
The China-linked threat group known as Silver Fox is targeting Indian institutions with a phishing campaign built around lures that imitate genuine income tax correspondence.

The emails pose as messages from the Income Tax Department and push recipients to download a malicious executable disguised as a tax document.

Once the lure is opened, the victim is routed to attacker-controlled infrastructure, which starts a multi-stage infection chain designed to evade security controls and establish persistent access to the compromised network.

The chain starts with a deceptive email carrying a PDF that bears the name of an Indian company. When opened, the PDF sends the user to a malicious website that serves a file named “tax_affairs.exe.”

This first payload is a loader for the later malware stages, each built to hide its real purpose while keeping broad access to the victim’s system.

The campaign shows how attackers pair socially engineered documents with trusted file formats to get past conventional security controls: a PDF lure and a validly signed binary raise far fewer alarms than a bare executable attachment would.


Kill chain (Source: CloudSEK)

CloudSEK analysts identified the malware during the second phase of their investigation and found that the campaign had previously been misattributed to other threat actors.

The finding matters because defenses tuned to the wrong actor’s tooling and infrastructure will miss the real one.

Knowing who is actually behind the attacks lets security teams anticipate the group’s next moves and build countermeasures around Silver Fox’s specific tradecraft.

DLL hijacking

The infection chain relies on DLL hijacking (more precisely, DLL sideloading) to launch the main payload. The first stage drops a legitimate executable named Thunder.exe, a product of the Chinese software firm Xunlei.

This signed binary is weaponized by placing a malicious DLL named libexpat.dll in the same temporary directory. When Thunder.exe starts, the standard Windows DLL search order checks the application’s own directory before the system directories, so the planted DLL is loaded in place of the genuine one and the attacker’s code runs inside a process backed by a validly signed binary.

PDF Decoy (Source: CloudSEK)

The malicious DLL runs extensive anti-analysis checks before doing any real infection work.

It enumerates running processes for security research tools and sandbox indicators, then checks system resources to confirm the machine looks like a real target rather than an analysis VM. If any analysis tooling is found, the malware exits to avoid detection.

Once those checks pass, the DLL disables the Windows Update service and reads an encrypted file named box.ini from the temporary directory.

Process Injection (Source: CloudSEK)

That payload is decrypted with keys hardcoded in the DLL and executed as raw machine code directly in memory, so the final stage never exists as a file on disk and leaves only the staging artefacts behind.
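Because the final stage runs only in memory, the staging artefacts described above (Thunder.exe and libexpat.dll in a temp directory, box.ini beside them, Windows Update disabled) are what a defender can actually look for on disk. The following hunting script is an added example written for this article; it is not code from CloudSEK or from the report, and the choice of temp roots to search is an assumption. It generalizes the sideload check slightly: rather than looking only for libexpat.dll, it flags any DLL sitting next to Thunder.exe that is unsigned or signed by a different publisher than the EXE, since that is the condition the search-order hijack depends on.

```powershell
# Added hunting script, not code from the article or from CloudSEK.
# It looks only for artefacts the article names (Thunder.exe, libexpat.dll,
# box.ini in a temp directory, Windows Update disabled). Which temp roots to
# search is an assumption; extend $SearchRoots for your environment.
function Find-SilverFoxStaging {
    param(
        [string[]] $SearchRoots = @($env:TEMP, "$env:LOCALAPPDATA\Temp", "$env:SystemRoot\Temp")
    )

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($root in ($SearchRoots | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The lure drops the signed Xunlei binary into a temp directory.
        $exes = Get-ChildItem -LiteralPath $root -Filter 'Thunder.exe' -File -Recurse -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            $exeSig    = Get-AuthenticodeSignature -FilePath $exe.FullName
            $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '' }

            # Under the default search order a DLL beside the EXE is loaded ahead of
            # the system copy, so every DLL in that directory is a candidate.
            # Unsigned, or signed by someone other than the EXE's publisher, is the
            # tell; libexpat.dll is the name used in this campaign.
            foreach ($dll in Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -File) {
                $dllSig    = Get-AuthenticodeSignature -FilePath $dll.FullName
                $dllSigner = if ($dllSig.SignerCertificate) { $dllSig.SignerCertificate.Subject } else { '' }
                if ($dllSig.Status -ne 'Valid' -or $dllSigner -ne $exeSigner) {
                    $findings.Add([pscustomobject]@{
                        Indicator = 'DLL sideload candidate'
                        Path      = $dll.FullName
                        Detail    = "EXE signer='$exeSigner' DLL status=$($dllSig.Status) DLL signer='$dllSigner'"
                        KnownName = ($dll.Name -ieq 'libexpat.dll')
                    })
                }
            }

            # The encrypted second stage is read from the same temp directory.
            $box = Join-Path $exe.DirectoryName 'box.ini'
            if (Test-Path -LiteralPath $box) {
                $findings.Add([pscustomobject]@{
                    Indicator = 'Encrypted stage present'
                    Path      = $box
                    Detail    = "$((Get-Item -LiteralPath $box).Length) bytes"
                    KnownName = $true
                })
            }
        }
    }

    # The DLL disables Windows Update before staging the payload. A disabled
    # wuauserv is weak evidence on its own but corroborates the file hits.
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" -ErrorAction SilentlyContinue
    if ($wu -and $wu.StartMode -eq 'Disabled') {
        $findings.Add([pscustomobject]@{
            Indicator = 'Windows Update service disabled'
            Path      = 'wuauserv'
            Detail    = "State=$($wu.State) StartMode=$($wu.StartMode)"
            KnownName = $true
        })
    }

    return $findings
}

Find-SilverFoxStaging | Format-Table -AutoSize
```

Run it elevated so the system temp directory is readable. A legitimate Xunlei install lives under Program Files, not in a temp folder, so a Thunder.exe hit under any of these roots deserves a look even before the DLL comparison; and because the check keys on the signer mismatch rather than the filename, it still fires if the operators rename libexpat.dll in a later wave.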

The final payload is Valley RAT, a remote access trojan that gives the operators a persistent command-and-control channel into the infected environment.

Valley RAT uses a three-tier failover scheme to stay in touch with the attackers, automatically falling back from the primary to the secondary and then the tertiary C2 server when a connection fails.

The malware keeps its configuration in the Windows registry as binary data, so the operators can update C2 addresses without redeploying the implant.

It supports several transports, including HTTP, HTTPS, and raw TCP sockets, which makes blocking by protocol or port alone ineffective.

Once running, Valley RAT can execute operator commands, log keystrokes, harvest credentials, transfer files, and fetch additional malicious components on demand.

Its modular design lets the operators equip each infection with capabilities matched to the target’s value and role inside the compromised organization, which makes this a particularly serious threat to Indian businesses.
