ValleyRAT Malware Targets Job Seekers Using Foxit PDF Reader Disguise

ValleyRAT Campaign Abuses Foxit PDF Reader for DLL Side-Loading to Target Job Seekers

Severity: MEDIUM
December 3, 2025
Categories: Malware, Phishing, Threat Actor


Executive Summary

A new malware distribution campaign is leveraging social engineering to target job seekers with the ValleyRAT remote access trojan. As reported by Trend Micro, attackers are using email lures with executables disguised as compensation or benefits documents. The core of the attack is a DLL side-loading technique that abuses a legitimate, signed executable from the Foxit PDF Reader. This method allows the malware to execute under the guise of a trusted process, evading basic security detections. The campaign highlights the continued effectiveness of combining social engineering with technical evasion tactics like DLL side-loading.


Threat Overview

The attack targets individuals who are likely to be opening documents from unknown sources, such as job applicants or HR professionals. The attack chain is multi-staged and designed for stealth:

  1. Social Engineering: The victim receives an email with a compressed file (e.g., a ZIP archive). Inside is an executable file named to look like a document, such as Compensation_Benefits_Commission.exe.
  2. Masquerading: The executable uses the Foxit PDF Reader's icon to trick the user into thinking it is a safe PDF file. The file itself is a renamed, legitimate FoxitPDFReader.exe.
  3. DLL Side-Loading: When the user runs the executable, the legitimate Foxit program is launched. Because Windows searches an application's own directory before the system directories when resolving a DLL by name, the trusted program loads a malicious DLL (e.g., msvcr100.dll) that has been placed alongside it instead of the genuine library. This is a classic example of T1574.002 - DLL Side-Loading.
  4. Payload Execution: The malicious DLL executes, launching a batch file which in turn runs a Python script. This script downloads the final ValleyRAT payload from a command-and-control (C2) server.
  5. Persistence: The malware establishes persistence by creating an autorun registry key.

Technical Analysis

The campaign's success hinges on the abuse of a trusted, signed executable. By using the legitimate FoxitPDFReader.exe, the attackers bypass security measures that might block unsigned or unknown executables. The DLL side-loading technique allows the malicious code to be loaded into the memory space of the trusted Foxit process, making it harder for EDR and antivirus solutions to detect.
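The search-order behaviour described above has a defensive corollary: a signed executable staged in a user-writable folder next to a DLL it imports by name is exactly the layout a side-loading lure needs. The following is an added hunting check (not code from the article or from Trend Micro) that walks a directory tree and flags executables that share a folder with a DLL from a watchlist, rating the pairing high only when it sits under a user-profile location. The watchlist, the user-writable markers and the sample tree (a staged lure in Downloads beside a normal install directory that is assumed to ship its own runtime DLL) are all constructed for the example.

```python
"""
Hunt for DLL side-loading staging on disk.

Finding = an .exe that shares a directory with a DLL whose name is on a
watchlist of commonly side-loaded libraries. The same pairing inside an
application's install directory is expected, so severity depends on whether
the directory is user-writable. Added example; sample data is constructed.
"""
import os
import tempfile
from pathlib import Path

# Constructed watchlist: DLL names that signed applications import by name and
# that attackers therefore drop beside a copied binary. A real deployment would
# derive this from the import tables of the applications it protects.
SIDELOAD_WATCHLIST = {"msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll"}

# Path components that mark a user-profile or scratch location (constructed).
USER_WRITABLE_MARKERS = ("downloads", "appdata", "temp", "desktop")


def find_sideload_candidates(root: Path) -> list[dict]:
    """Return one finding per executable that shares a folder with a watchlisted DLL."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        lower = {f.lower(): f for f in filenames}
        exes = [f for f in filenames if f.lower().endswith(".exe")]
        hits = sorted(lower[n] for n in lower if n in SIDELOAD_WATCHLIST)
        if not exes or not hits:
            continue
        rel_parts = {p.lower() for p in d.relative_to(root).parts}
        user_writable = any(m in rel_parts for m in USER_WRITABLE_MARKERS)
        for exe in exes:
            findings.append({
                "directory": d.relative_to(root).as_posix(),
                "executable": exe,
                "dlls": hits,
                # High: a reader copied into Downloads with its runtime DLL beside it.
                # Info: the same pairing in Program Files is the installer's doing.
                "severity": "high" if user_writable else "info",
            })
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: a staged lure under a user profile and a normal install dir."""
    staged = base / "Users" / "alice" / "Downloads" / "Compensation_Benefits_Commission"
    staged.mkdir(parents=True)
    # Renamed copy of the reader (file name from the article) plus attacker-supplied DLL.
    (staged / "Compensation_Benefits_Commission.exe").write_bytes(b"MZ")
    (staged / "msvcr100.dll").write_bytes(b"MZ")
    # Assumed install layout: the genuine reader with its runtime DLL beside it.
    install = base / "Program Files" / "Foxit Software" / "Foxit PDF Reader"
    install.mkdir(parents=True)
    (install / "FoxitPDFReader.exe").write_bytes(b"MZ")
    (install / "msvcr100.dll").write_bytes(b"MZ")
    return base


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir and return the findings."""
    root = build_sample_tree(Path(tempfile.mkdtemp(prefix="sideload_hunt_")))
    return find_sideload_candidates(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['directory']}: {f['executable']} with {', '.join(f['dlls'])}")
```

Run it against a real Downloads or AppData tree to triage staged lures; the info-level hits from install directories show why the folder, not the DLL name alone, is the signal.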

The use of a multi-stage loading process (EXE -> DLL -> BAT -> Python -> Shellcode) is a deliberate obfuscation technique designed to break the analysis chain of automated security tools. The final payload, ValleyRAT, is a potent remote access trojan that gives the attacker capabilities such as:

  • Keystroke logging
  • Screen capture
  • File system access (upload/download)
  • Command execution
  • Credential theft from browsers and other applications

IOCs

Type            | Value                               | Description
IP Address v4   | 196.251.86.145                      | Command-and-control (C2) server used to download the final payload.
File Name       | Compensation_Benefits_Commission.exe | Example name of the malicious loader executable.
File Name       | msvcr100.dll                        | Name of the malicious DLL used for the side-loading attack.

Impact Assessment

A successful infection results in the complete compromise of the victim's computer. For an individual job seeker, this can lead to the theft of personal data, banking credentials, and other sensitive information. If an HR professional is compromised, the attacker could gain a foothold into a corporate network, potentially leading to a much larger breach. The attacker could use this access to steal employee data, deploy ransomware, or conduct espionage.

Detection & Response

  • Process Anomaly Detection: Monitor for legitimate applications like FoxitPDFReader.exe loading DLLs from unusual paths (e.g., a user's Downloads folder instead of C:\Program Files\...). EDR solutions should be configured to alert on this behavior. This is an application of D3FEND's D3-PA: Process Analysis.
  • Command Line Logging: Enable and monitor process creation auditing (Windows Event ID 4688) with the "Include command line in process creation events" policy turned on, since 4688 does not record the command line otherwise. Look for FoxitPDFReader.exe spawning child processes like cmd.exe or python.exe, which is highly anomalous for a document viewer.
  • Network IOCs: Block the known C2 IP address (196.251.86.145) at the network perimeter.

Mitigation

  1. User Training: Educate users, especially job seekers and HR staff, to be extremely cautious of executable files disguised as documents. Teach them to check file extensions and be wary of files arriving in ZIP archives.
  2. Attack Surface Reduction (ASR) Rules: Implement Microsoft Defender ASR rules, such as "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," to prevent novel malicious executables from running.
  3. Application Control: Where possible, use application control solutions like AppLocker to prevent applications from running from user-writable directories like Downloads or AppData.
  4. Email Security: Use an email gateway that can scan inside archives and identify suspicious executables, even if they are renamed or use legitimate icons.

Timeline of Events

December 3, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Using application control or ASR rules to prevent executables from running from user-writable locations like the Downloads folder can block this attack chain.
  • Training users to recognize social engineering lures, such as executables disguised as documents, is a crucial preventative measure.
  • Configuring systems to load DLLs only from trusted, system-defined paths can mitigate many forms of DLL side-loading.

D3FEND Defensive Countermeasures

To detect the ValleyRAT campaign's core technique, security teams must configure their EDR or SIEM to monitor for process relationship anomalies. Specifically, create a high-severity alert for when a legitimate, signed executable like FoxitPDFReader.exe loads a DLL from a non-standard, user-writable directory (e.g., C:\Users\<user>\Downloads\, C:\Temp\) instead of its program directory. Because the lure is a renamed copy of FoxitPDFReader.exe, the rule should identify the reader by its code signer or PE version metadata rather than by file name alone. A second critical detection is to alert when FoxitPDFReader.exe (or any similar document reader) spawns a child process that is a command-line interpreter (cmd.exe, powershell.exe) or scripting engine (python.exe). This behavior is fundamentally anomalous for a document viewer and is a strong indicator of a successful DLL side-loading compromise.
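The two detections described here and in the Detection & Response section (a reader loading a DLL from an untrusted path, and a reader spawning an interpreter) implemented as an added example that is not the article's, Trend Micro's, or any vendor's detection content. Events are plain dicts whose keys are modelled on Sysmon Event ID 1 (process create) and Event ID 7 (image load) field names; the event values, the ProcessGuid strings and the second reader name (acrord32.exe) are constructed, and the assumption that a renamed copy of the reader still reports FoxitPDFReader.exe in its OriginalFileName PE metadata is exactly the renamed-binary caveat the detector is built around.

```python
"""
Stateful detector for the two behaviours the article calls out:
  1. a document reader loading a DLL from outside trusted install roots, and
  2. a document reader spawning a command interpreter or script engine.
Events are constructed dicts modelled on Sysmon Event ID 1 / Event ID 7 fields.
Added example; not the article's or a vendor's rule content.
"""
from pathlib import PureWindowsPath

# The article names FoxitPDFReader.exe; acrord32.exe is an assumed extra entry.
DOCUMENT_READERS = {"foxitpdfreader.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "python.exe"}
# DLL loads resolved from these roots are expected; anything else is suspect.
TRUSTED_LOAD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _looks_like_reader(image: str, original_file_name: str = "") -> bool:
    # A renamed copy keeps its PE version-resource name (assumed for Foxit), so
    # match on OriginalFileName as well as the on-disk file name.
    return _name(image) in DOCUMENT_READERS or original_file_name.lower() in DOCUMENT_READERS


class SideloadDetector:
    def __init__(self):
        self.reader_procs = {}  # ProcessGuid -> Image for readers seen at creation

    def evaluate(self, ev: dict) -> list[dict]:
        alerts = []
        if ev["EventID"] == 1:
            if _looks_like_reader(ev["Image"], ev.get("OriginalFileName", "")):
                self.reader_procs[ev["ProcessGuid"]] = ev["Image"]
            parent_is_reader = (ev.get("ParentProcessGuid") in self.reader_procs
                                or _looks_like_reader(ev.get("ParentImage", "")))
            if parent_is_reader and _name(ev["Image"]) in INTERPRETERS:
                alerts.append({"rule": "reader-spawns-interpreter", "guid": ev["ProcessGuid"],
                               "parent": ev.get("ParentImage"), "child": ev["Image"],
                               "cmd": ev.get("CommandLine")})
        elif ev["EventID"] == 7:
            host_is_reader = ev["ProcessGuid"] in self.reader_procs or _looks_like_reader(ev["Image"])
            loaded = ev["ImageLoaded"]
            if host_is_reader and not loaded.lower().startswith(TRUSTED_LOAD_ROOTS):
                alerts.append({"rule": "reader-loads-dll-from-untrusted-path", "guid": ev["ProcessGuid"],
                               "host": ev["Image"], "dll": loaded, "signed": ev.get("Signed")})
        return alerts

    def run(self, events) -> list[dict]:
        return [a for ev in events for a in self.evaluate(ev)]


LURE_DIR = r"C:\Users\alice\Downloads\Compensation_Benefits_Commission"
INSTALL_DIR = r"C:\Program Files\Foxit Software\Foxit PDF Reader"

# Constructed sample telemetry: one infected reader copy, one benign reader session.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": LURE_DIR + r"\Compensation_Benefits_Commission.exe",
     "OriginalFileName": "FoxitPDFReader.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{G1}", "Image": LURE_DIR + r"\Compensation_Benefits_Commission.exe",
     "ImageLoaded": LURE_DIR + r"\msvcr100.dll", "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c run.bat", "ParentProcessGuid": "{G1}",
     "ParentImage": LURE_DIR + r"\Compensation_Benefits_Commission.exe"},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": INSTALL_DIR + r"\FoxitPDFReader.exe",
     "OriginalFileName": "FoxitPDFReader.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{G3}", "Image": INSTALL_DIR + r"\FoxitPDFReader.exe",
     "ImageLoaded": INSTALL_DIR + r"\msvcr100.dll", "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "{G3}", "Image": INSTALL_DIR + r"\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]


def detect_sample() -> list[dict]:
    return SideloadDetector().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in detect_sample():
        print(a)
```

Sysmon does not emit Event ID 7 unless the configuration includes image-load rules, and Windows Event ID 4688 carries no DLL-load data at all, so the first rule needs Sysmon (or an EDR equivalent) in place; the second rule works from either source once command-line logging is enabled.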

A highly effective preventative control is to use an application allowlisting solution like Windows Defender Application Control (WDAC) or AppLocker. Configure a policy that prevents any executable file from running from user-profile directories, including Downloads, AppData, and the Desktop. This simple but powerful rule would block the initial Compensation_Benefits_Commission.exe from ever launching, breaking the attack chain at the very first step. While this requires careful implementation to avoid disrupting legitimate workflows, it provides robust protection against a wide range of malware delivered via phishing.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: ValleyRAT, Malware, Phishing, DLL Side-loading, Social Engineering, Job Seekers, Trend Micro
