Fake Huorong Security Website Spreads ValleyRAT Malware
The fake Huorong Security website (huoronga[.]com) is a near-perfect visual imitation of the legitimate huorong.cn, designed to lure security-conscious users searching for antivirus downloads. It features familiar branding, Chinese text (火绒), and a prominent download button that serves malware-laden ZIP files without raising immediate red flags.

The page mimics Huorong’s official layout with product logos, promotional banners, and calls-to-action for free downloads, exploiting a typosquat in which the legitimate domain gains an extra “a”. Downloads redirect via hndqiuebgibuiwqdhr[.]cyou to BR火绒445[.]zip hosted on Cloudflare R2, borrowing legitimate services for credibility. No overt malware warnings appear, and the site blends seamlessly with real results in search listings.
After clicking the download button on the fake Huorong Security site (huoronga[.]com), users receive BR火绒445[.]zip via redirects, leading to a trojanized NSIS installer that deploys ValleyRAT stealthily. The process mimics a legitimate antivirus install to bypass suspicion and establish persistence.
The NSIS installer creates a desktop shortcut “火绒.lnk” to give the illusion of a successful install and extracts files to %Temp%, including decoys such as FFmpeg DLLs and fake diagnostics. The malicious drops are WavesSvc64.exe (loader), DuiLib_u.dll (sideloading vector), and box.ini (shellcode).
- WavesSvc64.exe runs, triggering Windows to load DuiLib_u.dll due to side-by-side dependency.
- The malicious DLL decrypts shellcode from box.ini and injects it in-memory via reflective loading.
- PowerShell disables Defender scans on %APPDATA%\trvePath\ and the loader process.
The malware abuses DLL sideloading: WavesSvc64.exe (a benign-looking loader) causes Windows to load DuiLib_u.dll from the same folder. The malicious DLL decrypts shellcode from box.ini and runs it in memory via reflective injection. This evades detection by abusing the trusted DLL search order and a legitimate-looking binary.
The ValleyRAT backdoor achieves permanence through a multi-step process that disables defenses, embeds deeply in the system, and self-maintains to survive reboots and scans.
Defender Exclusions: The malware first elevates privileges via PowerShell running at high integrity to manipulate Windows Defender settings. It adds exclusions for the persistence folder %APPDATA%\trvePath\ and its core process WavesSvc64.exe, ensuring future scans ignore these locations. This reduces native AV interference without fully disabling the tool.
Scheduled Task Persistence: A key mechanism is creating a scheduled task named “Batteries,” stored as C:\Windows\Tasks\Batteries.job. Triggered on every system boot or user logon, it executes WavesSvc64.exe /run from the persistence directory, reapplying exclusions and re-establishing C2 connections. This blends with legitimate tasks like power management.
File Refresh and Self-Update: To counter signature detection, the backdoor deletes and regenerates its files: WavesSvc64.exe, DuiLib_u.dll, libexpat.dll, box.ini, and vcruntime140.dll. This dynamic rewrite occurs during runtime, complicating remediation—deleting files alone won’t suffice as they regenerate.
Registry Persistence: C2 configuration (e.g., the encoded domain yandibaiji0203[.]com) is embedded in HKCU\SOFTWARE\IpDates_info. A secondary encrypted blob hides in HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e, likely for staging payloads or configs. Both survive across user sessions and are useful pivots when hunting for persistence.
ValleyRAT, built on Winos4.0, detects sandboxes via BIOS checks, VirtualBox registry keys, memory/disk probes, and Chinese locale verification. It anti-debugs by scanning window titles, and it launches rundll32.exe without DLL arguments for modular plugin downloads, creating RWX regions for in-memory operations. According to Malwarebytes, the ProcessKiller module targets AV products including Huorong itself, Qihoo 360, and Tencent.
C2 occurs over TCP/443 to 161.248.87.250 using a custom binary protocol that mimics HTTPS but still triggers IDS alerts (e.g., ET SID 2052875). Post-infection capabilities include keylogging (SetWindowsHookExW), process injection, credential theft from the registry and browsers, system recon (hostname, processes), and self-cleanup that deletes 10+ files. Artifacts such as the mutex “2026.2.5” and the file C:\ProgramData\DisplaySessionContainers.log aid forensic hunting.
Silver Fox (aka Void Arachne), a Chinese APT, favors trojanized Chinese apps such as QQ Browser for ValleyRAT delivery. Following a March 2025 GitHub leak, sample counts rose 85% after November 2025, broadening use beyond the group. MITRE ATT&CK mappings include T1574.002 (DLL Side-Loading), T1053.005 (Scheduled Task), and T1562.001 (Impair Defenses).
- Verify domains before downloading (stick to huorong.cn).
- Audit Defender exclusions and any scheduled task named “Batteries”.
- Block 161.248.87.250 at the perimeter.
- Monitor for rundll32 and WavesSvc64 anomalies.
- Hunt for HKCU\SOFTWARE\IpDates_info and %APPDATA%\trvePath.
- Use EDR to catch PowerShell abuse such as exclusion tampering.
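The persistence artifacts described above (Defender exclusions, the “Batteries” task, the trvePath drop folder, the registry keys, the mutex and the C2 address) can be checked on a single host with one read-only script. The following PowerShell is an added example written for this page, not tooling from the article or its source; every indicator it looks for is taken from the text, and the output format and the decision to only report (never delete) are this example's own choices.

```powershell
# Added hunting script (not from the article): checks one host for the ValleyRAT
# persistence artifacts named in the report. Read-only: it reports, it does not remediate.
# Run from an elevated PowerShell so Get-MpPreference and task queries return full data.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions covering the persistence folder or the loader process
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -match 'trvePath') { $findings.Add("Defender path exclusion: $p") }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -match 'WavesSvc64') { $findings.Add("Defender process exclusion: $p") }
    }
}

# 2. Scheduled task 'Batteries' and its legacy .job file
$task = Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task 'Batteries' present, action: $action")
}
if (Test-Path 'C:\Windows\Tasks\Batteries.job') {
    $findings.Add('Legacy task file C:\Windows\Tasks\Batteries.job present')
}

# 3. Dropped files in the persistence directory (hash them for later correlation)
$dir = Join-Path $env:APPDATA 'trvePath'
foreach ($f in 'WavesSvc64.exe', 'DuiLib_u.dll', 'libexpat.dll', 'box.ini', 'vcruntime140.dll') {
    $full = Join-Path $dir $f
    if (Test-Path $full) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $full).Hash
        $findings.Add("Dropped file $full SHA256=$hash")
    }
}
if (Test-Path 'C:\ProgramData\DisplaySessionContainers.log') {
    $findings.Add('Log artifact C:\ProgramData\DisplaySessionContainers.log present')
}

# 4. Registry configuration and the secondary staging blob (current user's hive only)
foreach ($k in 'HKCU:\SOFTWARE\IpDates_info', 'HKCU:\Console\0\451b464b7a6c2ced348c1866b59c362e') {
    if (Test-Path $k) { $findings.Add("Registry key present: $k") }
}

# 5. Live indicators: the mutex, the loader process and an open socket to the C2 address
try {
    $m = [System.Threading.Mutex]::OpenExisting('2026.2.5')
    $m.Dispose()
    $findings.Add("Mutex '2026.2.5' is held by a running process")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex does not exist: nothing to report
}
Get-Process -Name 'WavesSvc64' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process WavesSvc64.exe running, PID $($_.Id), path $($_.Path)")
}
Get-NetTCPConnection -RemoteAddress '161.248.87.250' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("TCP connection to $($_.RemoteAddress):$($_.RemotePort) state $($_.State) PID $($_.OwningProcess)")
}

if ($findings.Count -eq 0) {
    'No ValleyRAT artifacts from this report were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Two caveats when using it: the HKCU checks and %APPDATA% path only cover the user running the script, so on a shared machine run it in each user's context or load the other users' NTUSER.DAT hives; and because the article notes the backdoor regenerates its files at runtime, a hit on any of the file or task checks should be followed by an EDR-driven containment of the process tree rather than by deleting the listed files by hand.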
Site: cybersecuritypath.com