Attack Chain

1. The attacker performs reconnaissance on targeted Japanese companies, gathering information on employee names and roles within HR and finance departments.
2. Spearphishing emails are crafted to impersonate real employees or even CEOs at the targeted companies. The emails often include the targeted company’s name in the subject line to enhance credibility.
3. The emails are sent to employees during Japan’s tax filing and organizational change season, increasing the likelihood of the recipients opening the messages due to the expected volume of HR and financial communications.
4. The emails contain malicious attachments, such as ZIP or RAR archives, or links leading to malicious files hosted on public file-sharing services like gofile[.]io or WeTransfer.
5. The malicious files are named to resemble common HR, financial, or tax-related documents, such as “Salary Adjustment Notice” or “Notice regarding personnel changes and salary adjustments.”
6. When the recipient opens the malicious file, it drops ValleyRAT (detected as Win64/Valley by ESET products), a remote access trojan.
7. ValleyRAT enables the attacker to take remote control of the compromised machine, harvest sensitive information, and monitor user activity.
8. The attacker establishes persistence within the targeted environment, allowing for continued access and the potential for further malicious activities, such as data exfiltration or deploying additional malware.

Impact

Successful exploitation of this campaign can lead to a significant compromise of Japanese organizations, particularly manufacturers and businesses involved in finance, healthcare, education, gaming, government and cybersecurity. The deployment of ValleyRAT allows the attacker to gain remote access to compromised systems, potentially leading to the theft of sensitive financial data, intellectual property, and confidential employee information. This can result in financial losses, reputational damage, and legal repercussions for the affected organizations.

Recommendation

• Deploy the “Detect ValleyRAT Execution” Sigma rule to identify instances where ValleyRAT is executed on endpoints (Sigma rule).
• Monitor email traffic for subjects containing company names along with keywords related to tax, HR, and salary adjustments, and alert on unusual patterns (email logs).
• Block connections to known malicious file hosting services like gofile[.]io and WeTransfer at the network level, as these are used to deliver the malicious payloads (network_connection logs).
• Educate employees to verify any requests related to salary changes, tax penalties, or personnel updates through separate channels (awareness training).
• Implement multi-factor authentication (MFA) for all email accounts to prevent unauthorized access (authentication logs).