Attack Chain

1. The attacker performs reconnaissance on targeted Japanese companies, gathering information on employee names and roles within HR and finance departments.
2. Spearphishing emails are crafted to impersonate real employees or even CEOs at the targeted companies. The emails often include the targeted company’s name in the subject line to enhance credibility.
3. The emails are sent to employees during Japan’s tax filing and organizational change season, increasing the likelihood of the recipients opening the messages due to the expected volume of HR and financial communications.
4. The emails contain malicious attachments, such as ZIP or RAR archives, or links leading to malicious files hosted on public file-sharing services like gofile[.]io or WeTransfer.
5. The malicious files are named to resemble common HR, financial, or tax-related documents, such as “Salary Adjustment Notice” or “Notice regarding personnel changes and salary adjustments.”
6. When the recipient opens the malicious file, it drops ValleyRAT (detected as Win64/Valley by ESET products), a remote access trojan.
7. ValleyRAT enables the attacker to take remote control of the compromised machine, harvest sensitive information, and monitor user activity.
8. The attacker establishes persistence within the targeted environment, allowing for continued access and the potential for further malicious activities, such as data exfiltration or deploying additional malware.

Impact

Successful exploitation of this campaign can lead to a significant compromise of Japanese organizations, particularly manufacturers and businesses involved in finance, healthcare, education, gaming, government and cybersecurity. The deployment of ValleyRAT allows the attacker to gain remote access to compromised systems, potentially leading to the theft of sensitive financial data, intellectual property, and confidential employee information. This can result in financial losses, reputational damage, and legal repercussions for the affected organizations.

Recommendation

• Deploy the “Detect ValleyRAT Execution” Sigma rule to identify instances where ValleyRAT is executed on endpoints (Sigma rule).
• Monitor email traffic for subjects containing company names along with keywords related to tax, HR, and salary adjustments, and alert on unusual patterns (email logs).
• Block connections to known malicious file hosting services like gofile[.]io and WeTransfer at the network level, as these are used to deliver the malicious payloads (network_connection logs).
• Educate employees to verify any requests related to salary changes, tax penalties, or personnel updates through separate channels (awareness training).
• Implement multi-factor authentication (MFA) for all email accounts to prevent unauthorized access (authentication logs).

Attack Chain

Due to limited information, a detailed attack chain cannot be fully constructed. However, assuming a typical phishing-based delivery mechanism, a possible attack chain might look like this:

1. Initial Access: The attacker sends a spearphishing email to a target, posing as a tax authority.
2. Delivery: The email contains a malicious attachment (e.g., a Microsoft Office document or PDF) or a link to a malicious website.
3. Exploitation: If the attachment is opened, it exploits a vulnerability (e.g., a macro or a CVE in the document reader) to execute arbitrary code.
4. Installation: The attacker installs a backdoor or malware on the victim’s machine.
5. Command and Control: The malware establishes a connection with a command-and-control (C2) server to receive instructions.
6. Lateral Movement: The attacker uses the compromised machine to move laterally within the network, accessing other systems and resources.
7. Data Exfiltration: The attacker identifies and exfiltrates sensitive data, such as financial records or personal information.
8. Final Objective: The ultimate goal could be data theft, financial gain, or espionage.

Impact

Successful RagaSerpent attacks leveraging a tax audit theme could lead to significant data breaches, financial losses, and reputational damage for targeted organizations. Individuals could experience identity theft and financial fraud. The multi-country scope suggests potentially widespread impact, affecting government agencies, financial institutions, and individuals across different regions. The specific damage will depend on the nature of the compromised data and the attacker’s objectives.

Recommendation

• Implement and tune the provided Sigma rule to detect suspicious process executions potentially related to malicious document exploits (rules[0]).
• Enable and review process creation logs (Sysmon or equivalent) for better visibility into potential exploit attempts as outlined in the rule’s logsource (rules[0].logsource).
• Deploy the generic network connection Sigma rule to identify potentially malicious outbound communication from unusual processes (rules[1]).