Chrome Installer Impersonation Campaign Targets China-Based Victims with ValleyRAT Trojan

Summary

• Howler Cell identified a new 32-bit malicious installer disguised as a Google Chrome installer, which kickstarts a multi-stage delivery chain, ultimately deploying the ValleyRAT remote access trojan.

• The Howler Cell team identified Chinese language strings within the binary, including the internal DLL name, indicating that the installer is Chinese in origin.

• The installer covers its activity by delivering a legitimate version of Chrome in the foreground to allay suspicion.

• The targeted security solutions are known products from Chinese vendors, indicating that the campaign is targeting entities within China. Groups such as TA428 have a history of deploying ValleyRAT, and have a strong focus on the Government, Technology, Defense, and Critical Infrastructure industries in China.

• Along with allowing a threat actor remote access, ValleyRAT’s capabilities include remote command execution, file upload/download, and persistence mechanisms. While the ultimate objective of the campaign is unknown, there are clear opportunities for cyber espionage

Technical Analysis 

SHA256: a237f31b2d655dc2dd473db49a6bc599d8ddd39c084b6b28e2af011907080b07

Attack Chain

Figure 1 Attack Chain of ValleyRAT

We identified that the Chrome installer was created using InnoSetup and extracted the associated files, including the InnoSetup script (ISS) and the compiled Pascal code.

Figure 2 Directory structure within Chrome Setup Installer

When executed, the installer drops four files to disk. These include a legitimately signed Google Chrome installer and several archived and encrypted components used to carry out malicious activity in the background. An overview of dropped files is provided in Table 1.

Table 1 Overview of dropped files

InnoSetup allows authors to customize setup behavior using Pascal scripting. In this case, the embedded compiled Pascal code was extracted and decompiled. During execution, the script uses the PowerShell Add-MpPreference cmdlet to create a Microsoft Defender exclusion for the target folder where additional malicious files are staged.

• Staging Folder - C:\Users\Public\Documents\WindowsData\

The script has the password embedded within it to un-archive the password-protected archive (Main.xml) and extracts the files to the target folder.

Figure 3 Hardcoded password highlighted within the script

Man.exe

During the unarchiving process, a 32-bit C++ compiled executable named man.exe is dropped and executed to continue the malicious attack chain.

• SHA-256: 153b27fba518f9d21ef487befdb0f05286a851661c2a41b1ca044abb60f3afe0

On execution, Man.exe begins by creating a vector list of installed security products. This list is later used to remove their driver callbacks using a kernel driver, helping the malware evade detection and maintain persistence.

Figure 4 Vector initialization for targeted security processes

After creating the vector list, the executable drops a password-protected archive embedded within itself into the staging folder with the filename tree.exe. It then extracts the contents using the Chromium unzip library with the password Server8888. The files listed in Table 2 were dropped as a result of extraction.

Table 2 Overview of Extracted Files

After extracting additional components, man.exe launches bypass.exe using the WdcRunTaskAsInteractiveUser method. This API is resolved dynamically at runtime using GetProcAddress, as shown in Figure 5.

Figure 5 Invoking bypass.exe via WdcRunTaskAsInteractiveUser

Bypass.exe

Bypass.exe is responsible for invoking NVIDIA.exe with elevated privileges by abusing the CMSTP COM interface.

Figure 6 Bypass.exe invokes Nvidia.exe via UAC bypass

Nvidia.exe

The purpose of this executable is to read an encrypted file named Windows.log and decrypt it using a custom RC4 key: ??Bid@locale@std. After decryption, a DLL (original name: R0Kill.dll) is loaded into memory. The executable then invokes its exported function named NtHandleCallback.

Figure 7 Decryption of Windows.log

When invoked, the export function attempts to get a handle to NSecKrnl64.sys if it exists. It then tries to terminate the security solution processes, whose names are hardcoded as strings within the unpacked executable, as shown in Figure 8.

Figure 8 Terminating Security solutions using NSecKrnl64.sys

While Nvidia.exe is running with elevated privileges, man.exe continues its execution and extracts another password-protected archive Me.key using the password ‘killstartup’. The following files are dropped into the staging folder as a result of this extraction. The overview of extracted files is shown in Table 3.

Table 3 Overview of Extracted Files

NtHandleCallback.exe: Log.dll - Valley RAT Downloader

NtHandleCallback.exe, a legitimately signed binary by Hangzhou Shunwang Technology Co.,Ltd., is executed following the extraction. It is abused to sideload the malicious DLL named Log.dll.

When loaded, the log.dll functions as a loader for Valley RAT Downloader. It reads the RC4-encrypted file Server.log from the staging folder and decrypts it in memory using the same RC4 key (??Bid@locale@std) as used by Nvidia.exe.

Figure 9 RC4 decryption reproduced in CyberChef

The DLL then traverses the export directory of the decrypted DLL (original name: 上线模块.dll, translated as Online module.dll) and invokes its exported function NtHandleCallback. This function is responsible for downloading the final payload from the embedded C2 server and executing it. The configuration extracted from the binary is shown in Figure 10.

Figure 10 Downloader Configuration

• C2: 202[.]95[.]11[.]152
• Port: 8880
• Generation Date: 2025/07/03

Once a successful connection is established to the C2 server, the payload is downloaded and stored in the registry under the key d33f351a4aeea5e608853d1a56661059. The content is then read from the registry and injected into a newly spawned tracerpt.exe process via the Thread Execution Hijacking technique, as illustrated in Figure 11.

Figure 11 Thread Injection into tracerpt.exe

Based on prior analysis of WinOS 4.0 and known ValleyRAT samples, we have determined that the final downloaded payload is ValleyRAT.

Kernel Driver Load – Rwdriver.sys

Man.exe continues execution by registering a driver as a service using the sc command-line utility, then starts the service.

Figure 12 Kernel driver registered as a service

Main.exe

To advance the attack chain, man.exe runs main.exe with the arguments “Blind mode” and “Restore mode”, each invoked individually using WinExec.

Main.exe is a compiled version of the open-source project called BlindEDR. We also found references to this project and the POC to abuse them in a Chinese forum.

Based on the information available, we attribute main.exe as a slightly modified version of BlindEDR tool. It is used to clear kernel callbacks registered by the list of monitored security solutions using the registered driver rwdriver.sys, which is shown in Figure 13.

 Figure 13 BlindEDR command line options 

List of targeted security solutions

• ZhuDongFangYu.exe
• 360tray.exe
• kscan.exe
• kewsprotect64.exe
• kxescore.exe
• kxetray.exe
• HipsMain.exe
• HipsTray.exe
• HipsDaemon.exe
• GMDL.exe
• QMPersonalCenter.exe
• QQPCPatch.exe
• QQPCRealTimeSpeedup.exe
• QQPCRTP.exe
• QQPCTray.exe
• QQRepair.exe
• 360sd.exe
• 360rp.exe
• 360Tray.exe
• 360Safe.exe
  
  

Clearing Traces

After completing the attack chain, man.exe creates a batch file named delete_self.bat to remove all files it had dropped during execution.

Figure 14 Clearing traces using delete_self.bat

Mitigation

These are general steps that apply broadly to mitigate ValleyRAT.

• Isolate devices that are impacted by the risk and follow the organization's incident response guidelines.
• Prioritize mitigation of the highest risk assets first.
• Keep OS, applications, and drivers patched.
• Remove unused software, disable non-approved services like PSEXECSVC.
• AppLocker mitigation could be enforced, use application whitelisting so only approved binaries run.
• Restrict administrative privileges on the user accounts.
• Require MFA on all remote login paths (RDP, SSH, VPN).
• Deploy EDR agents with the capability to detect common RAT behaviors (injection, persistence, memory anomalies).
• Train users to recognize phishing, malicious attachments, and links.

Conclusion

Our analysis revealed Chinese language strings within the binary, including the internal DLL name, and identified that the targeted security solutions are products from Chinese vendors. This indicates the attackers have knowledge of the regional software environment and suggests the campaign is tailored to target victims in China. The use of localized artifacts, combined with selective targeting, points to a focused effort against systems in Chinese-speaking regions.

Appendix

MITRE Coverage

Execution:

• T1047 - Windows Management Instrumentation
• T1106 - Native API
• T1059 - Command and Scripting Interpreter
• T1053 - Scheduled Task/Job
• 002 - User Execution: Malicious FIle

Persistence:

• 002 - DLL Side-Loading

Defense Evasion:

• T1078 - Valid Accounts
• T1134 - Access Token Manipulation
• T1055 - Process Injection
• T1140 - Deobfuscate/Decode Files or Information
• T1027 - Obfuscated Files or Information
• 002 - Software Packing
• T1036 - Masquerading
• T1497 - Virtualization/Sandbox Evasion

Discovery:

• T1012 – Query Registry
• T1124 - System Time Discovery
• T1087 - Account Discovery
• T1083 - File and Directory Discovery
• T1082 - System Information Discovery
• 001 - Security Software Discovery
• T1057 - Process Discovery
• T1010 - Application Window Discovery
• T1033 - System Owner/User Discovery
• T1614 – System Location Discovery

Collection:

• T1056 - Input Capture
• T1560 - Archive Collected Data

Command and Control:

• T1105 – Ingress Tool Transfer

IOC’s

C2

• 202[.]95[.]11[.]152:8880

Back to Top