This is a trick that takes advantage of the people's wide political environment to spread malware, steal information and pose a risk to the security of information systems of agencies, organizations and individuals.
According to the Department of Cyber Security and High-Tech Crime Prevention ( Hanoi City Police), the Valley RAT malware is disguised in a file named "DRAFT RESOLUTION OF THE CONGRESS.exe". When the user opens the file, the malware immediately installs itself into the system, automatically runs every time the computer starts and connects to the control server (C2) at address 27.124.9.13 (port 5689) controlled by hackers. From here, the malware can perform dangerous actions: Steal sensitive information on the user's computer; Take control of the computer; Steal personal accounts, agency accounts; Collect internal documents; Continue spreading the malware to other devices in the same system.
The dangerous factor is that the file interface is disguised to look like a real administrative document, making it easy for users to be confused, especially in the context of many units sending and receiving documents to comment on documents.
Through expanded scanning, the authorities discovered many more malicious files with similar structures, which looked like familiar administrative documents: FINANCIAL REPORT2.exe or BUSINESS INSURANCE PAYMENT.exe; GOVERNMENT'S URGENT OFFICIAL DISPATCH.exe; TAX DECLARATION SUPPORT.exe; PARTY ACTIVITY EVALUATION DOCUMENT.exe or AUTHORIZATION FORM.exe; MINUTES OF REPORT FOR THE THIRD QUARTER.exe
These files are named after the specifics of office work, finance, Party affairs, taxes... increasing the possibility that users will think they are internal documents and open them, creating conditions for malware to spread.
Through technical analysis, Hanoi City Police assessed Valley RAT as particularly dangerous because it possesses characteristics that make it a major threat: Hiding in the system, automatically starting with Windows; Allowing hackers to remotely control the device; Capable of downloading additional malware; Automatically collecting sensitive data and sending it to the control server; Able to record keystrokes, take screenshots, steal passwords saved in the browser; Easily spreading in the internal network system...
Many agencies and organizations use internal email or Zalo, Facebook Messenger to exchange documents, unintentionally creating a favorable environment for malware to spread if only one computer in the system is infected. To ensure information security, the Department of Cyber Security and High-Tech Crime Prevention, Hanoi City Police Department has made specific recommendations: Do not open or download strange files, .exe files from email or social networks, be especially wary of files with the following extensions: .exe; .dll; .bat; .msi... Even if the file is sent from an acquaintance (the account may have been hijacked).
Hanoi police note that free Kaspersky antivirus software has not yet detected this type of malware.
Besides using anti-virus software and firewalls, people need to use Process Explorer to see strange processes without digital signatures; Use TCPView to check the connection; if you see a connection to IP 27.124.9.13, you need to handle it immediately.
People need to receive official warning information, follow recommendations from: Ministry of Public Security ; Ministry of Information and Communications; Local Police; Do not share suspicious files on social networks to avoid spreading; Increase vigilance to protect national network security...
Source: https://baolaocai.vn/canh-bao-ma-doc-valley-rat-gia-danh-du-thao-nghi-quyet-dai-hoi-xiv-cua-dang-post886962.html
![[Photo] General Secretary To Lam and National Assembly Chairman Tran Thanh Man attend the 80th Anniversary of the Traditional Day of the Vietnamese Inspection Sector](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/11/17/1763356362984_a2-bnd-7940-3561-jpg.webp)
Comment (0)