Technical Analysis & Remediation
MITRE ATT&CK Mapping
T1036 (Masquerading)
Use of fake domains (e.g., huoronga[.]com) mimicking huorong.cn.
T1562.001 (Impair Defenses: Disable or Modify Tools)
Uses PowerShell to add Windows Defender exclusions for its persistence directory (%APPDATA%\trvePath\) and main process (WavesSvc64.exe).
T1053.005 (Scheduled Task/Job)
Creates C:\Windows\Tasks\Batteries.job to establish persistence across reboots.
T1055 (Process Injection)
Injects code into other processes for stealthy execution.
T1119 / T1056.001 (Collection / Keylogging)
Captures keystrokes and reads browser cookie files.
CVE Profile
N/A [CISA KEV Status: Inactive].
The attack explicitly relies on user execution and does not leverage vulnerability exploitation.
Telemetry
Hashes (SHA-256)
NSIS Installer 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4
WavesSvc64.exe db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e
Network / C2
161.248.87[.]250 (TCP 443)
Encoded C2: yandibaiji0203[.]com
Redirector
hndqiuebgibuiwqdhr[.]cyou
Registry Keys & File Paths
HKCU\SOFTWARE\IpDates_info
HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e
C:\ProgramData\DisplaySessionContainers.log
Constraint
The structure resembles a modular loader, as telemetry confirms the malware dynamically deletes and rewrites its core files to evade signature detection while fetching additional payloads.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command
Initiate internal advisory regarding software procurement policies; restrict downloading security software from unverified search engine results.
DETECT (DE) – Monitoring & Analysis
Command
Deploy SIEM queries for outbound connections to 161.248.87[.]250 over TCP 443.
Command
Hunt for Windows Defender exclusion modifications involving WavesSvc64.exe or %APPDATA%\trvePath\.
RESPOND (RS) – Mitigation & Containment
Command
Isolate endpoints exhibiting the Batteries.job scheduled task.
Command
Terminate WavesSvc64.exe processes and purge the associated %APPDATA%\trvePath\ directory.
Command
Block the provided typo domains and redirectors (huoronga[.]com, hndqiuebgibuiwqdhr[.]cyou) at the perimeter firewall/DNS sinkhole.
RECOVER (RC) – Restoration & Trust
Command
Validate clean state by ensuring HKCU\SOFTWARE\IpDates_info is removed and Defender exclusions are restored to baseline.
Command
Rotate all credentials and session cookies for users on compromised endpoints, given the malware's confirmed cookie-stealing and keylogging capabilities.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command
Implement AppLocker or WDAC policies to prevent execution of unapproved NSIS installers from user-space directories.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command
"Disconnect from the internet immediately" if you recently downloaded Huorong Security from a search engine result and notice performance issues or altered Windows Defender settings.
Command
"Do not log into banking/email until verified clean."
Priority 2: Identity
Command
Reset passwords and MFA using a known clean device (e.g., phone on 5G), as ValleyRAT actively logs keystrokes and steals browser cookies.
Priority 3: Persistence
Command
Check Scheduled Tasks for a task named "Batteries" and remove it.
Command
Manually review Windows Defender exclusions under Virus & threat protection settings. Remove any unauthorized exclusions (specifically looking for trvePath or WavesSvc64.exe).
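A host triage script covering the checks named under DETECT, RECOVER and Priority 3 above, using the indicators from the Telemetry section. This is an added example, not code from the advisory or its sources; it assumes an elevated PowerShell session on a host with Defender and the ScheduledTasks and NetTCPIP modules available.

```powershell
# Added triage script: checks a Windows host for the ValleyRAT indicators listed in this advisory.
# Read-only; report findings, then follow the RESPOND/RECOVER steps above.
$Indicators = @{
    # SHA-256 values from the Telemetry section
    Hashes  = @(
        '72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4',
        'db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e'
    )
    Paths   = @(
        (Join-Path $env:APPDATA 'trvePath'),
        'C:\Windows\Tasks\Batteries.job',
        'C:\ProgramData\DisplaySessionContainers.log'
    )
    RegKeys = @(
        'HKCU:\SOFTWARE\IpDates_info',
        'HKCU:\Console\0\451b464b7a6c2ced348c1866b59c362e'
    )
    C2      = '161.248.87.250'
}
$Findings = @()

# 1. Defender exclusions referencing the persistence directory or main process (T1562.001)
$pref = Get-MpPreference
$susp = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ -match 'trvePath|WavesSvc64\.exe' }
if ($susp) { $Findings += "Defender exclusions: $($susp -join ', ')" }

# 2. Scheduled task persistence (T1053.005): registered task and legacy .job file
if (Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue) { $Findings += 'Scheduled task "Batteries" is registered' }

# 3. File system and registry artifacts
foreach ($p in $Indicators.Paths)   { if (Test-Path -LiteralPath $p) { $Findings += "Path exists: $p" } }
foreach ($k in $Indicators.RegKeys) { if (Test-Path -LiteralPath $k) { $Findings += "Registry key exists: $k" } }

# 4. Running main process, with its image hash compared against the known-bad list
Get-Process -Name 'WavesSvc64' -ErrorAction SilentlyContinue | ForEach-Object {
    $h = if ($_.Path) { (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash.ToLower() } else { 'unknown' }
    $Findings += "WavesSvc64.exe running (PID $($_.Id), SHA-256 $h, known-bad: $($Indicators.Hashes -contains $h))"
}

# 5. Live TCP connection to the C2 address over any port (advisory observed TCP 443)
Get-NetTCPConnection -RemoteAddress $Indicators.C2 -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += "TCP connection to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)"
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No ValleyRAT indicators found on this host.' }
```

Any warning line is a hit on a page-listed indicator; a clean run after remediation corresponds to the RECOVER validation step.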
Hardening & References
Baseline
CIS Benchmarks for Windows 10/11 (Enforce Standard User privileges to block unprompted scheduled task creation).
Framework
NIST CSF 2.0 / SP 800-61r3.
TTP Summary
Typosquatting → Malicious NSIS Installer → PowerShell Defender Tampering → Registry/Task Persistence → C2 via TCP 443.
Source
Malwarebytes Threat Intelligence
CyberSecurity News