Valak first emerged on the scene as a loader for other threats, but over the past six months, everything has changed for the loader-turned-infostealer.
First observed in late 2019, Valak was once classified by cybersecurity researchers as a malware loader. Valak, deemed "sophisticated" by the Cybereason Nocturnus team, has undergone a host of changes over the past six months, with over 20 version revisions changing the malware from a loader to an independent threat in its own right.
On Thursday, the cybersecurity team said the malware has now changed to "an information stealer to target individuals and enterprises."
After landing on a machine through a phishing attack using Microsoft Word documents containing malicious macros, a .DLL file called "U.tmp" is downloaded and saved to a temporary folder.
Registry keys and values are set and a scheduled task is created to maintain persistence on an infected machine. Next, Valek downloads and executes additional modules for reconnaissance and data theft.
Two main payloads, project.aspx and a.aspx, perform different functions. The former manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter -- internally named PluginHost.exe -- is an executable that manages additional components.
Valak's "ManagedPlugin" module is of particular interest. Functions include a system information grabber that harvests local and domain data; the "Exchgrabber" function which aims to infiltrate Microsoft Exchange by stealing credentials and domain certificates, a geolocation verifier, screenshot capture, and "Netrecon," a network reconnaissance tool.
In addition, the malware will scour infected machines for existing antivirus products.
The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers in what is believed to be enterprise-focused attacks.
"Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise" the researchers say. "With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises."
Valak is currently on version 24. While the overall nature of the link between Valak, Ursnif, and IcedID is not understood, the researchers suggest that there may be "personal ties" and "mutual trust" in play -- and the malware's code indicates there may be links to the Russian-speaking underground community.
Previous and related coverage
- 'Malware-free' attacks now most popular tactic amongst cybercriminals
- Turla hacker group steals antivirus logs to see if its malware was detected
- Telegram fixes privacy-breaking bug that stopped recipient message and image deletion
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0