Valak targets Microsoft Exchange servers to steal enterprise data

The malware has been “dramatically changed” in the past six months.


Valak first emerged on the scene as a loader for other threats, but over the past six months, everything has changed for the loader-turned-infostealer. 

The malware has been spotted in active campaigns focused mainly on entities in the US and Germany, having previously been bundled together with the Ursnif and IcedID banking Trojan payloads (1,2).

First observed in late 2019, Valak was initially classified by cybersecurity researchers as a malware loader. Deemed "sophisticated" by the Cybereason Nocturnus team, it has undergone a host of changes over the past six months, with more than 20 version revisions turning it from a loader into an independent threat in its own right.


On Thursday, the cybersecurity team said the malware has now changed to "an information stealer to target individuals and enterprises."

The infection begins with a phishing email carrying a Microsoft Word document that contains malicious macros. Once the macros run, a .DLL file called "U.tmp" is downloaded and saved to a temporary folder.

A WinExec API call is then made and JavaScript code is downloaded, which opens connections to command-and-control (C2) servers. Additional files are then downloaded, decoded using Base64 and an XOR cipher, and the main payload is deployed.


Registry keys and values are set and a scheduled task is created to maintain persistence on the infected machine. Next, Valak downloads and executes additional modules for reconnaissance and data theft.
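The chain described above (Word macro, a DLL dropped into a temp folder as "U.tmp", a JavaScript stage, then a scheduled task) leaves a recognisable trail in endpoint telemetry. The script below is an added example written for this article, not code from Cybereason or from the Valak report: it hunts for that sequence in Sysmon-style process-create (EventID 1) and file-create (EventID 11) events. The sample events are constructed for illustration; the image paths and the way the dropped DLL is launched (rundll32.exe here) are assumptions, since the article names only the file, the WinExec call, the JavaScript stage and the scheduled task.

```python
"""Hunt for a Valak-style Office -> dropped .tmp DLL -> script host -> schtasks
chain in Sysmon-style events.  Added example; events below are constructed."""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A file with a .tmp extension written into a user or system Temp folder.
TEMP_TMP_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\[^\\]+\.tmp\b", re.I)

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"   # assumed path

# Constructed sample telemetry (not real logs). id 1 = process create, id 11 = file create.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4001, "ppid": 900, "image": WORD,
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"id": 11, "pid": 4001, "image": WORD,
     "target": r"C:\Users\alice\AppData\Local\Temp\U.tmp"},
    # Launch method is an assumption; the article only says the DLL is run via WinExec.
    {"id": 1, "pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\U.tmp,DllMain"},
    {"id": 1, "pid": 4003, "ppid": 4002, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //E:jscript C:\Users\alice\AppData\Local\Temp\stage.js"},
    {"id": 1, "pid": 4004, "ppid": 4003, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Update" /sc minute /mo 30 /tr "wscript.exe C:\Users\alice\AppData\Local\Temp\stage.js"'},
    # Benign noise: Word's own autosave .tmp (not in a Temp folder) and an admin's schtasks from cmd.exe.
    {"id": 11, "pid": 4001, "image": WORD,
     "target": r"C:\Users\alice\Documents\~WRL0001.tmp"},
    {"id": 1, "pid": 5001, "ppid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /sc daily /tr "C:\Tools\backup.cmd"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> (ppid, image) from process-create events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["id"] == 1}


def office_ancestor(pid, procs):
    """Walk the parent chain of pid (excluding pid itself) and return the first
    Office image found, or None.  'seen' guards against pid reuse forming a cycle."""
    seen = set()
    cur = procs.get(pid, (None, None))[0]
    while cur in procs and cur not in seen:
        seen.add(cur)
        ppid, image = procs[cur]
        if basename(image) in OFFICE_IMAGES:
            return image
        cur = ppid
    return None


def hunt(events):
    """Return (rule, pid, detail) findings for each stage of the chain."""
    procs = build_tree(events)
    findings = []
    dropped = []   # lower-cased paths of .tmp files written by Office into Temp
    for e in events:
        if e["id"] == 11 and basename(e["image"]) in OFFICE_IMAGES and TEMP_TMP_RE.search(e["target"]):
            dropped.append(e["target"].lower())
            findings.append(("office_drops_tmp", e["pid"], e["target"]))
    for e in events:
        if e["id"] != 1 or office_ancestor(e["pid"], procs) is None:
            continue   # only processes descended from an Office application
        cmd = e["cmdline"].lower()
        if any(path in cmd for path in dropped):
            findings.append(("office_child_loads_tmp", e["pid"], e["cmdline"]))
        if basename(e["image"]) in SCRIPT_HOSTS:
            findings.append(("office_lineage_script_host", e["pid"], e["cmdline"]))
        if basename(e["image"]) == "schtasks.exe" and "/create" in cmd:
            findings.append(("office_lineage_schtasks_create", e["pid"], e["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Each stage is reported on its own so that a partial chain still surfaces; correlating the four rules on one Office lineage is what turns this from a noisy "Word wrote a temp file" alert into a high-confidence hit. Lineage is reconstructed from pid/ppid pairs only, so in production the check should also key on process GUIDs or start times to survive pid reuse.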

Two main payloads, project.aspx and a.aspx, perform different functions. The former manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter -- internally named PluginHost.exe -- is an executable that manages additional components.

Valak's "ManagedPlugin" module is of particular interest. Its functions include a system information grabber that harvests local and domain data; "Exchgrabber," which aims to infiltrate Microsoft Exchange by stealing credentials and domain certificates; a geolocation verifier; screenshot capture; and "Netrecon," a network reconnaissance tool.

In addition, the malware will scour infected machines for existing antivirus products. 


The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers, in what are believed to be enterprise-focused campaigns.

"Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise," the researchers say. "With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises."

Valak is currently on version 24. While the overall nature of the link between Valak, Ursnif, and IcedID is not understood, the researchers suggest that there may be "personal ties" and "mutual trust" in play -- and the malware's code indicates there may be links to the Russian-speaking underground community.
