The Valak information stealer is being distributed in ongoing campaigns aimed at enterprises in North America, South America, Europe and likely other regions as well, Cisco Talos reports.
Employed in numerous attacks over the past year, Valak is being distributed through malicious spam and typically alongside secondary payloads such as Gozi/Ursnif and IcedID. Campaigns detailed earlier this year revealed a focus on the United States and Germany, but the threat’s reach has expanded.
What makes Valak stand out in the crowd is the use of stolen email threads for distribution, which increases the likelihood of the victim opening the delivered attachments. Over the past several months, the malware has enjoyed increased distribution, with some enterprises targeted repeatedly.
Recently observed campaigns, Talos’ security researchers reveal, targeted sectors such as energy, healthcare, manufacturing, transportation, finance, and insurance.
In one of the observed attacks, targeting a bank, the adversary replied to a months-old email thread, attaching a password-protected ZIP file and reproducing the participants' email signatures to lend the message legitimacy. Further emails were sent to the same recipient hours later.
“This highlights why these campaigns can have a high success rate: They are sent from existing email threads between colleagues or acquaintances. This simple change will greatly increase the likelihood of success. This combined with password-protected ZIP files can defeat a lot of email security and increase the likelihood of the email hitting the target’s inbox,” Talos notes.
Other similar attempts to compromise the same bank were also observed, including one in which an automated email sent by LinkedIn was hijacked.
In attacks targeting an insurance provider, the hackers sent responses to affidavit email threads after compromising email accounts at law firms.
A common feature of these attacks was the use of password-protected ZIP files as attachments, which increased the likelihood of bypassing detection systems, since a gateway cannot inspect the archive's contents without the password. In some cases, the researchers found that these spam messages were forwarded to multiple recipients within the organization, including IT support personnel.
“This really illustrates two points. The first is that it was able to bypass what email security, if any, was present at the enterprises in question. Additionally, it shows that not all users are savvy enough to open password-protected attachments and it may limit users, who would otherwise be susceptible to this attack, from being able to infect themselves,” Talos points out.
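The two delivery traits described above, a reply injected into an old thread and a password-protected ZIP, are both visible to a mail filter without opening the payload: the thread's age comes from the In-Reply-To header against your own mail store, and ZIP marks encrypted entries with bit 0 of each entry's general-purpose flags, in the clear. The following is an added example, not code from Cisco Talos or from this article. The sample messages and archives are constructed inline, the mail-store lookup is a hypothetical dict (a real deployment would query the mail server), and the 60-day "old thread" threshold is an assumption.

```python
import io
import struct
import zipfile
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Constructed stand-in for a mail-store lookup: Message-ID of mail we
# previously sent or received -> when it was sent. A real deployment would
# query the mail server or archive instead of a dict.
KNOWN_THREAD_DATES = {
    "<orig-2020-01@bank.example>": datetime(2020, 1, 15, tzinfo=timezone.utc),
}
OLD_THREAD_DAYS = 60  # assumed threshold for a "months-old" thread


def zip_is_encrypted(data):
    """Return True if any entry in the archive has the encryption flag set.

    ZIP stores the 'encrypted' bit in bit 0 of each entry's general-purpose
    flags, unencrypted, so the archive can be classified without the
    password even though its file contents cannot be scanned.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def make_zip(encrypted):
    """Constructed sample archive. Python's zipfile cannot write encrypted
    archives, so for the 'encrypted' case the flag bit is patched into the
    local file header and the central directory entry; the payload stays
    plaintext, which is all the check above looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("affidavit.doc", b"placeholder document body")
    data = bytearray(buf.getvalue())
    if encrypted:
        lh = data.index(b"PK\x03\x04")  # local file header, flags at +6
        data[lh + 6:lh + 8] = struct.pack("<H", 0x1)
        cd = data.index(b"PK\x01\x02")  # central directory entry, flags at +8
        data[cd + 8:cd + 10] = struct.pack("<H", 0x1)
    return bytes(data)


def make_message(subject, in_reply_to, attachment, sent):
    """Constructed inbound message carrying a ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "paralegal@lawfirm.example"
    msg["To"] = "claims@insurer.example"
    msg["Subject"] = subject
    msg["Date"] = format_datetime(sent)
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    msg.set_content("Please see attached; the password is in my earlier mail.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename="docs.zip")
    return msg.as_bytes()


def assess(raw):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    sent = parsedate_to_datetime(str(msg["Date"]))
    parent = msg.get("In-Reply-To")
    if parent is not None:
        parent_date = KNOWN_THREAD_DATES.get(str(parent).strip())
        if parent_date and sent - parent_date > timedelta(days=OLD_THREAD_DAYS):
            found.append(f"reply to {(sent - parent_date).days}-day-old thread")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Check the bytes, not the declared type: the sender labels
        # attachments freely (application/octet-stream here).
        if data.startswith(b"PK\x03\x04") and zip_is_encrypted(data):
            found.append(f"password-protected ZIP: {part.get_filename()}")
    return found


def is_suspicious(raw):
    """Both indicators together match the delivery pattern described above."""
    found = assess(raw)
    return (any(i.startswith("reply to") for i in found)
            and any(i.startswith("password-protected") for i in found))


SENT = datetime(2020, 5, 20, 9, 0, tzinfo=timezone.utc)
SAMPLE_MALICIOUS = make_message("RE: affidavit", "<orig-2020-01@bank.example>",
                                make_zip(True), SENT)
SAMPLE_BENIGN = make_message("Q2 documents", None, make_zip(False), SENT)

if __name__ == "__main__":
    for name, raw in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(raw), assess(raw))
```

The rule deliberately requires both indicators before flagging: plenty of legitimate mail carries encrypted archives, and plenty of legitimate replies revive old threads, but the combination on an inbound message from an external sender is the pattern worth quarantining or routing for manual review.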
The attacks were observed in several languages, including English, German, and Spanish. Most targeted enterprises, but some were aimed at personal email accounts. The attackers' poor choice of which emails to reply to revealed some issues with the automation they use, Talos notes.
The campaigns were tracked as far back as early 2020, but most of the attacks (95%) were carried out in May and June. While the attackers don’t send large spam volumes, their technique is believed to have returned a high rate of success.