Connect with us

Hi, what are you looking for?



Enterprises in Americas, Europe Targeted With Valak Information Stealer

The Valak information stealer is being distributed in ongoing campaigns aimed at enterprises in North America, South America, Europe and likely other regions as well, Cisco Talos reports.

The Valak information stealer is being distributed in ongoing campaigns aimed at enterprises in North America, South America, Europe and likely other regions as well, Cisco Talos reports.

Employed in numerous attacks over the past year, Valak is being distributed through malicious spam and typically alongside secondary payloads such as Gozi/Ursnif and IcedID. Campaigns detailed earlier this year revealed a focus on the United States and Germany, but the threat’s reach has expanded.

What makes Valak stand out in the crowd is the use of stolen email threads for distribution, which increases the likelihood of the victim opening the delivered attachments. Over the past several months, the malware has enjoyed increased distribution, with some enterprises targeted repeatedly.

Recently observed campaigns, Talos’ security researchers reveal, targeted sectors such as energy, healthcare, manufacturing, transportation, finance, and insurance.

In one of the observed attacks targeting a bank, the adversary sent a reply to a months-old email, and included a password-protected ZIP file and email signatures to provide a sense of legitimacy. Other emails were sent hours later to the same recipient.

“This highlights why these campaigns can have a high success rate: They are sent from existing email threads between colleagues or acquaintances. This simple change will greatly increase the likelihood of success. This combined with password-protected ZIP files can defeat a lot of email security and increase the likelihood of the email hitting the target’s inbox,” Talos notes.

Other similar attempts to compromise the same bank were also observed, including one in which an automated email sent by LinkedIn was hijacked.

In attacks targeting an insurance provider, the hackers sent responses to affidavit email threads after compromising email accounts at law firms.

Advertisement. Scroll to continue reading.

A common feature of these attacks was the use of password-protected ZIP files as attachments, which increased the likelihood of bypassing detection systems. In some cases, the researchers discovered that some of these spam messages were even forwarded to multiple recipients within the organization, including IT support personnel.

“This really illustrates two points. The first is that it was able to bypass what email security, if any, was present at the enterprises in question. Additionally, it shows that not all users are savvy enough to open password-protected attachments and it may limit users, who would otherwise be susceptible to this attack, from being able to infect themselves,” Talos points out.

The attacks were observed leveraging several languages, including English, German, and Spanish. Most of the attacks targeted enterprises, but some of them were aimed at personal email accounts. The poor choice of emails to respond to has revealed some issues with the automation the threat actor uses, Talos notes.

The campaigns were tracked as far back as early 2020, but most of the attacks (95%) were carried out in May and June. While the attackers don’t send large spam volumes, their technique is believed to have returned a high rate of success.

Related: Improved Version of Valak Malware Targets Enterprises in US, Germany

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Related: Rise in Malware Using Encryption Shows Importance of Network Traffic Inspection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...