
Improved Version of Valak Malware Targets Enterprises in US, Germany

Recent versions of the Valak malware have been used in attacks targeting Microsoft Exchange servers at organizations in the United States and Germany, Cybereason’s Nocturnus research team warns.

Discovered in late 2019, when it was used as a loader for malware such as Ursnif (aka Gozi) and IcedID, Valak has evolved into a sophisticated piece of malware that can be used as an information stealer, targeting individuals and enterprises alike.

Over the past six months, Cybereason Nocturnus has observed more than 30 different variants of the malware, with the more recent versions targeting Exchange servers to exfiltrate enterprise mailing information, passwords, and certificates.

Valak, Nocturnus researchers say, has a modular architecture that allows operators to extend its capabilities through plugin components designed for reconnaissance and information stealing. It also shows a focus on stealth, employing evasive techniques such as hiding components in NTFS Alternate Data Streams (ADS) or in the registry.

Attacks observed in April 2020 revealed features such as a fileless stage (the registry is used to store different components), reconnaissance capabilities (targets user, machine, and network information), geolocation awareness, screen-capture capabilities, support for additional plugins, capabilities for targeting enterprise networks and administrators, and the targeting of Exchange servers.

One of the most important additions to the latest versions of Valak, the security researchers explain, is “PluginHost,” a component responsible for providing communication with the command and control (C&C) server and downloading additional plugins to the compromised host.

The malware is being distributed through Microsoft Word documents that carry malicious macros designed to download and launch a DLL file. The malware connects to two C&C URLs (extracted from a list contained in a malicious JavaScript file) to fetch two payloads, after which it sets specific registry keys and values and establishes persistence via a scheduled task.

In the second stage, Valak downloads additional modules that allow it to perform malicious activities. The previously mentioned payloads, along with the configuration stored in registry keys, are used for these nefarious operations.

The first payload is a JavaScript file (executed by the scheduled task used for persistence) that runs the second payload, the PluginHost plugin management component. PluginHost can also download and parse additional payloads, store them as Alternate Data Streams, and create scheduled tasks to execute them.
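As an added example (not code from the article or from Cybereason's report), the following Python heuristic flags the persistence chain described above in process-creation records: a scheduled task whose action is a script host running a JavaScript file, a script host launched by the Task Scheduler service, and file paths using NTFS Alternate Data Stream syntax. The record layout, rule names, paths and task names are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TASK_SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}  # Task Scheduler service hosts
# NTFS ADS syntax is <file>:<stream>. Requiring the stream name to start with a
# letter or underscore keeps drive letters (C:\) and times (/st 12:30) from matching.
ADS_RE = re.compile(r":[A-Za-z_][\w.$]*")

@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def inspect_process(image: str, command_line: str, parent_image: str) -> List[Finding]:
    """Apply three heuristics to one (image, command line, parent image) record."""
    img, parent, cmd = _basename(image), _basename(parent_image), command_line.lower()
    rules = []
    # 1. A scheduled task is created whose action is a script host running a .js file.
    if (img == "schtasks.exe" and "/create" in cmd
            and any(h in cmd for h in SCRIPT_HOSTS) and ".js" in cmd):
        rules.append("scheduled_task_runs_javascript")
    # 2. A script host started by the Task Scheduler service executes a .js file.
    if img in SCRIPT_HOSTS and ".js" in cmd and parent in TASK_SCHEDULER_PARENTS:
        rules.append("javascript_launched_by_task_scheduler")
    # 3. Any argument references a file through ADS syntax (payload hidden in a stream).
    if ADS_RE.search(command_line):
        rules.append("alternate_data_stream_path")
    return [Finding(r, img, command_line) for r in rules]

def scan(records) -> List[Finding]:
    return [f for rec in records for f in inspect_process(*rec)]

# Constructed sample records (image, command_line, parent_image); the paths and the
# task name are invented for this example, not indicators taken from the report.
SAMPLE_RECORDS = [
    ("C:\\Windows\\System32\\schtasks.exe",
     'schtasks.exe /create /tn "Updater" /tr "wscript.exe C:\\Users\\Public\\notes.txt:stage1.js" /sc minute /mo 10 /st 12:30',
     "C:\\Windows\\System32\\rundll32.exe"),
    ("C:\\Windows\\System32\\wscript.exe", 'wscript.exe "C:\\Users\\Public\\notes.txt:stage1.js"',
     "C:\\Windows\\System32\\svchost.exe"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe C:\\Users\\alice\\todo.txt", "C:\\Windows\\explorer.exe"),
    ("C:\\Windows\\System32\\cscript.exe", "cscript.exe C:\\Scripts\\inventory.vbs", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:40} {f.image:14} {f.command_line}")
```

The benign records (an interactive Notepad launch and a .vbs inventory task) produce no findings, while the two records from the chain each trip two rules.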

“Our analysis reveals that this time, the payload downloaded by Valak was IcedID. However, the payload can vary, as the attackers can download other payloads to the infected system. In previous infections, Valak downloaded different remote administration tools like putty.exe and NetSupport Manager,” Cybereason Nocturnus explains.

PluginHost’s functionality is divided into four classes (Bot, HTTPClient, Program and Utils), which together allow it to download and load additional components of the malware. In earlier versions of the malware, plugins were fetched by the second-stage JavaScript via PowerShell.

Downloaded plugins include Systeminfo (for extensive reconnaissance; targets local and domain admins), Exchgrabber (steals Microsoft Exchange data), IPGeo (verifies the geolocation of the target), Procinfo (collects data on running processes), Netrecon (network reconnaissance), and Screencap (captures screenshots).

Two of the downloaded plugins, “Systeminfo” and “Exchgrabber,” are more advanced and complex than the other components and appear to specifically target enterprises, the security researchers note.

Cybereason Nocturnus noticed that there are several URIs that match specific behavior across Valak components, and that the same infrastructure has been used among almost all of its different versions. Moreover, the researchers discovered that Valak’s relationship with other malware is actually multilateral (Ursnif was observed downloading IcedID and Valak).

“Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community. This community is known to keep rather close ties based on trust and reputation,” the researchers note.

Russian and Arabic language settings were also found in the employed phishing documents, but these could be easily manipulated.

“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware,” Cybereason Nocturnus concludes.

Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Related: Rise in Malware Using Encryption Shows Importance of Network Traffic Inspection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
