Improved Version of Valak Malware Targets Enterprises in US, Germany

Recent versions of the Valak malware have been used in attacks targeting Microsoft Exchange servers at organizations in the United States and Germany, Cybereason’s Nocturnus research team warns.

Discovered in late 2019, when it was used as a loader for malware such as Ursnif (aka Gozi) and IcedID, Valak has evolved into a sophisticated piece of malware that can be used as an information stealer, targeting individuals and enterprises alike.

Over the past six months, Cybereason Nocturnus has observed more than 30 different variants of the malware, with the more recent versions targeting Exchange servers to exfiltrate enterprise mailing information, passwords, and certificates.

Valak, Nocturnus researchers say, has a modular architecture that allows operators to extend its capabilities through plugin components designed for reconnaissance and information stealing. It also shows a focus on stealth, employing evasive techniques such as hiding components in Alternate Data Streams (ADS) or in the registry.

Attacks observed in April 2020 revealed features such as a fileless stage (the registry is used to store different components), reconnaissance capabilities (targets user, machine, and network information), geolocation awareness, screen-capture capabilities, support for additional plugins, capabilities for targeting enterprise networks and administrators, and the targeting of Exchange servers.

One of the most important additions to the latest versions of Valak, the security researchers explain, is “PluginHost,” a component responsible for providing communication with the command and control (C&C) server and downloading additional plugins to the compromised host.

The malware is being distributed through Microsoft Word documents that feature malicious macros designed to download and launch a DLL file. The malware connects to two C&C URLs (extracted from a list contained in a malicious JavaScript file) to fetch two payloads, after which it sets specific registry keys and values and establishes persistence via a scheduled task.

In the second stage, Valak downloads additional modules that allow it to perform malicious activities. The previously mentioned payloads, along with the configuration stored in registry keys, are used for these nefarious operations.

The first payload is a JavaScript file (executed by the scheduled task that provides persistence) that runs the second payload, the PluginHost plugin management component. PluginHost can also download and parse additional payloads, save them as ADS, and create scheduled tasks to execute them.
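As an added hunting example (not code from the article or from Cybereason’s report), the following PowerShell script inventories the two persistence artifacts described above: files carrying a non-default Alternate Data Stream, and scheduled tasks whose action invokes a script host against a .js file or an ADS path. The search roots and the allow-listed stream names are assumptions of this example, not indicators taken from the Valak analysis.

```powershell
# Added hunt script; not from the SecurityWeek article or the Cybereason report.
# Assumptions: the search roots ($Roots) and the benign-stream allow-list are this
# example's own choices; nothing here encodes Valak-specific stream or task names.
param(
    [string[]]$Roots = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:APPDATA", "$env:TEMP")
)

# Streams that are normal on Windows and not worth reporting:
# ':$DATA' is the file's default stream; 'Zone.Identifier' is the mark-of-the-web.
$benignStreams = @(':$DATA', 'Zone.Identifier')

# 1. Files carrying a non-default Alternate Data Stream.
$adsHits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream on the file, including the default one.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $benignStreams -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# 2. Scheduled tasks whose action runs a script host (wscript/cscript/mshta) against
#    a .js file or an ADS path of the form "file.ext:stream". The regex requires a
#    file extension before the colon, so drive letters such as "C:\" do not match.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $usesScriptHost = $cmd -match '\b(wscript|cscript|mshta)(\.exe)?\b'
        $refsJs         = $cmd -match '\.js\b'
        $refsAds        = $cmd -match '[^\s:]+\.[a-z0-9]+:[^\s\\/:]+'
        if ($usesScriptHost -and ($refsJs -or $refsAds)) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Command  = $cmd.Trim()
            }
        }
    }
}

"== Files with non-default ADS =="
$adsHits | Format-Table -AutoSize
"== Scheduled tasks running JS or ADS content via a script host =="
$taskHits | Format-Table -AutoSize
```

Any hit is a lead to triage, not a verdict: legitimate software also writes ADS and schedules scripts, so compare each result against the signer, creation time and parent process before acting on it.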

“Our analysis reveals that this time, the payload downloaded by Valak was IcedID. However, the payload can vary, as the attackers can download other payloads to the infected system. In previous infections, Valak downloaded different remote administration tools like putty.exe and NetSupport Manager,” Cybereason Nocturnus explains.

PluginHost’s functionality is divided into four classes (Bot, HTTPClient, Program and Utils), which together allow it to download and load additional components of the malware. In earlier versions of the malware, plugins were fetched by the second-stage JavaScript via PowerShell.

Downloaded plugins include Systeminfo (for extensive reconnaissance; targets local and domain admins), Exchgrabber (steals Microsoft Exchange data), IPGeo (verifies the geolocation of the target), Procinfo (collects data on running processes), Netrecon (network reconnaissance), and Screencap (captures screenshots).

Two of the downloaded plugins, “Systeminfo” and “Exchgrabber,” are more advanced and complex than the other components and appear to specifically target enterprises, the security researchers note.

Cybereason Nocturnus noticed that there are several URIs that match specific behavior across Valak components, and that the same infrastructure has been used among almost all of its different versions. Moreover, the researchers discovered that Valak’s relationship with other malware is actually multilateral (Ursnif was observed downloading IcedID and Valak).

“Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community. This community is known to keep rather close ties based on trust and reputation,” the researchers note.

Russian and Arabic language settings were also found in the phishing documents used, but these settings could easily have been manipulated.

“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware,” Cybereason Nocturnus concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
