Recent versions of the Valak malware have been used in attacks targeting Microsoft Exchange servers at organizations in the United States and Germany, Cybereason’s Nocturnus researcher team warns.
Discovered in late 2019, when it was used as a loader for malware such as Ursnif (aka Gozi) and IcedID, Valak has evolved into a sophisticated piece of malware that can be used as an information stealer, targeting individuals and enterprises alike.
Over the past six months, Cybereason Nocturnus has observed more than 30 different variants of the malware, with the more recent versions targeting Exchange servers to exfiltrate enterprise mailing information, passwords, and certificates.
Valak, Nocturnus researchers say, has a modular architecture, thus allowing operators to extend its capabilities through plugin components designed for reconnaissance and information stealing. It also shows a focus on stealth, employing evasive techniques such as Alternate Data Streams (ADS), or the hiding of components in the registry.
Attacks observed in April 2020 revealed features such as a fileless stage (the registry is used to store different components), reconnaissance capabilities (targets user, machine, and network information), geolocation awareness, screen-capture capabilities, support for additional plugins, capabilities for targeting enterprise networks and administrators, and the targeting of Exchange servers.
One of the most important additions to the latest versions of Valak, the security researchers explain, is “PluginHost,” a component responsible for providing communication with the command and control (C&C) server and downloading additional plugins to the compromised host.
The malware is being distributed through Microsoft Word documents that feature malicious macros designed to download and launch a DLL file. The malware connects to two C&C URLs (extracted from a list contained in a malicious JavaScript file) to fetch two payloads, after which it sets specific registry keys and values, and sets persistence via a scheduled task.
In the second stage, Valak downloads additional modules that allow it to perform malicious activities. The previously mentioned payloads, along with the configuration stored in registry keys, are used for these nefarious operations.
The first payload is a JavaScript file (executed by the scheduled task meant for persistence) that runs the second payload, which is the PluginHost plugin management component. It can also download and parse additional payloads, and save payloads as ADS and set scheduled tasks to execute them.
“Our analysis reveals that this time, the payload downloaded by Valak was IcedID. However, the payload can vary, as the attackers can download other payloads to the infected system. In previous infections, Valak downloaded different remote administration tools like putty.exe and NetSupport Manager,” Cybereason Nocturnus explains.
PluginHost’s functionality is divided into four classes (Bot, HTTPClient, Program and Utils), which allows it to download and load additional components of the malware. In earlier versions of the malware, plugins were fetched by the second stage JavaScript via PowerShell.
Downloaded plugins include Systeminfo (for extensive reconnaissance; targets local and domain admins), Exchgrabber (steals Microsoft Exchange data), IPGeo (verifies the geolocation of the target), Procinfo (collects data on running processes), Netrecon (network reconnaissance), and Screencap (captures screenshots).
Two of the downloaded plugins, “Systeminfo” and “Exchgrabber,” are more advanced and complex than the other components and appear to specifically target enterprises, the security researchers note.
Cybereason Nocturnus noticed that there are several URIs that match specific behavior across Valak components, and that the same infrastructure has been used among almost all of its different versions. Moreover, the researchers discovered that Valak’s relationship with other malware is actually multilateral (Ursnif was observed downloading IcedID and Valak).
“Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community. This community is known to keep rather close ties based on trust and reputation,” the researchers note.
Russian and Arabic language settings were also found in the employed phishing documents, but these could be easily manipulated.
“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware,” Cybereason Nocturnus concludes.
Related: Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed
Related: Rise in Malware Using Encryption Shows Importance of Network Traffic Inspection