Valak first surfaced late last year as a loader for other threats. However, over the past six months, it turned out to be the information grabber.
According to ZDNet, the malware was seen in active campaigns and targeted the United States and Germany entities. However, the Cybereason Nocturnus security team said the malware has evolved to "an information stealer to target individuals and enterprises."
The malware's recent versions aimed to steal enterprise mailing information, passwords, and the enterprise certificate at Microsoft Exchange servers. With such an intrusion, Valak may get access to critical enterprise accounts, leading to damage to organizations, brand degradation, and even loss of consumer trust.
Valak's huge transformation
Earlier this month, Valak was previously bundled together with Ursnif and IcedID banking Trojan contents (1,2).
2020-05-22 - #Malspam with password-protected zip attachments pushes #Valak with #IcedID - Paste of info: https://t.co/cC45nRDcuI - Pastebin raw: https://t.co/rJd454Khrl pic.twitter.com/v0DT1lbQFg — Brad (@malware_traffic) May 23, 2020
Valak was previously classified by cybersecurity researchers as a malware loader in late 2019. It was then deemed "sophisticated" by Cybereason Nocturnus team as it went through an overhaul over the past six months, going through over 20 version revisions shifting from a loader to an independent threat.
It enters a machine through a phishing attack using Microsoft Word documents. These contain malicious macros like a .DLL file called "U.tmp," which is then downloaded and stored in a temporary folder.
A WinExec API call is made while a JavaScript code is downloaded, building links to command-and-control (C2) servers. Also, additional files are downloaded and used Base64 and an XOR cipher to decode while the main payload is installed.
To maintain persistence on an infected machine, registry keys and values are set, and a scheduled task is created while Valek downloads and executes additional modules for reconnaissance and data theft.
Two main payloads perform different functions. The project .aspx manages registry keys, task scheduling for malicious activities, and persistence while the a.aspx named PluginHost.exe is executable that manages additional components.
Meanwhile, Valak's "ManagedPlugin" module is of particular interest, which functions contain a system information grabber that collects local and domain data. The "Exchgrabber" function aims to infiltrate Microsoft Exchange by stealing credentials and domain licenses, screenshot capture, a geolocation verifier, and a network reconnaissance tool called "Netrecon."
Also, the malware will scour infected machines for existing antivirus products.
The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers in what is believed to be enterprise-focused attacks.
The researchers said that extracting these sensitive data would give the attackers "access to an inside domain user for the internal mail services of an enterprise" as well as entry to the enterprise's domain certificate. "With system info, the attacker can identify which user is a domain administrator," which would create a dangerous blend of data leakage, wide-range cyber espionage, or information theft. "It also shows that the intended target of this malware is first and foremost enterprises," the researchers added.
The malware is now on version 24. Although the link between Valak, Ursnif, and IcedID is not yet clear, researchers suggest that it may involve "personal ties" and "mutual trust" as the Valak's code implies alleged links to a Russian-speaking underground society.
