The Valak malware has changed significantly over the past six months: it was first developed as a loader, but it now also implements information-stealing capabilities.
The malicious code first appeared in the threat landscape in late 2019; over the past six months, experts observed more than 30 versions, which ultimately turned the malware from a loader into an infostealer used in attacks against individuals and enterprises.
“The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months.” reads the analysis published by Cybereason. “This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises.”
The malicious code was employed in attacks mainly aimed at entities in the US and Germany; in earlier campaigns it was bundled with the Ursnif and IcedID threats.
The attack chain starts with phishing messages carrying a weaponized Microsoft Word document that contains malicious macros. Once the macros are enabled, a DLL file named “U.tmp” is downloaded and saved to a temporary folder.
When the DLL is executed, it drops a malicious JavaScript file with a random name (different on every execution) and launches it with a WinExec API call.
The JavaScript code establishes connections to the command-and-control (C2) servers. The script also downloads additional files, decodes them using Base64 and an XOR cipher, and then deploys the main payload.
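As an added worked example (not code from the Cybereason report and not Valak's own code), the following Python decoder handles the Base64-plus-XOR scheme described above. The report does not state in which order the two steps are applied or how long the key is, so this example assumes the downloaded blob is Base64-decoded first and then XORed with a single repeating byte, and it shows how an analyst recovers an unknown one-byte key from a known plaintext prefix. The sample blob, the key 0x5A and the JavaScript snippet are constructed for the example.

```python
import base64
from typing import Optional, Tuple

# Constructed sample for this example (not a real Valak artifact): a tiny
# JavaScript snippet and an assumed single-byte XOR key. SAMPLE_BLOB below is
# the Base64 text an analyst would lift from the script or a network capture.
SAMPLE_KEY = b"\x5a"
SAMPLE_PLAINTEXT = b'var c2 = "http://c2.example.invalid/a.aspx";\n'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single byte is the common case)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_stage(payload: bytes, key: bytes) -> str:
    """Build a blob the way the decoder expects it: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(payload, key)).decode("ascii")


def decode_stage(blob: str, key: bytes) -> bytes:
    """Undo encode_stage: Base64-decode (strictly), then XOR with the key."""
    raw = base64.b64decode(blob, validate=True)  # reject stray characters
    return xor_bytes(raw, key)


def recover_single_byte_key(raw: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force a one-byte key when the payload starts with known_prefix.

    Decoded stages usually begin with something predictable ("var ", "MZ",
    "function", ...). 256 trials are enough for a one-byte key; a longer
    prefix reduces the chance of a false match.
    """
    if len(raw) < len(known_prefix):
        return None
    head = raw[: len(known_prefix)]
    for candidate in range(256):
        if xor_bytes(head, bytes([candidate])) == known_prefix:
            return candidate
    return None


def analyze_blob(blob: str, known_prefix: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Decode a captured blob whose single-byte key is unknown.

    Returns (key, plaintext), or (None, None) if no key reproduces the prefix.
    """
    raw = base64.b64decode(blob, validate=True)
    key = recover_single_byte_key(raw, known_prefix)
    if key is None:
        return None, None
    return key, xor_bytes(raw, bytes([key]))


# Constructed input for the run below, produced by the mirror encoder.
SAMPLE_BLOB = encode_stage(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plaintext = analyze_blob(SAMPLE_BLOB, b"var ")
    print(f"recovered key: 0x{key:02x}")
    print(plaintext.decode())
```

If the sample in hand uses a multi-byte key, `xor_bytes` already handles a repeating key once it is known; the brute-force helper is deliberately limited to one byte, since a longer key needs more known plaintext (or frequency analysis) to recover reliably.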
“In the first stage, Valak laid the foundation for the attack. In the second stage, it downloads additional modules for reconnaissance activity and to steal sensitive information.” continues the post.
Valak uses two main payloads, project.aspx and a.aspx. The former, the second-stage JavaScript, manages registry keys, scheduled tasks for malicious activities, and persistence, whereas the latter, an executable named “PluginHost.exe”, is used to manage additional components.
The Program class of PluginHost.exe contains the file’s main function, main(), which calls GetPluginBytes() to download the module components of type “ManagedPlugin”. These components are loaded reflectively into the executable’s memory, giving the malware plugin capabilities.
PluginHost.exe implements multiple functions by loading specific modules; the experts documented several of them, including the Systeminfo module described below.
The Systeminfo module contains several reconnaissance functions that allow gathering information about the user, the machine, and existing AV products.
Recent Valak variants have been used in attacks targeting Microsoft Exchange servers, likely as part of campaigns against enterprises.
“More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.” concludes the post.
“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware.”