Valak 2.0: The malware loader turned information stealer

guest · May 28, 2020

Valak 2.0: The malware loader turned information stealer
The former malware loader has been reengineered to target enterprises
May 28, 2020
https://portswigger.net/daily-swig/valak-2-0-the-malware-loader-turned-information-stealer

The Valak malware loader has been retooled to become a stealthier, more sophisticated class of malware that’s being used for reconnaissance and information stealing, researchers have discovered.

Cybereason’s Nocturnus team witnessed a “a series of dramatic changes” in more than 30 new variants observed in the wild during investigations lasting less than six months, according to a technical blog post published today (May 28).
[...] told The Daily Swig that its creators may have adopted the malware-as-a-service [MaaS] model.
Click to expand...

The new breed of Valak additionally features a fileless stage, which stores components in the registry, takes screenshots, and checks the infected machine’s geolocation.
Two of these addons – ‘Systeminfo’ and ‘Exchgrabber’ – appear to specifically target enterprises, Salem and Rochberger said.
‘Sophisticated, multi-stage modular malware’
First discovered in late 2019, Valak was initially launched against organizations in the US and was often paired with the Ursnif (AKA Gozi) and IcedID banking trojans.

“Valak has evolved from a loader to a sophisticated, multi-stage modular malware that collects plugins from its C2 server to expand its capabilities,” said the researchers, who noted that new variants are being directed at enterprises in Germany as well as the US.
Click to expand...

Cybereason: Cybereason Discovers Valak Malware, an Evasive and Sophisticated Threat to Enterprises in the United States and Germany

Cybereason, creators of the award-winning Cyber Defense Platform,today unveiled new research from its Nocturnus Research team. Titled Valak: More than Meets the Eye, the report is an investigation into an info stealing, data siphoning malware hitting hundreds of enterprises in the United States and Germany.
Click to expand...

Valak: More than Meets the Eye

Targeting Enterprises: More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

With a Rich Modular Architecture: Valak’s basic capabilities are extended with a number of plugin components for reconnaissance and information stealing.

Designed for Stealth: Valak is a stealthy malware that uses advanced evasive techniques like ADS and hiding components in the registry. In addition, over time the developers of Valak chose to abandon using PowerShell, which can be detected and prevented by modern security products.

Click to expand...

guest · Jun 9, 2020

Valak malware gets new plugin to steal Outlook login credentials
June 9, 2020
https://www.bleepingcomputer.com/ne...ew-plugin-to-steal-outlook-login-credentials/

Authors of Valak information stealer are focusing more and more on stealing email credentials as researchers find a new module specifically built for this purpose.

The malware emerged in testing mode in mid-October 2019 and has a modular plugin architecture that expands its capabilities to cover the needs of the threat actor.
Reply-chain attacks
Valak has been developed at an accelerated rate, with more than 30 variants being identified in six months. It started as a malware loader that later evolved to an information stealer focusing on enterprise targets.

In a technical analysis published today, researchers at cybersecurity company SentinelOne provide details about a new plugin called “clientgrabber,” whose task is to steal email credentials from the registry of a compromised machine.
Access to user inboxes enables threat actors to run so-called “reply chain attacks,” where they sneak a malicious message into an email thread to deliver malware.
Click to expand...

Valak's clientgrabber
While researching the malware, SentinelOne found the “clientgrabber” plugin that checks for passwords in registry locations related to Microsoft’s Outlook client.
Once identified, the plugin searches for the ‘keys’ and determines the encryption method and if the value contains password data that can be decrypted.

The researchers say that Valak is tightly connected to Gozi malware, known to have a Russian origin, to a degree that the overlapping campaign structure led sandbox analysis solutions to confuse Valak for Gozi.
Click to expand...

SentinelOne: Valak Malware and the Connection to Gozi Loader ConfCrew

Valak uses a multi-stage, script-based malware that hijacks email replies and embeds malicious URLs or attachments to infect devices with fileless scripts.
Click to expand...

guest · Jul 2, 2020

Enterprises in Americas, Europe Targeted With Valak Information Stealer
July 2, 2020
https://www.securityweek.com/enterprises-americas-europe-targeted-valak-information-stealer

Employed in numerous attacks over the past year, Valak is being distributed through malicious spam and typically alongside secondary payloads such as Gozi/Ursnif and IcedID. Campaigns detailed earlier this year revealed a focus on the United States and Germany, but the threat’s reach has expanded.
Over the past several months, the malware has enjoyed increased distribution, with some enterprises targeted repeatedly.

In one of the observed attacks targeting a bank, the adversary sent a reply to a months-old email, and included a password-protected ZIP file and email signatures to provide a sense of legitimacy. Other emails were sent hours later to the same recipient.
Click to expand...

Recently observed campaigns, Talos’ security researchers reveal, targeted sectors such as energy, healthcare, manufacturing, transportation, finance, and insurance.

“This highlights why these campaigns can have a high success rate: They are sent from existing email threads between colleagues or acquaintances. This simple change will greatly increase the likelihood of success. This combined with password-protected ZIP files can defeat a lot of email security and increase the likelihood of the email hitting the target's inbox,” Talos notes.

The campaigns were tracked as far back as early 2020, but most of the attacks (95%) were carried out in May and June. While the attackers don’t send large spam volumes, their technique is believed to have returned a high rate of success.
Click to expand...

Cisco Talos: Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks

Attackers are actively distributing the Valak malware family around the globe, with enterprises, in particular, being targeted.

These campaigns make use of existing email threads from compromised accounts to greatly increase success.

The additional use of password-protected ZIP files can create a blind spot in security protections.

The overwhelming majority of campaigns occurred over the last couple of months and targeted organizations in the financial, manufacturing, health care and insurance verticals.

Click to expand...

guest · Jul 26, 2020

Evolution of Valak, from Its Beginnings to Mass Distribution
July 24, 2020
https://unit42.paloaltonetworks.com/valak-evolution/

First noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551.

This blog covers the history of Valak, reviews the chain of events for an infection, examines traffic generated by Valak and explores recent updates in obfuscation techniques used by the malware in order to evade detection. This blog also examines the Shathak/TA551 distribution system that has been consistently pushing Valak since April 2020.
Valak History
Valak was documented as follow-up malware during an Ursnif infection (also known as Gozi or IFSB) on December 19, 2019. Analysis by Cybereason revealed Valak used a combination of techniques to remain persistent on an infected Windows host. Valak relies on scheduled tasks combined with Windows registry updates. It also uses Alternate Data Stream (ADS) during the infection process for follow-up malware. [...]
Click to expand...

Conclusion
As we enter the second half of 2020, Valak shows no signs of slowing down. We expect to see further waves of malspam from Shathak/TA551 distribution pushing Word documents with macros for Valak.
Due to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased.

However, security best practices like running fully patched and up-to-date versions of Microsoft Windows will hinder or prevent Valak infections.
Click to expand...

guest · Oct 7, 2020

New Valak Variant Makes “Most Wanted Malware” List for First Time
October 7, 2020
https://www.tripwire.com/state-of-s...akes-most-wanted-malware-list-for-first-time/

An updated variant of the Valak malware family earned a place on a security firm’s “most wanted malware” list for the first time.

Check Point revealed that an updated version of Valak ranked as the ninth most prevalent malware in its Global Threat Index for September 2020.
First detected back in 2019, Valak garnered the attention of Cybereason in May 2020 for its ability to function beyond a malware loader and independently operate as an information stealer.
Click to expand...

Check Point urged organizations to actively respond to these developments by safeguarding their information.

These new campaigns spreading Valak are another example of how threat actors look to maximize their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August, Valak is intended to enable data and credentials theft at scale from organizations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source.
Click to expand...

Check Point: September 2020’s Most Wanted Malware: New Info-stealing Valak Variant Enters Top 10 Malware List For First Time

Our latest Global Threat Index for September 2020 has revealed that an updated version of Valak malware has entered the Index for the first time, ranking as the 9th most prevalent malware.
Click to expand...

Log in or Sign up

Valak 2.0: The malware loader turned information stealer

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Valak 2.0: The malware loader turned information stealer

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches