Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:50 PM

Valak Malware Retasked to Steal Data from US, German Firms

Once considered a loader for other malware, Valak regularly conducts reconnaissance and steals information and credentials, new analysis shows.

Over the past six months, a surge of development activity on a malicious program known as Valak — traditionally used for loading other malware on compromised systems — has transformed the software into a tool for reconnaissance and the stealing of credentials and other sensitive information, according to new analysis by Cybereason.

The developers behind the malware have released more than 20 different versions in the past six months, turning the program into a multistage modular framework that can be upgraded with additional functionality through plug-ins. First discovered in late 2019, Valak focuses on administrators on enterprise networks and specifically targets Microsoft Exchange servers, says Assaf Dahan, head of threat research at Cybereason, a threat-protection firm.

"Valak's move to modules that are specifically targeted at enterprises and organizations shows us that the developers are moving away from targeting individuals and are more focused on compromising businesses," he says. "They are doing this on very rapid development cycles — every few days, they are uploading a new version."

While the software is not in widespread use at this point, its trajectory suggests it will become a standard tool for cybercriminals, Dahan says. The operators of Valak originally used the code to download other malware, such as Ursnif or IcedID, but Cybereason has found the relationship between the programs — and their groups — to be more complex, as those programs have also downloaded and installed Valak on other systems. 

The connection between the three programs suggests that Valak's operators may be part of the Russian cybercriminal underground, according to Cybereason's analysis.

"While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and mutual trust from underground communities," the report states. "Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community."

The operators behind Valak began by targeting organizations in Germany but have added targets in the US as well. The malware will continue to evolve as the criminals behind them expand their operations, said James McQuiggan, an evangelist for security-awareness firm KnowBe4, in a statement.

"Just like organizations providing a service or product, they are continually updating it to improve the technology or capabilities," he said. "Criminal groups are no different, as seen with Valak. In the past nine months, this malicious software has increased its functions to steal sensitive information and deploy additional malware."

The malware has extensive features for collecting credentials and seems to have a code-specific focus on Microsoft Exchange mail servers. By grabbing sensitive data, the attackers can gain access to the domain user privileges for internal mail services and the company's domain certificate, Cybereason warns in its report. 

"This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing," the company states. "It also shows that the intended target of this malware is first and foremost enterprises." 

Overall, the malware appears to be the result of significant development effort, and through its modular design can be updated with more features to evade detection and more capabilities for stealing data. Companies should make sure they have the processes and technologies in place to detect the attack, Cybereason's Dahan says.

"Valak is using very stealthy techniques that are not trivial, and antivirus will have trouble catching it," he says. "We are pretty good at predicting which malware is going to turn into a major threat, and we have reason to believe that Valak will become more prominent."

The malware often appears as a Microsoft Office document containing a malicious macro — a popular way for attackers to compromise systems, said security services firm EmberSec in a statement.

"Companies should continue to enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education," the company said.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.