Cybereason has unveiled new research from its Nocturnus Research team. Titled Valak: More than Meets the Eye, the report is an investigation into an information-stealing, data-siphoning malware hitting hundreds of enterprises in the United States and Germany. The sophisticated malware, discovered in late 2019, collects and steals sensitive information from the Microsoft Exchange mail system, including credentials and the domain certificate. It uses evasive techniques to avoid detection and has evolved from a malware loader into an information stealer.
To date, more than 30 versions of the malware have been found, revealing tremendous improvements in a very short period of time. Valak contains a fileless stage in which it uses the registry to store its different components. It collects user, machine, and network information from infected hosts, can check the geo-location of the victim's machine, and can take screenshots of infected machines.
Other key findings:
- Targeting enterprises: More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This could give attackers access to critical enterprise accounts, causing damage to organisations, brand degradation, and ultimately a loss of consumer trust.
- Rich modular architecture: Valak’s basic capabilities are extended with a number of plugin components for reconnaissance and information stealing.
- Fast development cycles: Valak has evolved from a loader to a sophisticated, multi-stage modular malware that collects plugins from its C2 server to expand its capabilities. The Cybereason Nocturnus team has observed over 30 different versions in about six months.
- Designed for stealth: Valak uses advanced evasive techniques such as alternate data streams (ADS) and hiding components in the registry. In addition, over time the developers of Valak chose to abandon PowerShell, which can be detected and prevented by modern security products.
“Over the course of six months, Valak’s developers made tremendous progress and released more than 30 versions of the malware. Each time, they extended the malware’s capabilities and added evasive techniques to improve its stealth. Valak has at least six plugin components that enable attackers to obtain sensitive information from its victims. The threat actor behind Valak is collaborating with other criminals across the E-Crime ecosystem to create an even more dangerous piece of malware,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.