Revamped Valak Malware Targets Exchange Servers

Malware, Now Acting as an Infostealer, Spotted in US and Germany: Cybereason
A recently revamped version of the Valak strain of malware is targeting Microsoft Exchange servers in the U.S. and Germany, according to the security firm Cybereason.

First spotted in late 2019, Valak was originally designed as a malware loader that could deliver banking Trojans such as Ursnif and IcedID to infected devices. In the more recent modifications, however, the creators of Valak have revamped the malware to act more as an information stealer capable of exfiltrating data from corporate user accounts, according to the Cybereason Nocturnus research team.

The attackers are distributing Valak through phishing emails with malicious attached documents, the researchers say. Once a device is infected, the information stealer can exfiltrate data such as details about the Exchange mail system, users' credentials and the domain certificate, according to the Cybereason research report. It can also take screenshots and relay details about the device and network back to the attackers.

"This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust," Cybereason says.

By targeting Exchange servers, the Cybereason researchers note, the attackers using Valak apparently are aiming to steal high-level enterprise data.

"This creates a very dangerous combination of sensitive data leakage and potentially large-scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises," the Cybereason report states.

Updated Capabilities

In the last six months, researchers have found over 30 versions of Valak in the wild. The developers behind the malware have extended its capabilities by adding plug-in components, according to the report.

For instance, one recent version of Valak contains a component called "PluginHost," which enables the malware to communicate with the command-and-control server as well as download additional plugins. This also gives Valak the ability to deliver additional malware to an infected device or network, the Cybereason researchers say.

Researchers also note that the developers of Valak abandoned the PowerShell downloader and are now using the PluginHost component to deliver and then control the malware on a device. This seems to indicate that the attackers are trying to ensure that the malware avoids detection by security tools, according to the report.

Newer versions of Valak also use advanced evasive techniques, such as alternate data streams to help hide malicious files and multiple obfuscation methods.

"Over the course of roughly six months, Valak's developers made tremendous progress and released more than 30 different versions. Each version extended the malware's capabilities and added evasive techniques to improve its stealth," Cybereason researchers say.

Multistage Attack

Valak works through a multistage attack, laying the foundation in the first stage and then downloading additional modules for system reconnaissance and information stealing in the second stage, researchers note.

First, the malware is spread using phishing emails that contain malicious Microsoft Word documents with hidden macro code, according to the report. The documents are in English or German, depending on the target.

When the document is opened, the malicious macro code installs a dynamic-link library (DLL) file with a CAB extension, named "U.tmp," which is saved in a temporary folder. The DLL then uses the WinExec API to download JavaScript code that eventually connects to the command-and-control server, the report notes.

The malware connects to separate command-and-control servers and downloads two files that are encoded with base64 and an XOR cipher. These two files, "project.aspx" and "a.aspx," serve different purposes.

The project.aspx file is used to maintain persistence on the system by installing additional plugins and payloads from the command-and-control server and saving them as alternate data streams to hide them, according to the report.

The second file, a.aspx, is saved in the temporary folder and is used to manage additional components, the report says. These components are responsible for reconnaissance, stealing Microsoft Exchange data, verifying geolocation, collecting information on the system's processes and capturing screenshots, the researchers say.
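The report describes the downloaded stage files as obfuscated with base64 and an XOR cipher. The following analyst helper, added here as an illustration and not code from Cybereason or from the malware, shows how such a blob can be unwrapped when the XOR key is unknown: it base64-decodes the blob, tries every single-byte key, and keeps the candidate that looks most like text. The single-byte key, the base64-outside/XOR-inside layering and the sample blob are all assumptions constructed for the example.

```python
import base64

# Printable bytes used when scoring candidates: space through '~', plus tab, LF and CR.
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (a single-byte key is an assumption here)."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> int:
    """Heuristic ranking: reward lowercase letters and spaces, mildly reward other
    printable bytes, and penalise control or high bytes, so a decoded script
    outranks the noise produced by wrong keys."""
    score = 0
    for b in candidate:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif b in _PRINTABLE:
            score += 1
        else:
            score -= 10
    return score


def recover_payload(blob_b64: str):
    """Base64-decode an obfuscated blob, then brute-force the XOR key byte.
    Returns (key, plaintext) for the highest-scoring candidate."""
    raw = base64.b64decode(blob_b64)
    best_key, best_score = 0, None
    for key in range(256):
        score = text_score(xor_single_byte(raw, key))
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key, xor_single_byte(raw, best_key)


# Constructed sample standing in for a downloaded second-stage file. It is
# obfuscated the way the article describes (XOR, then base64); not real Valak data.
SAMPLE_KEY = 0x5A
SAMPLE_TEXT = b"// constructed stand-in for a second-stage script\nvar stage = 'two';\n"
SAMPLE_BLOB = base64.b64encode(xor_single_byte(SAMPLE_TEXT, SAMPLE_KEY)).decode("ascii")

if __name__ == "__main__":
    key, plaintext = recover_payload(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}")
    print(plaintext.decode("ascii", errors="replace"))
```

Real samples may use a multi-byte key or a different layering order; the scoring function is the part to adapt once a known fragment of the decoded file is available.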

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
