Malware named Valak targets Microsoft Exchange servers to steal corporate data: How it works | Instant News

When we first heard about Valak, it was a loader for other threats. Six months later, the malware has turned into an infostealer targeting Microsoft Exchange servers to steal corporate data.

Valak has now been seen in active campaigns focused on entities in the US and Germany. Previously it was bundled with the Ursnif and IcedID banking payloads. When first observed in the second half of 2019, Valak was classified by cybersecurity researchers as a ‘malware loader’. The Cybereason Nocturnus team called Valak “sophisticated”.

The former malware loader has gone through more than 20 revisions, a series of changes that have turned it from a loader into an independent threat.

The cybersecurity team at Cybereason Nocturnus said on Thursday that Valak was now an “information thief” targeting “individuals and companies”.

How does it work?

Reports indicate that, after landing on the machine through a phishing attack using a Microsoft document with a malicious macro, a .DLL file named U.tmp is downloaded and saved to a temporary folder.

Then a WinExec API call is made and JavaScript code is downloaded. This leads to a connection being established with the command-and-control (C2) server. Additional files are then downloaded and decoded using Base64 and an XOR cipher. Then the main payload is deployed.

This is followed by setting a registry key and value, and “scheduled tasks are created to maintain persistence on the infected machine”. Valak then downloads and runs additional modules for data snooping and theft.
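As an added illustration (not from the article or from Cybereason), the detection logic below correlates the stages just described in constructed Sysmon-style events: an Office process writing a .tmp file into a temp folder, a child process spawned by Office, and registry or scheduled-task persistence set by an Office descendant. The event schema, field names, process names and sample paths are assumptions.

```python
"""Heuristic detector for the Valak delivery chain described above.

Assumed event shape (not from the article): dicts with 'event' in
{file_create, process_create, registry_set, task_create}, 'pid',
'image', plus 'ppid' for process_create and 'target' for the rest.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# A .tmp file written directly into a folder named Temp or Tmp
TEMP_TMP = re.compile(r"\\(temp|tmp)\\[^\\]+\.tmp$", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_valak_chain(events):
    """Return one alert string per suspicious stage, in event order."""
    parent = {}   # pid -> ppid, from process_create events
    image = {}    # pid -> lowercase image name
    for ev in events:
        image[ev["pid"]] = image_name(ev["image"])
        if ev["event"] == "process_create":
            parent[ev["pid"]] = ev["ppid"]

    def descends_from_office(pid):
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
            if image.get(pid) in OFFICE:
                return True
        return False

    alerts = []
    for ev in events:
        img = image[ev["pid"]]
        if ev["event"] == "file_create" and img in OFFICE and TEMP_TMP.search(ev["target"]):
            alerts.append(f"office_writes_tmp:{ev['target']}")
        elif ev["event"] == "process_create" and image.get(ev["ppid"]) in OFFICE:
            alerts.append(f"office_spawns:{img}")
        elif ev["event"] in ("registry_set", "task_create") and descends_from_office(ev["pid"]):
            alerts.append(f"persistence_from_office_descendant:{ev['event']}")
    return alerts

# Constructed sample events; the child image name and targets are placeholders.
SAMPLE_EVENTS = [
    {"event": "file_create", "pid": 100, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\U.tmp"},
    {"event": "process_create", "pid": 101, "ppid": 100, "image": "C:\\Windows\\Temp\\child.exe"},
    {"event": "registry_set", "pid": 101, "image": "C:\\Windows\\Temp\\child.exe", "target": "HKCU\\PLACEHOLDER_RUN_KEY"},
    {"event": "task_create", "pid": 101, "image": "C:\\Windows\\Temp\\child.exe", "target": "\\PLACEHOLDER_TASK"},
    {"event": "file_create", "pid": 200, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\bob\\Documents\\notes.txt"},  # benign, no alert
]
```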

The two main payloads of this malware, project.aspx and a.aspx, have different roles. project.aspx manages registry keys and schedules tasks for malicious activity and persistence, while a.aspx (called PluginHost.exe internally) is an “executable” that manages additional components.

Valak’s ‘ManagedPlugin’ module functions as a “system information retrieval that harvests local and domain data”. It has an “Exchgrabber” function that aims to infiltrate Microsoft Exchange by “stealing domain credentials and certificates”. It also performs geolocation verification, takes screenshots, and includes “Netrecon”, which is essentially a network reconnaissance tool. In addition, Valak probes infected machines for existing antivirus products.

The latest Valak variant has been found in cases against Microsoft Exchange servers, in what can be called “company-focused attacks”.

“Extracting this sensitive data allows an attacker to access inside domain users for a company’s internal email service along with access to the company’s domain certificate,” said the cybersecurity researchers.

They added: “With systeminfo, an attacker can identify which users are domain administrators. This creates a very dangerous combination of sensitive data leakage and has the potential to spy on or spy on large-scale cyber. This also shows that the intended malware target is the first and leading company.”

Now at version 24, Valak’s link with Ursnif and IcedID has not been fully pinned down by cybersecurity researchers. However, they suggested that there might be personal ties and mutual trust at play between them, and that the Valak code indicated “there might be links to underground Russian-speaking communities”.

