A malware called Valak is targeting Microsoft Exchange servers to steal enterprise data: How it works

Valak has evolved over the past six months and is no longer just a loader for other threats. It is now a standalone threat.

By: HT TECH
Updated on: Aug 20 2022, 21:11 IST
When it was first observed in the latter half of 2019, Valak was classified by cybersecurity researchers as a ‘malware loader’. The Cybereason Nocturnus team called Valak ‘sophisticated’. (Pixabay)

When we first heard about Valak, it was a loader for other threats. Now, six months on, the malware has turned into an infostealer that targets Microsoft Exchange servers to steal enterprise data.

Valak has now been spotted in active campaigns focusing on entities in the US and Germany. Earlier it used to be bundled with Ursnif and IcedID banking Trojan payloads. When it was first observed in the latter half of 2019, Valak was classified by cybersecurity researchers as a ‘malware loader’. The Cybereason Nocturnus team called Valak ‘sophisticated’.

The erstwhile malware loader has undergone a whole host of changes with over 20 revisions that have changed the malware from a loader to an independent threat.

The cybersecurity team at Cybereason Nocturnus said on Thursday that Valak is now an “information stealer” that targets “individuals and enterprises”.

How does it work?

Reports have it that after landing on a machine through a phishing attack via Microsoft documents with malicious macros, a .DLL file called U.tmp gets downloaded and saved to a temporary folder.

Then, a WinExec API call is made and JavaScript code is downloaded. This leads to the creation of connections to command-and-control (C2) servers. Additional files then get downloaded and decoded with Base64 and an XOR cipher. Then the main payload is deployed.
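The Base64-then-XOR layering described above is something an analyst routinely has to undo when triaging downloaded stages. The following is an added example, not code from the article or from the Cybereason report; it assumes a one-byte XOR key and uses a constructed sample blob, and the script-marker list is an assumption:

```python
import base64
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Assumed markers for a JScript/JavaScript stage; extend for the samples you triage.
SCRIPT_MARKERS = (b"var ", b"function", b"eval(", b"ActiveXObject")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a one-byte key is the common case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage(blob: str, key: bytes) -> bytes:
    """Undo the layering the article describes: Base64 on the outside, XOR underneath."""
    return xor_bytes(base64.b64decode(blob), key)


def is_pe(data: bytes) -> bool:
    """Check the MZ magic and follow e_lfanew to the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def looks_like_script(data: bytes) -> bool:
    """Mostly printable text that contains a script marker."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE) / len(data)
    return printable > 0.95 and any(m in data for m in SCRIPT_MARKERS)


def recover_single_byte_key(blob: str):
    """Brute-force a one-byte XOR key (an assumption for this example) and return
    (key, decoded) for the first candidate that is a PE or a script, else (None, b"")."""
    raw = base64.b64decode(blob)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if is_pe(candidate) or looks_like_script(candidate):
            return k, candidate
    return None, b""


# Constructed sample (not a real Valak artefact): a JScript stub encoded the same way.
SAMPLE_KEY = b"\x5a"
SAMPLE_PLAIN = b"var c2 = 'http://c2.example.invalid/'; function run() {}"
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)).decode("ascii")

if __name__ == "__main__":
    key, decoded = recover_single_byte_key(SAMPLE_BLOB)
    print(hex(key), decoded.decode())
```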

This is followed by registry keys and values being set and a “scheduled task is created to maintain persistence on an infected machine”. Valak then downloads and executes additional modules for reconnaissance and data theft.

The two main payloads of this malware, project.aspx and a.aspx, have different roles. Project.aspx manages registry keys, task scheduling for malicious activities and persistence, while a.aspx (called PluginHost.exe internally) is an “executable” that manages additional components.

Valak’s ‘ManagedPlugin’ module functions as a “system information grabber that harvests local and domain data”. It has an “Exchgrabber” function that aims to infiltrate Microsoft Exchange by “stealing credentials and domain certificates”. It also includes a geolocation verifier, a screenshot capturer and “Netrecon”, which is basically a network reconnaissance tool. Additionally, Valak scours infected machines for existing antivirus products.

The most recent Valak variants have been seen in attacks against Microsoft Exchange servers, in what can be called “enterprise-focused attacks”.

“Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise,” cyber security researchers said.

They added: “With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.”

Currently on version 24, Valak’s link with Ursnif and IcedID has not been entirely deciphered by the cybersecurity researchers. They suggest, however, that there might be personal ties and mutual trust in play between the groups, and that Valak’s code indicates “there may be links to the Russian-speaking underground community”.

First Published Date: 29 May, 09:25 IST