
A malware called Valak is targeting Microsoft Exchange servers to steal enterprise data: How it works

Valak has evolved over the past six months and is no longer just a loader for other threats: it is now a standalone threat in its own right.

When it was first observed in the latter half of 2019, Valak was classified by cybersecurity researchers as a ‘malware loader’. The Cybereason Nocturnus team called Valak ‘sophisticated’. (Pixabay)

When we first heard about Valak, it was a loader for other threats. Now, six months on, the malware has turned into an infostealer that targets Microsoft Exchange servers to steal enterprise data.

Valak has now been spotted in active campaigns focusing on entities in the US and Germany. Earlier, it was bundled with the Ursnif and IcedID banking Trojan payloads. When it was first observed in the latter half of 2019, Valak was classified by cybersecurity researchers as a ‘malware loader’; the Cybereason Nocturnus team called it ‘sophisticated’.

The former malware loader has gone through more than 20 revisions, which have turned it from a loader into an independent threat.

The cybersecurity team at Cybereason Nocturnus said on Thursday that Valak is now an “information stealer” that targets “individuals and enterprises”.

How does it work?

According to the researchers, after landing on a machine through a phishing attack that uses Microsoft Office documents with malicious macros, a .DLL file called U.tmp is downloaded and saved in a temporary folder.

Then a WinExec API call is made and a JavaScript file is downloaded, which establishes connections to command-and-control (C2) servers. Additional files are then downloaded and decoded with Base64 and an XOR cipher before the main payload is deployed.

This is followed by registry keys and values being set and a “scheduled task is created to maintain persistence on an infected machine”. Valak then downloads and executes additional modules for reconnaissance and data theft.

The malware’s two main payloads, project.aspx and a.aspx, have different roles. Project.aspx manages registry keys, task scheduling for malicious activities and persistence, while a.aspx (called PluginHost.exe internally) is an “executable” that manages additional components.

Valak’s ‘ManagedPlugin’ module functions as a “system information grabber that harvests local and domain data”. It has an “Exchgrabber” function that aims to infiltrate Microsoft Exchange by “stealing credentials and domain certificates”. It also includes a geolocation verifier, a screenshot capturer and “Netrecon”, a network reconnaissance tool. Additionally, Valak scours infected machines for installed antivirus products.
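The infection chain described above, as an added example that is not code from the article or from Cybereason: a Python script with (a) a decoder for the Base64-then-XOR layering the article attributes to Valak’s staged downloads, including recovery of a repeating XOR key from a few bytes of known plaintext, and (b) a small detector that walks constructed Sysmon-style events looking for the chain’s observable stages. Only the U.tmp DLL in a temp folder, the JavaScript stage, the Base64/XOR decoding and the registry-plus-scheduled-task persistence come from the article; the process names (regsvr32.exe, wscript.exe, schtasks.exe), the Run key, the task name and every event below are assumptions constructed for illustration.

```python
"""Added example: stage decoder and chain detector for a Valak-style infection.

Not code from the article or from Cybereason. The Base64-then-XOR layering,
the U.tmp DLL in a temp folder, the JavaScript stage, the registry keys and the
scheduled task come from the article; every process name, path, key name and
event below is a constructed assumption for illustration.
"""
import base64
import re
from itertools import cycle

# --- 1. Staged payload decoding -------------------------------------------
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encode_stage(plaintext: bytes, key: bytes) -> str:
    """Apply the layers in the order a packer would: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")

def decode_stage(blob: str, key: bytes) -> bytes:
    """Undo them in the order the article gives: Base64 decode, then XOR."""
    return xor_bytes(base64.b64decode(blob), key)

def recover_key(blob: str, known_prefix: bytes, key_len: int) -> bytes:
    """A repeating XOR key leaks from key_len bytes of known plaintext, e.g. the
    b'MZ' header of a DLL or a b'var ' at the top of a JScript stage."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    raw = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(raw[:key_len], known_prefix[:key_len]))

# --- 2. Hunting the chain in endpoint telemetry ---------------------------
# Constructed Sysmon-style events (id 1 = process create, 11 = file create,
# 13 = registry value set). Not real telemetry; paths and names are assumed.
CHAIN_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",  # assumed DLL loader
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\U.tmp"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"wscript.exe //E:jscript C:\Users\alice\AppData\Local\Temp\stage.js"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Updater /tr "wscript.exe //E:jscript C:\Users\alice\AppData\Local\Temp\stage.js"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
BENIGN_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\report.docx"},
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
DLL_LOADER = re.compile(r"\\(regsvr32|rundll32)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
TEMP_TMP = re.compile(r"\\temp\\[^\\\s]+\.tmp\b", re.I)   # a .tmp file inside a Temp folder

# Each observable stage of the chain as a predicate over one normalised event.
INDICATORS = {
    "office_drops_tmp":     lambda e: e["id"] == 11 and OFFICE.search(e["image"]) and TEMP_TMP.search(e["target"]),
    "office_spawns_child":  lambda e: e["id"] == 1 and OFFICE.search(e["parent"]),
    "loader_runs_temp_dll": lambda e: e["id"] == 1 and DLL_LOADER.search(e["image"]) and TEMP_TMP.search(e["cmdline"]),
    "script_host_js":       lambda e: e["id"] == 1 and SCRIPT_HOST.search(e["image"]) and re.search(r"\.js\b", e["cmdline"], re.I),
    "schtasks_create":      lambda e: e["id"] == 1 and "schtasks" in e["image"].lower() and "/create" in e["cmdline"].lower(),
    "run_key_set":          lambda e: e["id"] == 13 and "\\currentversion\\run\\" in e["target"].lower(),
}

def detect_chain(events) -> list:
    """Return the sorted names of chain stages observed in the event stream."""
    hits = set()
    for raw in events:
        e = {"image": "", "parent": "", "cmdline": "", "target": "", **raw}
        hits.update(name for name, match in INDICATORS.items() if match(e))
    return sorted(hits)

def verdict(events, min_stages: int = 3):
    """One stage on its own (an Office child process, say) is everyday noise;
    alert only when several distinct stages of the chain line up on a host."""
    hits = detect_chain(events)
    return ("suspicious" if len(hits) >= min_stages else "clean"), hits

if __name__ == "__main__":
    key = b"\x5a\x13\x77"
    blob = encode_stage(b"var c2 = 'http://example.invalid/';", key)
    print(recover_key(blob, b"var ", len(key)) == key, decode_stage(blob, key))
    print(verdict(CHAIN_EVENTS + BENIGN_EVENTS))
```

The decoder is deliberately order-sensitive: Base64 is removed before the XOR because the article lists the layers in that order, and a repeating XOR key of length n falls out of the first n bytes of any stage whose plaintext header is predictable. The detector scores stages rather than single events, since an Office process spawning a child or a schtasks /create on its own is routine; raise or lower min_stages to taste, and extend the regexes if your telemetry names the loader differently from the regsvr32.exe assumed here.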

The most recent Valak variants have been spotted in cases against Microsoft Exchange servers in what can be called “enterprise-focused attacks”.

“Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise,” the cybersecurity researchers said.

They added: “With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.”

Valak is currently on version 24, and its link with Ursnif and IcedID has not been fully deciphered by the cybersecurity researchers. They suggest, however, that there may be personal ties and mutual trust in play between the operators, and that Valak’s code indicates “there may be links to the Russian-speaking underground community”.