Valak malware steals credentials from Microsoft Exchange servers

silversurfer

Classified initially as a malware loader, Valak has morphed into an information stealer that targets Microsoft Exchange servers to steal email login credentials and certificates from enterprises. Its original functionality remains, so it can still deliver other malware (the banking trojans Ursnif and IcedID), but it now has plugins to run reconnaissance and steal sensitive information from the target.

Researchers at cybersecurity company Cybereason determined that the capabilities in the latest Valak samples include checking the geographical location of an infected machine, taking screenshots, downloading other payloads (plugins, malware), and infiltrating Microsoft Exchange servers.

Valak hides its payloads, command and control (C2) details and other components in the registry. In later stages of the attack, it reads this cache back to pick the tools it needs for various tasks.

Campaigns delivering Valak start with an email carrying a Microsoft Word document that has malicious macro code inside. The documents are created in the language of the target.

The recent Valak campaigns that I have observed have all been delivered via zipped email attachments that are password protected. The ZIP archive contains a Microsoft Word document that is weaponized with macros. The password is provided in the body of the email. This tactic serves a dual purpose for the threat actor as it enables some basic sandbox evasion, but also supports the social engineering pretext by building trust with the intended victim and appearing more secure.
Many analysts are likely to have access to the original email and thus can easily recover the password. However, in some cases analysts may encounter scenarios where they obtain the ZIP archive containing the maldoc but do not have access to the email, for a variety of reasons, whether due to privacy limitations or simply sourcing issues from an online repository or similar. I found myself in this same spot earlier this week. I was working an investigation and had obtained the ZIP, but I could not access the email. I needed to get inside to get a peek at those sweet IOCs.

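As an added, defender-side example that is not part of the original post or of the quoted analyst's write-up: a small Python check that flags a message in the shape described above, an attachment that is a ZIP with encrypted entries plus a password handed over in the mail body, run against a constructed sample message. The password phrasing in the regex, the attachment names and the sample bytes are assumptions, not values from any real campaign.

```python
import email, io, re, struct, zipfile
from email import policy
from email.message import EmailMessage

# Body text that hands the archive password to the recipient, as in the lure above.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)

def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets general-purpose flag bit 0 (the encryption bit)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def score_message(raw: bytes) -> dict:
    """Flag a message carrying an encrypted ZIP plus a password in its body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    encrypted_zips = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".zip")
        and zip_has_encrypted_entries(part.get_payload(decode=True))
    ]
    hint = bool(PASSWORD_HINT.search(text))
    return {"encrypted_zips": encrypted_zips, "password_in_body": hint,
            "suspicious": bool(encrypted_zips) and hint}

def make_encrypted_looking_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: the stdlib cannot write encrypted archives, so build
    a stored ZIP and set the encryption flag in the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # flag-field offsets
        pos = data.find(sig)
        flags = struct.unpack_from("<H", data, pos + off)[0] | 0x1
        struct.pack_into("<H", data, pos + off, flags)
    return bytes(data)

def build_sample_email() -> bytes:
    """Constructed lure with a placeholder payload, not a real campaign sample."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document. The password is 777.")
    msg.add_attachment(make_encrypted_looking_zip("invoice.doc", b"not a real document"),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Only the ZIP header flag is inspected, so the check never needs the password itself; a mail gateway rule built on the same two signals (encrypted archive plus password in the body) catches this delivery pattern regardless of the document inside.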
First noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include: