Valak malware steals credentials from Microsoft Exchange servers

silversurfer

Classified initially as a malware loader, Valak has morphed into an information stealer that targets Microsoft Exchange servers to rob email login credentials and certificates from enterprises. Its original functionality remains, so it can still deliver other malware (banking trojans Ursnif and IcedID), but it now has plugins to run reconnaissance and steal sensitive info from the target.

Researchers at cybersecurity company Cybereason determined that the capabilities in the latest Valak samples include checking the geographical location of an infected machine, taking screenshots, downloading other payloads (plugins, malware), and infiltrating Microsoft Exchange servers.

Valak hides its payloads, command and control (C2) details and other components in the registry. In later stages of the attack, it taps into the cache to pick the tools it needs for various tasks.
Campaigns delivering Valak start with an email delivering a Microsoft Word document that has malicious macro code inside. The documents are created in the language of the target.
 

struppigel


The recent Valak campaigns that I have observed have all been delivered via zipped email attachments that are password protected. The ZIP archive contains a Microsoft Word document that is weaponized with macros. The password is provided in the body of the email. This tactic serves a dual purpose for the threat actor as it enables some basic sandbox evasion, but also supports the social engineering pretext by building trust with the intended victim and appearing more secure.


Many analysts are likely to have access to the original email and thus can easily recover the password. However, in some cases analysts may encounter scenarios where they obtain the ZIP archive containing the maldoc, but do not have access to the email for a variety of reasons whether due to privacy limitations or simply sourcing issues from an online repository or similar. I found myself in this same spot earlier this week. I was working an investigation and had obtained the ZIP, but I could not access the email. I needed to get inside to get a peek at those sweet IOCs.
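The delivery chain described in the post above (a password-protected ZIP carrying a macro-enabled Word document, with the password written in the email body) can be flagged without the password at all, because ZIP headers are not encrypted: the entry names and the encryption flag are readable in the clear. The script below is an added example, not code from this thread or from any tool the posters mention. All function names (build_encrypted_zip, inspect_attachment, triage_message, build_sample_message), the extension list and the password-hint regex are my own assumptions, and the sample email and ZIP are constructed test data rather than a real lure.

```python
import io
import os
import re
import struct
import zipfile
from email.message import EmailMessage

# Office extensions that can carry VBA macros (assumed list, extend as needed).
OFFICE_MACRO_EXTS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".pptm"}
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the ZIP spec: entry is encrypted

# Phrases like "the password is 1234" or "Password: abc" in the message body (assumed pattern).
PASSWORD_HINT = re.compile(r"\bpass(?:word|code)?\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


def build_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Construct a minimal single-entry ZIP with the encryption flag set.

    The payload is not actually encrypted; only the header flag is set, which
    is all the detector looks at. Constructed test data, not a real sample.
    """
    fname = name.encode()
    data = b"\x00" * 12 + payload  # traditional PKWARE encryption prepends a 12-byte header
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ENCRYPTED_FLAG, 0, 0, 0x21,
                        0, len(data), len(payload), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, ENCRYPTED_FLAG, 0, 0, 0x21,
                          0, len(data), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(data)
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + data + central + end


def inspect_attachment(filename: str, blob: bytes) -> dict:
    """Report whether a ZIP attachment is password protected and whether it
    names Office documents, using only the central directory (no password needed)."""
    result = {"filename": filename, "is_zip": False, "encrypted": False, "office_docs": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except (zipfile.BadZipFile, ValueError, OSError):
        return result
    result["is_zip"] = True
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            result["encrypted"] = True
        if os.path.splitext(info.filename)[1].lower() in OFFICE_MACRO_EXTS:
            result["office_docs"].append(info.filename)
    return result


def triage_message(msg: EmailMessage) -> dict:
    """Combine the body password hint with attachment findings into one verdict."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    hint = PASSWORD_HINT.search(body_text)
    findings = [inspect_attachment(part.get_filename() or "", part.get_payload(decode=True))
                for part in msg.iter_attachments()]
    # The combination is the signal: an encrypted archive holding an Office
    # document, plus the password handed over in the same message.
    suspicious = hint is not None and any(f["encrypted"] and f["office_docs"] for f in findings)
    return {"password_in_body": hint.group(0) if hint else None,
            "attachments": findings, "suspicious": suspicious}


def build_sample_message() -> EmailMessage:
    """Constructed message resembling the delivery chain described in the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: document"
    msg.set_content("Please see attached. The password is 1234.\n")
    msg.add_attachment(build_encrypted_zip("invoice.doc", b"not a real document"),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg


if __name__ == "__main__":
    verdict = triage_message(build_sample_message())
    print(verdict)
```

For an analyst in the situation the post describes (archive in hand, no email), `inspect_attachment` alone still tells you that the archive is encrypted and what the entry is called, which is often enough to decide whether the sample is worth pursuing; the body check only applies when the carrier message is available.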
 

[correlate]

First noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include: