silversurfer
Classified initially as a malware loader, Valak has morphed into an information stealer that targets Microsoft Exchange servers to rob email login credentials and certificates from enterprises. Its original functionality remains, so it can still deliver other malware (banking trojans Ursnif and IcedID), but it now has plugins to run reconnaissance and steal sensitive info from the target.
Researchers at cybersecurity company Cybereason determined that the capabilities in the latest Valak samples include checking the geographical location of an infected machine, taking screenshots, downloading other payloads (plugins, malware), and infiltrating Microsoft Exchange servers.
Valak hides its payloads, command and control (C2) details and other components in the registry. In later stages of the attack, it taps into the cache to pick the tools it needs for various tasks.
Campaigns delivering Valak start with an email delivering a Microsoft Word document that has malicious macro code inside. The documents are created in the language of the target.
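Added example (not part of the post above, and not Cybereason's or anyone else's Valak tooling): since the post says Valak stashes its payloads and C2 details in the registry, one generic hunting approach is to export a hive (e.g. `reg export HKCU hkcu.reg` on the suspect host) and scan the export offline for values that look like embedded binaries rather than settings. The script below parses the .reg format and flags values that are both large and high-entropy, or that start with an MZ header. The key paths, thresholds and the sample export are constructed for illustration; they are not real Valak indicators.

```python
"""Offline hunt for oversized / high-entropy values in a .reg export.

Added example, not code from the original post. The registry paths, the
size/entropy thresholds and the sample data are assumptions for illustration.
"""
import math
import random
import re
from dataclasses import dataclass

# .reg exports: "[HKEY_...]" opens a key, then "Name"=type:data lines.
# Long hex payloads wrap onto continuation lines ending with a backslash.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')  # default "@=" values skipped


@dataclass
class RegValue:
    key: str
    name: str
    kind: str
    data: bytes


def _unwrap(lines):
    """Join backslash-continued .reg lines into single logical lines."""
    buf = ""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line.strip()
        buf = ""
    if buf:
        yield buf


def parse_reg(text):
    """Parse a .reg export into RegValue records (REG_SZ, REG_DWORD, hex types)."""
    current_key, values = None, []
    for line in _unwrap(text.splitlines()):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            values.append(RegValue(current_key, name, "REG_SZ", data[1:-1].encode("utf-8", "replace")))
        elif data.startswith("dword:"):
            values.append(RegValue(current_key, name, "REG_DWORD", bytes.fromhex(data[6:])))
        elif data.startswith("hex"):
            # "hex:" is REG_BINARY; "hex(N):" is another type exported as raw bytes.
            kind = "REG_BINARY" if data.startswith("hex:") else "hex(" + data[4:data.index(")")] + ")"
            raw = bytes.fromhex(data[data.index(":") + 1:].replace(",", ""))
            values.append(RegValue(current_key, name, kind, raw))
    return values


def shannon_entropy(data):
    """Bits per byte; settings and text sit well below 6, packed/encrypted blobs near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_values(values, min_size=1024, min_entropy=6.0):
    """Values big and random enough to hold code/config, or carrying a PE header."""
    hits = []
    for v in values:
        if len(v.data) >= min_size and shannon_entropy(v.data) >= min_entropy:
            hits.append(v)
        elif v.data[:2] == b"MZ":  # an executable header is never a legitimate setting
            hits.append(v)
    return hits


def build_sample():
    """Constructed .reg export (deterministic random blob), not a real capture."""
    rnd = random.Random(7)
    blob = bytes(rnd.getrandbits(8) for _ in range(2048))
    chunks = [blob[i:i + 25] for i in range(0, len(blob), 25)]
    body = ",\\\n  ".join(",".join(f"{b:02x}" for b in c) for c in chunks)
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\Contoso\\Settings]\n"   # hypothetical vendor key
        '"Theme"="dark"\n'
        '"Width"=dword:00000400\n\n'
        "[HKEY_CURRENT_USER\\Software\\Contoso\\Cache]\n"
        '"Blob"=hex:' + body + "\n"
        '"Stub"=hex:4d,5a,90,00\n'
    )


if __name__ == "__main__":
    for v in suspicious_values(parse_reg(build_sample())):
        print(f"{v.key}\\{v.name} {v.kind} {len(v.data)} bytes "
              f"entropy={shannon_entropy(v.data):.2f}")
```

Run it against a real export by replacing `build_sample()` with the file contents; tune `min_size` and `min_entropy` to the host, since some legitimate software does cache compressed data in the registry, so treat hits as leads for triage rather than verdicts.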