Multi-Stage Variant of Valak Malware Targets Enterprise Data

Hackers often plant their malicious programs on computers over multiple stages. The Valak Malware, previously classified as a malware loader, has become a multi-stage modular malware and has become way more sophisticated since its origin in late 2019.

Key findings

In May 2020, Cybereason researchers identified that Valak malware has undergone 30-plus updates in less than six months. Still, it shares infrastructure (like URIs similarities, downloaded files, or connected files, etc.) among almost all of its different versions.
  • Valak has now become a multi-stage modular malware. Valak was originally identified as a loader for other malware. But now it can also be used independently as an information stealer to target individuals and enterprises. The new version can also scour the infected machines for existing antivirus products. It can also collect plugins from its C2 server to expand its capabilities.
  • To improve their evasion techniques, the hackers have abandoned the open-source PowerShell downloader and transitioned to PluginHost as a means of managing and downloading additional payloads. The malware downloads JScript files and executes them.
  • The most recent Valak variants targeted administrators on enterprise networks and Microsoft Exchange servers to steal enterprise mailing information and credentials along with the enterprise certificate.

Observations from the past incident 

The phishing campaign lures uses in other malware indicidents that the authors of Valak are part of a Russian-speaking hacking group.
  • About 150 organizations in the financial, retail, manufacturing, and health care sectors have been targeted by the Valak malware since its inception in 2019.
  • In a majority of campaigns, it mainly attacked entities in the US and Germany. It was often paired up with Ursnif (aka. Gozi) and IcedID banking Trojan payloads.
  • The cybercriminals were observed launching phishing attacks to deploy the malware using Microsoft Word documents embedded with malicious macro code.

Worth noting

Overall, the malware appears to be the result of fastidious development and maintenance effort, and in the future, its modular design can be updated with more features to evade detection and more stealthy techniques.

Stay safe

Companies should enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education. Users should use a reputable anti-spyware or antivirus software to scan their computers. Do not open or click email attachments (or links in emails) received from unknown, suspicious, and irrelevant addresses.