Valak is an info-stealer malware that has been active since late-2019; however, its activities have amplified recently.

What researchers found?

Being ranked as the 9th most prevalent malware in September 2020, Check Point researchers have reported a sharp rise in the Valak laden cyber attack.
  • The latest versions of this malware targets Microsoft Exchange servers.
  • The cybercriminals specifically hunt down enterprise mailing information, passwords, and enterprise certificates during the attack.
  • Valak becomes a first-time new entrant in the list of the top ten malware that includes the likes of Emotet, Trickbot, Dridex, Agent Tesla, and XMRig.

Additional insight

The top vulnerabilities exploited by the malware include:
  • MVPower DVR Remote Code Execution vulnerability
  • Dasan GPON Router Authentication Bypass (CVE-2018-10561)
  • OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346).

Previously in action

Last month, the malware operators were found spreading the infection via malspam campaigns, including malicious .doc files.
  • In June 2020, authors of Valak added a new clientgrabber plugin, which could perform the task of stealing email credentials from the registry of the compromised system.
  • In the same month, a Valak campaign was found using document files that contacted PHP delivery proxies to pull down and execute the initial DLL payload.


Cybercriminals are regularly updating their malware with new abilities and features to stay ahead in their game. Therefore, experts recommend deploying anti-malware solutions to prevent and stop such malware. In addition to this, users should stay alert while opening emails or clicking on links.

Cyware Publisher