Valak Malware Continues To Evolve - Now Targets Outlook Login Credentials

Valak, a multi-stage script-based malware of Russian origin, has been developed at an accelerated rate, with more than 30 variants being identified in six months. The malware developers have recently added new updates, making it a more dreadful threat.

Executive summary

Valak malware can hijack email replies and embed malicious URLs or attachments to infect devices with file-less scripts.
  • In June 2020, SentinelOne Labs discovered a new module named “clientgrabber”, specifically built for stealing email credentials from the registry of a compromised machine. It also checks for passwords in registry locations related to Microsoft’s Outlook client.
  • SentinelOne Labs also discovered a plugin named 'exchgrabber' or exchange grabber which enumerates credentials from the Credential Manager, searching Office related credentials.
  • Threat actors harvest emails and use them in ‘Reply Chain Attacks’ to further sneak a malicious message into an email thread to deliver malware.

Valak-Gozi Connection

The Valak malware is connected to Gozi malware to an extent that the overlapping campaign structure led sandbox analysis solutions to misidentify Valak for Gozi due to the similar URL structure.

Campaigns by Gozi malware

The Valak malware was paired with Gozi (aka Ursnif) and IcedID in multiple campaigns primarily targeting the US and Germany.
  • In April 2020, a new variant of Gozi malware targeted multiple industries across Italy and Europe through a malspam campaign adopting new techniques to avoid detection.
  • Also in April 2020, Gozi malware was observed using a new multistage payload distribution technique and shifted from PowerShell to ‘Mshta’ malware to bypass security defenses.

Stay safe

Users should use a reliable anti-malware program to delete or stop the malware from the infected system. Do not install any software through third-party downloaders, installers, from unofficial websites, torrent clients, free file hosting pages, and other such channels.  Do not open emails from the unknown, suspicious addresses.