Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:50 PM

Valak Malware Retasked to Steal Data from US, German Firms

Once considered a loader for other malware, Valak regularly conducts reconnaissance and steals information and credentials, new analysis shows.

Over the past six months, a surge of development activity on a malicious program known as Valak — traditionally used for loading other malware on compromised systems — has transformed the software into a tool for reconnaissance and the stealing of credentials and other sensitive information, according to new analysis by Cybereason.

The developers behind the malware have released more than 20 different versions in the past six months, turning the program into a multistage modular framework that can be upgraded with additional functionality through plug-ins. First discovered in late 2019, Valak focuses on administrators on enterprise networks and specifically targets Microsoft Exchange servers, says Assaf Dahan, head of threat research at Cybereason, a threat-protection firm.

"Valak's move to modules that are specifically targeted at enterprises and organizations shows us that the developers are moving away from targeting individuals and are more focused on compromising businesses," he says. "They are doing this on very rapid development cycles — every few days, they are uploading a new version."

While the software is not in widespread use at this point, its trajectory suggests it will become a standard tool for cybercriminals, Dahan says. The operators of Valak originally used the code to download other malware, such as Ursnif or IcedID, but Cybereason has found the relationship between the programs — and their groups — to be more complex, as those programs have also downloaded and installed Valak on other systems. 

The connection between the three programs suggests that Valak's operators may be part of the Russian cybercriminal underground, according to Cybereason's analysis.

"While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and mutual trust from underground communities," the report states. "Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community."

The operators behind Valak began by targeting organizations in Germany but have added targets in the US as well. The malware will continue to evolve as the criminals behind them expand their operations, said James McQuiggan, an evangelist for security-awareness firm KnowBe4, in a statement.

"Just like organizations providing a service or product, they are continually updating it to improve the technology or capabilities," he said. "Criminal groups are no different, as seen with Valak. In the past nine months, this malicious software has increased its functions to steal sensitive information and deploy additional malware."

The malware has extensive features for collecting credentials and seems to have a code-specific focus on Microsoft Exchange mail servers. By grabbing sensitive data, the attackers can gain access to the domain user privileges for internal mail services and the company's domain certificate, Cybereason warns in its report. 

"This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing," the company states. "It also shows that the intended target of this malware is first and foremost enterprises." 

Overall, the malware appears to be the result of significant development effort, and through its modular design can be updated with more features to evade detection and more capabilities for stealing data. Companies should make sure they have the processes and technologies in place to detect the attack, Cybereason's Dahan says.

"Valak is using very stealthy techniques that are not trivial, and antivirus will have trouble catching it," he says. "We are pretty good at predicting which malware is going to turn into a major threat, and we have reason to believe that Valak will become more prominent."

The malware often appears as a Microsoft Office document containing a malicious macro — a popular way for attackers to compromise systems, said security services firm EmberSec in a statement.

"Companies should continue to enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education," the company said.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.