Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:50 PM

Valak Malware Retasked to Steal Data from US, German Firms

Once considered a loader for other malware, Valak regularly conducts reconnaissance and steals information and credentials, new analysis shows.

Over the past six months, a surge of development activity on a malicious program known as Valak — traditionally used for loading other malware on compromised systems — has transformed the software into a tool for reconnaissance and the stealing of credentials and other sensitive information, according to new analysis by Cybereason.

The developers behind the malware have released more than 20 different versions in the past six months, turning the program into a multistage modular framework that can be upgraded with additional functionality through plug-ins. First discovered in late 2019, Valak focuses on administrators on enterprise networks and specifically targets Microsoft Exchange servers, says Assaf Dahan, head of threat research at Cybereason, a threat-protection firm.

"Valak's move to modules that are specifically targeted at enterprises and organizations shows us that the developers are moving away from targeting individuals and are more focused on compromising businesses," he says. "They are doing this on very rapid development cycles — every few days, they are uploading a new version."

While the software is not in widespread use at this point, its trajectory suggests it will become a standard tool for cybercriminals, Dahan says. The operators of Valak originally used the code to download other malware, such as Ursnif or IcedID, but Cybereason has found the relationship between the programs — and their groups — to be more complex, as those programs have also downloaded and installed Valak on other systems. 

The connection between the three programs suggests that Valak's operators may be part of the Russian cybercriminal underground, according to Cybereason's analysis.

"While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and mutual trust from underground communities," the report states. "Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community."

The operators behind Valak began by targeting organizations in Germany but have added targets in the US as well. The malware will continue to evolve as the criminals behind them expand their operations, said James McQuiggan, an evangelist for security-awareness firm KnowBe4, in a statement.

"Just like organizations providing a service or product, they are continually updating it to improve the technology or capabilities," he said. "Criminal groups are no different, as seen with Valak. In the past nine months, this malicious software has increased its functions to steal sensitive information and deploy additional malware."

The malware has extensive features for collecting credentials and seems to have a code-specific focus on Microsoft Exchange mail servers. By grabbing sensitive data, the attackers can gain access to the domain user privileges for internal mail services and the company's domain certificate, Cybereason warns in its report. 

"This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing," the company states. "It also shows that the intended target of this malware is first and foremost enterprises." 

Overall, the malware appears to be the result of significant development effort, and through its modular design can be updated with more features to evade detection and more capabilities for stealing data. Companies should make sure they have the processes and technologies in place to detect the attack, Cybereason's Dahan says.

"Valak is using very stealthy techniques that are not trivial, and antivirus will have trouble catching it," he says. "We are pretty good at predicting which malware is going to turn into a major threat, and we have reason to believe that Valak will become more prominent."

The malware often appears as a Microsoft Office document containing a malicious macro — a popular way for attackers to compromise systems, said security services firm EmberSec in a statement.

"Companies should continue to enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education," the company said.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.
PUBLISHED: 2021-05-14
A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
PUBLISHED: 2021-05-14
A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first c...