Over the past six months, a surge of development activity on a malicious program known as Valak — traditionally used for loading other malware on compromised systems — has transformed the software into a tool for reconnaissance and the stealing of credentials and other sensitive information, according to new analysis by Cybereason.
The developers behind the malware have released more than 20 different versions in the past six months, turning the program into a multistage modular framework that can be upgraded with additional functionality through plug-ins. First discovered in late 2019, Valak focuses on administrators on enterprise networks and specifically targets Microsoft Exchange servers, says Assaf Dahan, head of threat research at Cybereason, a threat-protection firm.
"Valak's move to modules that are specifically targeted at enterprises and organizations shows us that the developers are moving away from targeting individuals and are more focused on compromising businesses," he says. "They are doing this on very rapid development cycles — every few days, they are uploading a new version."
While the software is not in widespread use at this point, its trajectory suggests it will become a standard tool for cybercriminals, Dahan says. The operators of Valak originally used the code to download other malware, such as Ursnif or IcedID, but Cybereason has found the relationship between the programs — and their groups — to be more complex, as those programs have also downloaded and installed Valak on other systems.
The connection between the three programs suggests that Valak's operators may be part of the Russian cybercriminal underground, according to Cybereason's analysis.
"While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and mutual trust from underground communities," the report states. "Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community."
The operators behind Valak began by targeting organizations in Germany but have added targets in the US as well. The malware will continue to evolve as the criminals behind them expand their operations, said James McQuiggan, an evangelist for security-awareness firm KnowBe4, in a statement.
"Just like organizations providing a service or product, they are continually updating it to improve the technology or capabilities," he said. "Criminal groups are no different, as seen with Valak. In the past nine months, this malicious software has increased its functions to steal sensitive information and deploy additional malware."
The malware has extensive features for collecting credentials and seems to have a code-specific focus on Microsoft Exchange mail servers. By grabbing sensitive data, the attackers can gain access to the domain user privileges for internal mail services and the company's domain certificate, Cybereason warns in its report.
"This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing," the company states. "It also shows that the intended target of this malware is first and foremost enterprises."
Overall, the malware appears to be the result of significant development effort, and through its modular design can be updated with more features to evade detection and more capabilities for stealing data. Companies should make sure they have the processes and technologies in place to detect the attack, Cybereason's Dahan says.
"Valak is using very stealthy techniques that are not trivial, and antivirus will have trouble catching it," he says. "We are pretty good at predicting which malware is going to turn into a major threat, and we have reason to believe that Valak will become more prominent."
The malware often appears as a Microsoft Office document containing a malicious macro — a popular way for attackers to compromise systems, said security services firm EmberSec in a statement.
"Companies should continue to enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education," the company said.