Valak re-tooled, now hits Microsoft Exchange servers - behaviour-change monitoring advised

News by Rene Millman

Valak malware, once used as a loader for other malware, has been retooled to steal sensitive data and credentials from enterprises, suggesting criminal collaboration and making a case for behaviour-change monitoring.

Security researchers have discovered that the Valak malware, once used as a loader for other malware, has been retooled to steal sensitive data and credentials from enterprises.

According to a blog post by Cybereason, the malware has been spotted aiming at Microsoft Exchange servers to pilfer credentials and certificates from German and US enterprises.

The malware was first seen at the back end of 2019 and classified as a loader, delivering other malware such as Ursnif (aka Gozi) and IcedID. Around 150 firms in the financial, retail, manufacturing and health care sectors have been targeted by the malware since its launch.

While its loading capabilities are still there, it has changed over the last few months with more than 30 different versions of the malware available to cybercriminals. One of those versions has been designed to penetrate Microsoft Exchange servers. An initial campaign sees hackers send an email with a Microsoft Word document to a potential victim. This contains malicious code created in the language of the target.

When opened, the malicious code installs a dynamic-link library (DLL) with a CAB file extension, named "U.tmp", which is saved in a temporary folder. Once executed, the DLL drops and launches the next stage through a WinExec API call. This stage of the Valak malware uses a malicious JavaScript file with a random name that changes on every execution.

It then makes calls to various C2 servers and downloads two encrypted files, "project.aspx" and "a.aspx", which serve distinct purposes. The former maintains persistence on the system and installs additional payloads. The latter is used to manage additional components. These components can carry out reconnaissance, verify geolocation details, and steal Microsoft Exchange data.
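As an added illustration of the behaviour-change monitoring the article advocates (this is editorial example code, not part of the original article or of Cybereason's research), the script below runs simple stage detectors over constructed endpoint telemetry for the chain just described: the "U.tmp" drop in a temp folder, a script host launching a randomly named .js file, and fetches of "project.aspx" or "a.aspx". The log format, host names, IP address and regex patterns are all assumptions; the point is that a host is only flagged when two or more stages correlate, because any single indicator (a request for some legitimate "a.aspx" page, say) is too weak on its own.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), one event per line: host|event_type|detail.
SAMPLE_EVENTS = """\
ws01|file_create|C:\\Users\\alice\\AppData\\Local\\Temp\\U.tmp
ws01|process_create|wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\k8f2q9zx1m.js
ws01|http_get|http://198.51.100.7/project.aspx
ws01|http_get|http://198.51.100.7/a.aspx
ws02|process_create|winword.exe C:\\Users\\bob\\Documents\\invoice.docx
ws02|http_get|http://intranet.example/reports/a.aspx
"""

# One detector per stage of the chain described in the article: (stage, event type, pattern).
# The patterns are the editor's assumptions drawn from the article, not vendor signatures.
STAGES = [
    ("dropper_u_tmp", "file_create", re.compile(r"\\temp\\u\.tmp$", re.I)),
    ("random_js_script", "process_create",
     re.compile(r"^[cw]script\.exe .*\\[a-z0-9]{8,}\.js$", re.I)),
    ("c2_fetch_aspx", "http_get", re.compile(r"/(project|a)\.aspx$", re.I)),
]


def parse_events(text):
    """Yield (host, event_type, detail) tuples from the pipe-delimited log text."""
    for line in text.splitlines():
        if line.strip():
            host, event_type, detail = line.split("|", 2)
            yield host, event_type, detail


def stages_per_host(text):
    """Map each host to the set of chain stages observed for it."""
    seen = defaultdict(set)
    for host, event_type, detail in parse_events(text):
        for name, wanted_type, pattern in STAGES:
            if event_type == wanted_type and pattern.search(detail):
                seen[host].add(name)
    return dict(seen)


def flag_hosts(text, min_stages=2):
    """Return hosts showing at least min_stages distinct stages (the correlation step)."""
    return sorted(h for h, st in stages_per_host(text).items() if len(st) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))  # flagged: ['ws01']
```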

“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware,” said researchers.

Paul Hague, founder and CEO of BlackDice, told SC Media UK that attacks are not only becoming more sophisticated, but that this clearly shows attackers are becoming quicker to respond in the cyber ‘cat and mouse’ game.

“Organisations really need to have monitoring solutions in place. Machines infected are certainly changing behaviour and that has to be monitored, but it’s after the fact. We really need to address the predictive side to this, some of the features are well known as is the infrastructure used, for example, C2 servers,” he said.

“Organisations need to understand threats, where they come from, and how they mature over time. If all you are doing is monitoring internally then all you are doing is trying to close the stable door once the horse has bolted. Monitoring the external environment for external indicators of potential compromise is the only way to build resilience; as with our current situation, we need a vaccine, not a cure.”

Bogdan Botezatu, director of Threat Research & Reporting at Bitdefender, told SC Media UK that it is important for an organisation not only to protect endpoints from compromise and prevent the leak of log-in data, but it is also important for companies to become aware of when employee information has made it on the web.

“Most cyber-security companies offer a service called "digital identity protection" that notifies users or employees when their e-mail address and other privately identifiable information (including passwords) are being transacted on the dark web. An early warning would help system administrators reset the credentials and minimise the vulnerability window for the compromised account,” he said.
