Researchers uncovered a sophisticated malware named “Valak” that targets Microsoft Exchange servers to steal enterprise network credentials, exfiltrate sensitive data, damage brand reputation, and more.
Valak was initially observed as a malware loader, and it has evolved aggressively: more than 30 different versions have appeared in the six months since the end of 2019.
The most recent version of Valak steals enterprise mailing information and passwords along with the enterprise certificate, and it specifically targets enterprises in the US and Germany.
The malware authors built this variant with sophisticated evasion techniques, such as hiding malicious components in ADS (alternate data streams) and in the registry, to evade detection by security software.
The malware can also be extended with a number of plugin components for reconnaissance and information stealing; it fetches these plugin modules from the C2 server to expand its capabilities.
The malware authors implemented the following features in Valak:
- Fileless stage – used to store the different components
- Reconnaissance – collects data, network information, and the number of infected hosts
- ScreenCapture – captures the infected machine's screen
- Download Payload – downloads additional plugins and other malware
- Infiltrates the Exchange Server – collects sensitive data from the Microsoft Exchange mail system
Malware Infection Process
The initial stage of infection starts with a Microsoft Word document containing embedded malicious macro code, which downloads a DLL file carrying a .cab extension.
Once that DLL has been downloaded successfully, another malicious DLL is dropped using “regsvr32.exe”.
The attack is multi-stage. In the first stage, the malware gains an initial foothold in the following way:
In the second stage, the malware attempts to fetch and execute secondary payloads for reconnaissance activity and to steal sensitive information.
Through plugin modules, the malware authors extend its capabilities; the researchers identified several different modules:
- Systeminfo: responsible for extensive reconnaissance; targets local and domain admins
- Exchgrabber: aims to steal Microsoft Exchange data and infiltrates the enterprise mail system
- IPGeo: verifies the geolocation of the target
- Procinfo: collects information about the infected machine’s running processes
- Netrecon: performs network reconnaissance
- Screencap: captures screenshots from the infected machine
These modules gather information about the user and attempt to verify whether this is a local admin or a domain admin.
“This shows that after infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher-profile accounts such as enterprise admins.” Cybereason said.
Researchers also believe that the actors behind this malware are teaming up with other threat actors to create an even more dangerous piece of malware.