Original Release Date: 6/9/2020
Valak, a sophisticated malware family previously identified as a loader for the IcedID and Ursnif trojans, is now a multi-stage modular malware capable of stealing data on its own. Researchers at Cybereason examined approximately 30 different versions of the malware targeting enterprises in the US and Germany over the last six months. The most common attack vector was a phishing email carrying a Microsoft Word document with embedded malicious macros. The first stage of infection downloads a .DLL file named “U.tmp” and establishes connections to command and control (C2) servers, which deploy the main payload. The second stage drops a file named “project.aspx” and executes it via scheduled tasks for persistence. To avoid detection, Valak hides components in the registry and uses the NTFS Alternate Data Stream (ADS) feature. Valak is capable of geolocation, screen capture, infiltrating Microsoft Exchange servers, and capturing credentials and various domain certificates. Additionally, a malware module labeled “systeminfo” enables the threat actor to identify and target local and domain administrators.
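As an added example, not taken from the NJCCIC advisory or from Cybereason's research, the following Python script shows how a defender could triage host telemetry for the behaviours described above: creation of the two named files, a scheduled task whose action references one of them, and writes to an alternate data stream. The JSON event schema and the sample paths are constructed for the demonstration and do not correspond to any real product's log format.

```python
import json
import re

# File names quoted in the advisory: first-stage DLL and second-stage file.
ADVISORY_FILE_NAMES = {"u.tmp", "project.aspx"}

# A Windows path ending in "name:stream" (ADS); the drive-letter colon is
# excluded because a backslash must precede the file name.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*\\[^\\:]+:[^\\:]+$")

# Constructed sample telemetry in an assumed, simplified JSON schema:
# an "event" type plus a "path" (file events) or "command" (task events).
SAMPLE_EVENTS = [
    r'{"event": "FileCreate", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\U.tmp"}',
    r'{"event": "FileCreate", "path": "C:\\Users\\Public\\project.aspx"}',
    r'{"event": "FileCreate", "path": "C:\\Users\\Public\\notes.txt:hidden"}',
    r'{"event": "TaskCreate", "command": "C:\\Users\\Public\\project.aspx"}',
    r'{"event": "FileCreate", "path": "C:\\Windows\\Temp\\report.docx"}',
    r'{"event": "TaskCreate", "command": "C:\\Tools\\backup.exe /daily"}',
]

def basename(path):
    """Final path component, lower-cased, with any ':stream' suffix removed."""
    name = path.rsplit("\\", 1)[-1]
    return name.split(":", 1)[0].lower()

def check_event(event):
    """Return (rule, detail) findings for one parsed event."""
    findings = []
    kind = event.get("event")
    if kind == "FileCreate":
        path = event.get("path", "")
        if basename(path) in ADVISORY_FILE_NAMES:
            findings.append(("advisory_file_name", path))
        if ADS_PATH.match(path):
            findings.append(("alternate_data_stream", path))
    elif kind == "TaskCreate":
        command = event.get("command", "")
        if any(name in command.lower() for name in ADVISORY_FILE_NAMES):
            findings.append(("task_references_advisory_file", command))
    return findings

def analyze(lines):
    """Parse JSON log lines and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(event))
    return findings
```

Name-based matches are brittle, since a variant can rename its files, so the ADS write and the scheduled-task action pointing at a user-writable path are the more durable signals to alert on.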
The NJCCIC reminds users to avoid clicking on links, opening attachments, or enabling macros delivered via emails from unknown senders, and to exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. Additionally, we recommend that victims remove any infected devices from the network immediately upon discovery, scan for additional infected devices on the network, change passwords once the device has been cleaned, and enable multi-factor authentication where available. Technical details can be found in the Cybereason blog post, and indicators of compromise can be found here.