Threat actors tend to deliver their malicious programs onto computers in multiple stages. Valak, previously classified as a malware loader, has grown into a multi-stage modular malware and has evolved considerably since it first appeared in 2019.
Earlier this year, researchers found that Valak had received more than 30 updates in fewer than six months. Despite this churn, its variants share infrastructure: similar URIs, the same downloaded files and the same connected files, among other common elements.
Valak was originally identified as a loader for other malware, but it can now also operate on its own as an information stealer targeting individuals and enterprises. The newer version checks the infected device for installed antivirus products, and it can fetch plugins from its C2 server to extend its capabilities. In a change that considerably improved its evasiveness, the operators abandoned the earlier PowerShell-based downloaders in favour of a component called PluginHost for managing and downloading additional payloads. The malware downloads JScript files and executes them.
The most recent Valak variant has targeted administrators of Microsoft Exchange servers and enterprise networks in order to steal enterprise mail data and credentials along with the enterprise certificate.
The Valak Nightmare
The operators of Valak lure their victims through phishing campaigns. Some observations from these campaigns:
- Since its emergence in 2019, Valak has targeted more than 150 organizations across the financial, retail, manufacturing and health care sectors.
- In most campaigns the malware was paired with the Ursnif (aka Gozi) and IcedID banking Trojan payloads, targeting organizations in the United States and Germany.
- The phishing emails carried Microsoft Word documents embedded with malicious macro code.
Valak is the product of meticulous development and sustained maintenance, and it is likely to grow into a more sophisticated and stealthier threat.
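Because the initial access in these campaigns is a macro-bearing Word attachment, a practical mail-gateway or triage check is to inspect attachments by content rather than by extension. The following Python script is an added example written for this article, not code from the Valak samples or from eScan; it builds two constructed, harmless OOXML documents in memory (one plain, one carrying a `word/vbaProject.bin` part and macro-enabled content types) and flags the one that contains a VBA project. The sample file contents and function names are assumptions for illustration; legacy binary `.doc` (OLE2) files are not ZIP containers and are reported separately so they can be handed to a dedicated OLE parser.

```python
import io
import zipfile

# Constructed sample package manifests, not real phishing attachments.
CONTENT_TYPES_PLAIN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""


def build_docx(content_types, with_vba):
    """Build a minimal in-memory OOXML document (constructed test data).
    When with_vba is True, an OLE-header stub stands in for a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Real vbaProject.bin parts are OLE2 compound files; this stub only
            # reproduces the magic bytes so the package layout is realistic.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def office_macro_indicators(data):
    """Return a list of indicators that an OOXML file carries VBA macros.

    Checks the package by content, so a renamed extension does not hide the
    macro. An empty list means no macro evidence was found. Non-ZIP input
    (legacy .doc/.xls or a corrupt file) yields the single indicator
    'not_ooxml' so the caller can route it to an OLE2-aware scanner."""
    indicators = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # 1. A vbaProject.bin part anywhere in the package (Word, Excel, PowerPoint).
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    indicators.append(f"vba_part:{name}")
            # 2. Macro-enabled content types declared in the package manifest.
            if "[Content_Types].xml" in names:
                manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in manifest:
                    indicators.append("content_type:macroEnabled")
                if "vnd.ms-office.vbaProject" in manifest:
                    indicators.append("content_type:vbaProject")
    except zipfile.BadZipFile:
        indicators.append("not_ooxml")
    return indicators


def is_macro_document(data):
    """True when the file carries any positive VBA indicator."""
    return any(i.startswith(("vba_part", "content_type"))
               for i in office_macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("plain", build_docx(CONTENT_TYPES_PLAIN, False)),
                       ("macro", build_docx(CONTENT_TYPES_MACRO, True))):
        print(label, is_macro_document(doc), office_macro_indicators(doc))
```

The check is deliberately structural: it does not try to decide whether the macro is malicious, only whether one is present, which is the decision most organizations can act on at the gateway (quarantine, strip, or require user confirmation). For deeper analysis of the VBA itself, a dedicated tool such as oletools' olevba is the usual next step.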
Staying Protected
Organizations should put stringent cybersecurity policies in place and make cybersecurity awareness training mandatory. They should also use a reputable antivirus solution such as eScan to protect their computing devices. Basic cybersecurity hygiene should be part of every employee's daily routine.
To read more, please check eScan Blog