In late 2019, a new strain of malware called “Valak” was detected. In the six months that followed its initial discovery in the wild, more than 30 variants of the code were detected.
Initially, Valak was classified as a simple loading program.
As various groups have tinkered with the code, it has morphed into a much more significant threat, and is now capable of stealing a wide range of user information. That is, in addition to retaining its original capabilities as a loader.
Researchers from Cybereason have cataloged the recent changes to the code. They found it to be capable of taking screenshots, installing other malicious payloads, and infiltrating Microsoft Exchange servers, which seems to be what it excels at.
Most Valak campaigns begin with an email blast that delivers a Microsoft Word document to unwitting recipients. These documents contain malicious macro codes, which is an old, time-tested strategy.
If anyone clicks on the document and enables macros, that action will trigger the installation of the malware. Chief among the executables run is a file called “PluginHost.exe,” which in turn, runs a number of files, depending on how the Valak software is configured. There are several possibilities here including: Systeminfo, IPGeo, Procinfo, Netrecon, Screencap, and Exchgrabber.
It is this last one that is used on Microsoft Exchange servers and is capable of infiltrating a company’s email system and stealing credentials.
It is the extreme modularity of the malware’s design that makes it a significant threat worth paying close attention to. Cybereason found more than 50 different command and control servers in the wild, each running a different strain of the software, and each with wildly different capabilities. However, they all share a common infrastructure and architecture.
Stay on the alert for this one. We’ll almost certainly be hearing more about it in the weeks and months ahead.