Valak Loader Revamped to Rob Microsoft Exchange Servers

Phishing campaigns targeting enterprises in U.S. and Germany have been used to nab enterprise mailing info, passwords and certificates.

Threat actors have revamped a popular malware loader into a stealthy infostealer that targets Microsoft Exchange servers to pilfer enterprise mailing information, passwords and enterprise certificates, researchers have found.

Security researchers from Cybereason Nocturnus have discovered Valak, a sophisticated loader previously used to deliver Ursnif and IcedID banking trojans, attached to phishing campaigns specifically targeting enterprises in the United States and Germany.

Valak was first observed as a loader in 2019 but has now gone through “a series of dramatic changes, an evolution of over 30 different versions in less than six months,” Cybereason Nocturnus researchers Eli Salem, Lior Rochberger and Assaf Dahan said in a report posted online Thursday.

“Although initially downloaded as a payload of other malware, in more recent appearances of Valak, the malware appears to come as a standalone unit in traditional phishing campaigns,” researchers wrote.

The new research demonstrates that now, “Valak is more than just a loader for other malware, and can also be used independently as an information-stealer to target individuals and enterprises,” they said.

Stealing Microsoft Exchange information can potentially give bad actors access to critical enterprise accounts, which has the downstream effect of causing financial or other damage to organizations, such as loss of customer trust and faith in a company’s brand or mission, researchers observed.

The new and improved Valak has a modular architecture with various plug-in components that can perform reconnaissance and info-stealing once they infiltrate a Microsoft Exchange server.

The malware is being used in a multi-stage attack that begins with users clicking on a Microsoft Word document—either in English or German, depending on the target—delivered via a phishing email. These documents are embedded with malicious macro codes that deliver a DLL file with .cab extension named “U.tmp,” which is saved into a temporary folder.

Once it is downloaded, the DLL uses “regsvr32.exe” to launch a WinExec API call that downloads JavaScript code, which establishes connections to command-and-control (C2) servers. The action also downloads more files, which are decoded using Base64 and an XOR cipher, to deliver basically two main payloads: Project.aspx and a.aspx.

Each payload has its unique function, researchers said. Project.aspx acts as a manager for registry keys, malicious-task scheduling and persistence on the server, they said.

The latter, which is renamed once it’s deployed as PluginHost.exe, unleashes a series of plug-ins that can perform various nefarious functions on Exchange Server, researchers wrote. These include network reconnaissance, theft of Microsoft Exchange data, infiltration of the enterprise mailing system, collection of information regarding the running processes of the infected machine and screenshot captures.

“Valak has at least six plugin components that enable attackers to obtain sensitive information from its victims,” researchers wrote.

The malware’s new architecture also includes improvements to payload obfuscation techniques, including the ability to hide components in the registry.

The latest version of the malware—which researchers said is version 24—shows attackers abandoning using PowerShell, which also makes Valak less apt to be detected and prevented by modern security products, researchers said.

While the Cybereason team observed Valak being used independently, the malware’s dramatic makeover seems to suggest that the threat actor or actors behind the revamped loader aren’t acting alone, researchers said. Rather, there is evidence of some collaboration “with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware,” they wrote.

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.

Suggested articles