Initially, Valak malware was a loader, but lately it has turned into a full-fledged infostealer that attacks US and German companies. Researchers write that over the course of half a year Valak has received more than 20 updates.
To firmly gain a foothold in the infected system, the malware modifies the registry and creates a scheduled task. After that, Valak downloads and runs additional modules that are responsible for discovering and stealing data.
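The two-step persistence pattern described above (registry modification plus scheduled-task creation by the same process, followed by a download of further modules) is something a defender can correlate in endpoint telemetry. The following is an added example, not code from the report or from Valak itself; the event shapes, field names, registry path, task name and IP address are constructed for illustration.

```python
# Added example: correlate constructed endpoint events for the persistence
# pattern described in the text. Event layout and sample values are
# constructed, not taken from the report.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, process_id, event_type, detail)
SAMPLE_EVENTS = [
    ("2020-06-01T10:00:01", "ws01", 4120, "registry_set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("2020-06-01T10:00:04", "ws01", 4120, "task_created", r"\Microsoft\Windows\UpdateCheck"),
    ("2020-06-01T10:00:09", "ws01", 4120, "network_connect", "203.0.113.10:443"),
    ("2020-06-01T11:30:00", "ws02", 880, "registry_set", r"HKLM\Software\Vendor\Config\Theme"),
    ("2020-06-01T12:00:00", "ws02", 900, "task_created", r"\Backup\Nightly"),
]

PERSISTENCE_EVENTS = {"registry_set", "task_created"}


def find_persistence_chains(events, window_seconds=60):
    """Return one record per (host, pid) whose process both modified the registry
    and created a scheduled task within `window_seconds`. Each record also notes
    whether that process made a network connection afterwards, matching the
    follow-on module download the report describes."""
    by_proc = defaultdict(list)
    for ts, host, pid, etype, detail in events:
        by_proc[(host, pid)].append((datetime.fromisoformat(ts), etype, detail))

    window = timedelta(seconds=window_seconds)
    hits = []
    for (host, pid), evs in by_proc.items():
        evs.sort()  # chronological order per process
        persistence = [e for e in evs if e[1] in PERSISTENCE_EVENTS]
        if {e[1] for e in persistence} != PERSISTENCE_EVENTS:
            continue  # only one of the two mechanisms seen: not the full pattern
        first, last = persistence[0][0], persistence[-1][0]
        if last - first > window:
            continue  # too far apart to treat as one persistence setup
        followed_by_net = any(e[1] == "network_connect" and e[0] >= last for e in evs)
        hits.append({"host": host, "pid": pid, "followed_by_network": followed_by_net})
    return hits


if __name__ == "__main__":
    for hit in find_persistence_chains(SAMPLE_EVENTS):
        print(hit)
```

Only ws01 is flagged: ws02 shows the same two event types, but from different processes, so it never forms one chain.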
There are two main payloads (project.aspx and a.aspx) with different functions. The first manages registry keys, task scheduling and malicious activity; the second (internal name PluginHost.exe) is an executable that controls additional malware components.
The ManagedPlugin module has a variety of functions: it collects system information (local and domain data); it has an Exchgrabber function, whose purpose is to penetrate Microsoft Exchange by stealing credentials and domain certificates; it has a geolocation checker and a screenshot capture function; and it includes «Netrecon», a network reconnaissance tool.
The researchers say:
«Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise. With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large-scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.»