Now Valak turned into an infostealer

Initially, Valak malware was a threat loader but lately, it has turned into a full infostealer program and attack US and German companies. Researchers write that over half of a year Valak has received more than 20 updates.
The malware spreads through phishing attacks via Microsoft Word documents with malicious macros. If the malware penetrated the system, a .DLL file with the name U.tmp is downloaded to the infected machine and saved in a temporary folder. Then the WinExec API call is made and the JavaScript code is loaded, establishing a connection with the management servers. After that, additional files are downloaded to the infected host, which are decoded using Base64 and XOR cipher, and the main payload is then deployed.

To absolutely gain a foothold in the infected system, the malware makes changes to the registry and creates a scheduled task. After that, Valak proceeds to download and run additional modules that are responsible for detecting and stealing data.

There are two main payloads (project.aspx и a.aspx) with different functions. The first manages registry keys, task scheduling, and malicious activity, and the second (internal name PluginHost.exe) is an executable file for controlling additional malware components.

The module ManagedPlugin has a variety of functions: collects system information (local and domain data); has an Exchgrabber function, the purpose of which is to penetrate Microsoft Exchange by stealing credentials and domain certificates; has a geolocation verifier and screenshot capture function; «Netrecon,» a network intelligence tool.

The researchers say:
«Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise. With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.»

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

Этот сайт использует Akismet для борьбы со спамом. Узнайте, как обрабатываются ваши данные комментариев.