Valak Malware Retasked to Steal Data from US, German Firms

Once considered a loader for other malware, Valak regularly conducts reconnaissance and steals information and credentials, new analysis shows.

Over the past six months, a surge of development activity on a malicious program known as Valak — traditionally used for loading other malware on compromised systems — has transformed the software into a tool for reconnaissance and the stealing of credentials and other sensitive information, according to new analysis by Cybereason.
The developers behind the malware have released more than 20 different versions in the past six months, turning the program into a multistage modular framework that can be upgraded with additional functionality through plug-ins. First discovered in late 2019, Valak focuses on administrators on enterprise networks and specifically targets Microsoft Exchange servers, says Assaf Dahan, head of threat research at Cybereason, a threat-protection firm.
Valaks move to modules that are specifically targeted at enterprises and organizations shows us that the developers are moving away from targeting individuals and are more focused on compromising businesses, he says. They are doing this on very rapid development cycles — every few days, they are uploading a new version.
While the software is not in widespread use at this point, its trajectory suggests it will become a standard tool for cybercriminals, Dahan says. The operators of Valak originally used the code to download other malware, such as Ursnif or IcedID, but Cybereason has found the relationship between the programs — and their groups — to be more complex, as those programs have also downloaded and installed Valak on other systems.
The connection between the three programs suggests that Valaks operators may be part of the Russian cybercriminal underground, according to
Cybereasons analysis
.
While the nature of the partnership between each of these specific malware is not fully understood, we suspect it is based on personal ties and mutual trust from underground communities, the report states. Given the fact that both Ursnif and IcedID are considered to be part of the Russian-speaking E-Crime ecosystem, it is possible that the authors of Valak are also part of that Russian-speaking underground community.
The operators behind Valak began by targeting organizations in Germany but have added targets in the US as well. The malware will continue to evolve as the criminals behind them expand their operations, said James McQuiggan, an evangelist for security-awareness firm KnowBe4, in a statement.
Just like organizations providing a service or product, they are continually updating it to improve the technology or capabilities, he said. Criminal groups are no different, as seen with Valak. In the past nine months, this malicious software has increased its functions to steal sensitive information and deploy additional malware.
The malware has extensive features for collecting credentials and seems to have a code-specific focus on Microsoft Exchange mail servers. By grabbing sensitive data, the attackers can gain access to the domain user privileges for internal mail services and the companys domain certificate, Cybereason warns in its report.
This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing, the company states. It also shows that the intended target of this malware is first and foremost enterprises.
Overall, the malware appears to be the result of significant development effort, and through its modular design can be updated with more features to evade detection and more capabilities for stealing data. Companies should make sure they have the processes and technologies in place to detect the attack, Cybereasons Dahan says.
Valak is using very stealthy techniques that are not trivial, and antivirus will have trouble catching it, he says. We are pretty good at predicting which malware is going to turn into a major threat, and we have reason to believe that Valak will become more prominent.
The malware often appears as a Microsoft Office document containing a malicious macro — a popular way for attackers to compromise systems, said security services firm EmberSec in a statement.
Companies should continue to enforce security best practices, such as email filtering, email attachment analysis, and mandatory employee cybersecurity awareness education, the company said.
Related Content:
Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis
Telcos Become Richer Hacking Targets
US Indicts 7 Russian Intel Officers for Hacking Anti-Doping Organizations
Upping the Ante on Anti-Analysis
How Cybersecurity Incident Response Programs Work (and Why Some Dont)

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that really bad day in cybersecurity. Click for
more information and to register
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Valak Malware Retasked to Steal Data from US, German Firms