Valak Loader Turns Stealer, Targets Enterprise

Valak was originally discovered in late 2019. Although it was classified as a loader at the time, it has since evolved into a standalone stealer. Over the last several months, researchers at Cybereason have observed over 30 different versions of the malware. Recent versions of Valak have begun to target Microsoft Exchange servers in the United States and Germany to steal credentials and certificates. This new feature, along with a reconnaissance tool, is part of Valak's new modular plugin system. Valak phishing campaigns attach a malicious Word document whose macros download a DLL that is executed via regsvr32. The DLL then drops and executes a randomly named JavaScript file that communicates with the C2, writes its configuration to the registry and establishes persistence with a scheduled task.

Analyst Notes

Valak is designed for stealth: it takes advantage of the Windows registry, abuses features like Alternate Data Streams (ADS) and uses JavaScript rather than PowerShell. With proper endpoint monitoring, these events can be caught. Managed security services such as the Binary Defense Security Operations Center (SOC) provide 24/7 monitoring to quickly detect, contain and alert security teams to threats like these before they have the chance to spread too far.
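As an added illustration (not code from the original post or from Cybereason's research), the script below correlates process-creation events along the chain described above: an Office process launching regsvr32, regsvr32 leading to a script host running a .js file, and that script host writing the registry and creating a scheduled task, plus a check for Alternate Data Stream paths on the command line. The Sysmon-style events, file names and rule names are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real
# Valak telemetry): pid, parent pid, image name and command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",  "cmd": 'winword.exe "C:\\Users\\u\\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": "regsvr32.exe", "cmd": "regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\x.dll"},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",  "cmd": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\a8f3kq2z.js"},
    {"pid": 500, "ppid": 400, "image": "reg.exe",      "cmd": "reg.exe add HKCU\\Software\\Cfg /v data /t REG_BINARY /d 00ff"},
    {"pid": 600, "ppid": 400, "image": "schtasks.exe", "cmd": 'schtasks.exe /create /sc minute /mo 30 /tn Upd /tr "wscript.exe C:\\Users\\u\\AppData\\Roaming\\a8f3kq2z.js"'},
    {"pid": 700, "ppid": 100, "image": "wscript.exe",  "cmd": "wscript.exe C:\\Scripts\\backup.js"},  # benign admin script
    {"pid": 800, "ppid": 400, "image": "wscript.exe",  "cmd": "wscript.exe C:\\Users\\u\\AppData\\Roaming\\notes.txt:a8f3kq2z.js"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Drive path followed by an Alternate Data Stream name, e.g. C:\dir\f.txt:payload.js
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:\s"]+:[^\\:\s"]+')

def lineage(event, by_pid):
    """Return ancestor image names (lower-cased), nearest parent first."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent["image"].lower())
        parent = by_pid.get(parent["ppid"])
    return chain

def detect(events):
    """Return (pid, rule) pairs for each event matching a step of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd, chain = e["image"].lower(), e["cmd"].lower(), lineage(e, by_pid)
        parent = chain[0] if chain else ""
        if img == "regsvr32.exe" and parent in OFFICE:
            findings.append((e["pid"], "office_macro_spawns_regsvr32"))
        if img in SCRIPT_HOSTS and ".js" in cmd and "regsvr32.exe" in chain:
            findings.append((e["pid"], "regsvr32_launches_js"))
        if img == "reg.exe" and " add " in cmd and parent in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_writes_registry"))
        if img == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS:
            findings.append((e["pid"], "script_host_creates_scheduled_task"))
        if ADS_PATH.search(e["cmd"]):
            findings.append((e["pid"], "alternate_data_stream_path"))
    return findings
```

The benign wscript.exe launched directly from explorer.exe (pid 700) produces no finding, which is the point of keying the .js rule on regsvr32 appearing in the process lineage rather than on the script host alone.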