Redesigned for stealth and adaptability, data-stealing Valak malware targets Microsoft Exchange Server in enterprises

Valak malware, once classified as a loader for other malware, has been reconfigured to steal sensitive information and login credentials.

That's according to researchers from cyber security firm Cybereason, who say they have observed Valak malware targeting Microsoft Exchange servers to steal credentials and certificates from US and German enterprises.

Valak was first observed in late 2019, and at that time, it was classified as a malware loader by security researchers. At that stage its purpose was to deliver other malware, such as the banking Trojans IcedID and Ursnif.

While the original functionality of Valak still exists, the malware has undergone massive transformation in recent months, with more than 20 versions of the malicious programme now available for hackers to deploy. The redesigned malware is designed for stealth, for example removing the earlier dependency on PowerShell in favour of storing elements in the registry which is harder to detect.

The programme has been transformed into a multistage modular framework with additional functionality offered through multiple plug-ins.

It can check the geographical location of a compromised system, take screenshots, and download other payloads.

A recent version of Valak has been designed to infiltrate Microsoft Exchange servers. The researchers warn that level of access could result in more disruptive attacks involving ransomware.

Hackers start their campaign by first sending an email with a Microsoft Word document to a potential target. The document that contains a malicious macro code (a .DLL file) is usually created in the local language of the target.

To achieve persistence, the malware schedules a task to run Windows Script Host and execute JavaScript stored as an Alternate Data Stream.

The second stage involves downloading more modules and exploring the environment to find sensitive data on the infected machine which can then be exfiltrated using specialised plugins.

The researchers said they have observed Valak being used in active campaigns targeting businesses in the US and Germany.

Attacks on Exchange Server are made easier by the fact that many admins fail to update their instances with the latest patches.

In April, researchers from cyber security firm Rapid7 warned that more than 80 per cent of the Microsoft Exchange Servers exposed on the internet were vulnerable to the CVE-2020-0688 remote code execution bug that was patched by Microsoft in February 2020.

The researchers said they discovered more than 31,000 Exchange 2010 servers that had not received any update since 2012. They also found nearly 800 Exchange 2010 servers that had never been updated by IT admins and many which were unsupported by Microsoft.

Comments are closed.