A new and deadlier version of a familiar malware: first discovered in 2019 and classified as a sophisticated piece of malware, Valak was considered a malware loader, a program used to load other malware onto compromised systems.
While that was dangerous enough, recent research has found that newer versions of Valak are being used to conduct reconnaissance and steal credentials and other sensitive information, making it an enterprise's worst nightmare.
An independent threat in its own right, Valak has been observed in active campaigns focused on enterprises in the United States and Germany. It targets Microsoft Exchange servers to steal passwords and enterprise certificates. This is a serious threat, as it could cause enterprises to lose access to critical accounts and suffer major organizational damage.
The new and advanced Valak
The campaign usually spreads through Microsoft Word documents embedded with malicious macros. These macros download a .dll file which, when launched, performs a range of malicious activity. It executes its malicious payload on the affected systems and networks through JavaScript while gathering information and conducting further reconnaissance. This reconnaissance collects details such as how long the machine has been running, the version of Windows currently installed, etc. All of this information is then exfiltrated to a remote domain. Through the extraction of sensitive data, the attacker is also able to access the domain user's internal email services and identify domain administrators.
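Because the chain starts with a macro-bearing Word document, a defender's first screening step is to check mail attachments for an embedded VBA project before they reach a user. The following is an added example written for this article, not code from the campaign or from any vendor product; it inspects the OOXML package contents rather than trusting the file extension, flags legacy binary .doc containers for a separate OLE-aware check, and builds its own constructed sample documents for testing.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc) container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_file(data: bytes) -> str:
    """Return 'legacy-ole', 'macro', 'no-macro' or 'not-office' for a file's bytes.

    Keys on package contents, never on the file extension, so a lure renamed
    to .docx is still classified by what it actually carries.
    """
    if data.startswith(OLE_MAGIC):
        # Pre-2007 binary .doc: macros live inside an OLE storage; hand it to
        # an OLE-aware parser (e.g. oletools) rather than this zip-based check.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    # Two independent signals: the VBA project part itself, or the package
    # declaring the vbaProject content type for any part.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    declares_vba = VBA_CONTENT_TYPE in ctypes
    return "macro" if (has_vba_part or declares_vba) else "no-macro"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real Valak lure."""
    types = ['<?xml version="1.0"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Override PartName="/word/document.xml" ContentType="application/vnd.'
             'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        types.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "".join(types))
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()
```

A "macro" verdict only says a VBA project is present; deciding whether it is malicious still needs sandboxing or macro analysis, but quarantining macro-bearing attachments from external senders removes this delivery path outright.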
What makes Valak so dangerous for an enterprise?
Ruthless evolution
While the original Valak malware was discovered in 2019, the most recent version has gone through over 30 different updates. It started as a malware loader and has now become an independent threat in its own right. This ruthless evolution indicates that the perpetrators of this campaign are continuously updating the malware to make it more dangerous.
Focus on Microsoft Exchange servers
Valak's relentless focus on Microsoft Exchange servers is troubling for enterprises. Microsoft Exchange servers are used by enterprises globally and hold confidential information and important data that could cause substantial damage if leaked.
Stealth capabilities
Valak manages to evade detection by using an Alternate Data Stream (ADS) and hiding various components within the registry. It also does not use PowerShell, which sidesteps security solutions that key on PowerShell activity to detect it.
Enterprises in the US and Germany have been targeted through the Valak malware campaign, but it has the potential to spread further. While there is no confirmed attribution for this campaign, security experts have suggested that it may have emanated from the Russian underground.
The two key steps that enterprises can take to shore up their protections against Valak are:
Raise awareness of social engineering attempts
Since this malware uses various techniques to evade detection, enterprises should not rely solely on their cybersecurity solutions to prevent these types of attacks. As documented earlier in the article, the malware spreads through Microsoft Word documents embedded with malicious macros, and users are mostly tricked into downloading and running the malicious payload. Hence, enterprises must keep emphasizing the risk of social engineering to employees and build awareness internally of the need to exercise vigilance.
Complete endpoint protection
If not already done, enterprises should install an endpoint security solution to help in detection and response. Seqrite Endpoint Security (EPS) integrates a range of powerful technologies (Anti Ransomware, Data Loss Prevention, Vulnerability Scan and many others) into a simple, comprehensive, powerful and user-friendly interface, designed for the enforcement of complete security of all endpoints within an enterprise.