Valak, a malware that cybersecurity experts previously classified as a loader, has transformed into a “potent” cyber threat in the last 6 months. According to Cybereason’s Nocturnus team, it has gone through numerous upgrades, with more than 24 versions seen during its evolution from a malware loader to a major threat.
The Nocturnus team stated that the malware, which first emerged in the last quarter of 2019 as a loader, has been recorded in recent campaigns against individuals and enterprises, mainly in Germany and the USA, with new features that make it a data stealer; its earlier versions (v1, v2) were bundled with the IcedID and Ursnif banking Trojan payloads.
Assaf Dahan, head of threat research at Cybereason, said the developers of Valak must have collaborated with other hackers to adopt a malware-as-a-service (MaaS) model. The recent versions of Valak were designed to steal passwords, email information and enterprise certificates from Microsoft Exchange servers; a successful attack gives access to vital enterprise accounts, resulting in brand damage and data loss.
The Latest Valak Malware – Valak 2.0
The latest Valak version boasts a fileless stage that stores components in the registry, scans the infected system’s geolocation, and carries at least six plugin components that let cybercriminals steal system, user and network information from infected hosts, along with the ability to download additional malware and more plugins.
Lior Rochberger and Eli Salem, authors of Cybereason’s analysis of the new variants, said the most “intriguing addition” to Valak was a “PluginHost” component that transmits “data to C2 server for downloading additional plugins.” They also warned of an uptick in fileless malware attacks, because Valak’s developers have adopted evasive techniques such as ADS, an advanced way of hiding components in the registry, and have discontinued the use of PowerShell, which is now easily detected and blocked by most security products.
Valak has currently reached version 25, and its code indicates possible links to the Russian-speaking underground community. Researchers have yet to understand the relationship between Valak, IcedID and Ursnif, but suspect their operators may be collaborating.