Threat Actors Behind the Valak Malware Expanding Campaign

The attackers behind the Valak malware strain appear to have spent the past few months expanding their campaign into new countries and sectors, including manufacturing, financial, insurance, and healthcare companies, according to Cisco Talos.

Though Valak was first spotted in Germany and the US in 2019, Cisco Talos researchers found the malware spreading in North and South America and Europe, according to a recent report. The attackers appear to be focusing their efforts on larger companies, such as those in the financial sector, to increase their illicit profits.

The Cisco Talos report showed that the operators behind Valak are using existing email threads and password-protected ZIP files to spread the malware to more victims around the world. Spam emails are the primary delivery method for the malware, according to the report. Even though Cisco Talos didn't provide exact numbers, its researchers noted that Valak seems to be bypassing security protections.

The campaigns connected to Valak seem to have had a modicum of success, most likely because perimeter security controls fail to scan the password-protected attachments sent to potential victims, according to Cisco Talos researchers Nick Biasini, Edmund Brumaghin, and Mariano Graziano. Because the malicious messages were sent as replies within stolen, legitimate email threads, it is unlikely that security tools could have flagged them as suspicious.

Threat Actors Are Hijacking Existing Email Threads

When Valak was first spotted around the end of 2019, it acted as a malware loader capable of delivering banking Trojans such as IcedID and Ursnif. In May 2020, security analysts at Cybereason discovered that the makers of Valak had reworked it into an information stealer capable of exfiltrating data from corporate user accounts.

Over the last several months, the Valak operators increased the scope of their operations through malspam campaigns that use stolen email threads and password-protected ZIP files, allowing them to circumvent many detection technologies, Cisco Talos shared. Although the attacks were active earlier in 2020, Cisco Talos found that 95% of the known Valak activity took place from May to June.

In the campaigns seen by Cisco Talos analysts, the attackers sent the phishing emails as replies to existing threads, for example the automated emails companies send after two users connect. Emails between friends or associates in the same organization, raffle prize email threads, and so forth were also part of the campaign.

In some of these cases, the hijacked threads were years old. Some threads had many recipients, but the attackers sent individual messages rather than replying to everyone. The responses were personalized for the targets the attackers were going after: real estate companies, for example, received emails containing relevant information about showings, financing, and more. Another case saw the use of a lawyer's email account to increase the chance of fooling victims into opening the attachments.

The report also noted that although password-protected attachments make it easier to bypass security, the technique decreases the effectiveness of these attacks, as users may have trouble opening such files. Apart from targeting companies, the attackers sent phishing emails to personal email accounts, though the number of such targets pales in comparison, according to Cisco Talos. That may indicate that there are two separate campaigns, the researchers noted.
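The two tradecraft points above, a reply into an existing thread carrying a password-protected ZIP that perimeter scanners cannot open, are exactly the signals a mail gateway can still check without decrypting anything. The following is an added example, not code from the Cisco Talos report: it builds a constructed sample message, checks the ZIP local-file-header encryption flag, and notes when such an attachment arrives as a reply (In-Reply-To or References header present). The sender and recipient addresses and the ZIP header stub are constructed placeholders.

```python
import email
import email.policy
import struct
from email.message import EmailMessage

# Constructed ZIP stubs: a 30-byte local file header only, not a real archive.
# General-purpose flag bit 0 (value 0x0001) marks the entry as encrypted.
ENCRYPTED_ZIP_STUB = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
PLAIN_ZIP_STUB = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0000) + b"\x00" * 22


def build_sample(zip_bytes: bytes, in_reply: bool) -> bytes:
    """Constructed sample message in the style the report describes."""
    msg = EmailMessage()
    msg["From"] = "counsel@lawfirm.example"        # placeholder sender
    msg["To"] = "agent@realty.example"             # placeholder recipient
    msg["Subject"] = "Re: showing on Friday"
    if in_reply:
        msg["In-Reply-To"] = "<orig-thread@realty.example>"  # placeholder id
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="documents.zip")
    return msg.as_bytes()


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption flag set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]   # offset 6: general-purpose flags
    return bool(flags & 0x0001)


def assess(raw: bytes) -> list:
    """Return human-readable reasons a gateway should hold this message for review."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    in_thread = bool(msg["In-Reply-To"] or msg["References"])
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if zip_is_encrypted(payload):
            reasons.append(f"encrypted ZIP {part.get_filename()!r} cannot be scanned")
            if in_thread:
                reasons.append("reply into existing thread (possible thread hijack)")
    return reasons


if __name__ == "__main__":
    print(assess(build_sample(ENCRYPTED_ZIP_STUB, in_reply=True)))
```

A message that trips both checks is a candidate for quarantine pending a user-verified password rather than delivery, since the gateway itself has no way to inspect the archive contents.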

Valak Malware Delivery

The spam emails carry malicious MS Word attachments. The documents, written in localized languages, try to push users into enabling macros; the macros then act as a downloader that retrieves and executes the dynamic link library associated with the Valak malware. The Cisco Talos researchers used passive DNS data to track the servers used to deliver the Valak DLL. Over time, the way the DLL is retrieved has changed, as has the obfuscation of its configuration file. The report doesn't name the specific threat actors behind the campaign, but it does note that most of the infrastructure behind it is hosted on servers in Ukraine and Russia. Some of the systems used for command and control were found in multiple locations worldwide, including the US.