Operators Behind Valak Malware Expand Malicious Campaign
Financial, Manufacturing, Healthcare and Insurance Firms Victimized
The operators behind a malware strain called Valak have expanded their malicious campaigns over the past several months to other parts of the world, targeting financial, manufacturing, healthcare and insurance firms, according to research from Cisco Talos.
While Valak was first spotted primarily in the U.S. and Germany in 2019, Cisco Talos researchers have now found the malware spreading across North and South America and other parts of Europe, according to the report. The attackers have also focused most of their attention on larger enterprises, such as financial services firms, for monetary gain.
In addition, the Cisco Talos report notes the operators of Valak are now using existing email threads, as well as password-protected and compressed ZIP files, to help spread the malware and target more victims. Spam emails, however, remain the primary delivery mechanism for the malware, according to the report.
While Cisco Talos did not provide specific numbers, the researchers note that Valak appears to have successfully bypassed security protections.
"The campaigns associated with Valak appear to be relatively successful, likely because of perimeter security controls being unable to scan the initial attachments being sent to potential victims," Cisco Talos researchers Nick Biasini, Edmund Brumaghin and Mariano Graziano note in the report. The use of stolen email threads also makes it unlikely security tools could detect malicious emails that contain the malware, they add.
Hijacking Existing Email Threads
When it was first spotted by researchers in late 2019, Valak was designed as a malware loader that could deliver banking Trojans such as Ursnif and IcedID. In May, however, security analysts at Cybereason found that the creators of Valak had revamped the malware as an information stealer capable of exfiltrating data from corporate user accounts (see: Revamped Valak Malware Targets Exchange Servers).
Over the past several months, the Valak operators have increasingly distributed their malware through malspam campaigns that use stolen email threads and password-protected ZIP files, which help them bypass many detection technologies, according to the Cisco Talos report.
While these campaigns have been underway since early this year, Cisco Talos finds that 95% of overall Valak activity has taken place in May and early June.
"As we continue to get better at detecting and blocking spam messages, adversaries will continue to move to novel approaches, like email thread hijacking," the researchers note.
In the campaigns observed by Cisco Talos analysts, the attackers sent the phishing emails by replying on an existing thread, such as an automated email sent by LinkedIn after two users connect, raffle prize email threads or even friendly emails between associates at the same organization.
In some cases, the threads targeted by the attackers were several years old, the researchers observed. In instances where the email thread contained many recipients, the attackers sent individual messages instead of replying all at the same time, the report adds.
The responses were personalized. For example, while targeting a real estate company, the emails contained information about properties, financing and showings, according to Cisco Talos. In another case, the attackers hijacked an email generated by a state court system, abusing a lawyer's email account to increase the possibility of the victims opening the attachment, according to the report.
"This highlights why these campaigns can have a high success rate: They are sent from existing email threads between colleagues or acquaintances," researchers note.
The report also notes that while the password-protected attachments make it easier to bypass security, this technique sometimes decreases effectiveness as many users have trouble opening password-protected attachments.
Apart from targeting enterprises, the attackers also sent phishing mails to personal email accounts, although the percentage of individual targets is much lower, according to the report. This could mean that there are two separate, but ongoing campaigns, the report notes.
These spam emails contain malicious Microsoft Word attachments. The documents, localized into the target's language, urge users to enable macros; the macros then function as a downloader that retrieves and executes the dynamic-link library associated with Valak, according to the report.
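The two delivery traits the report describes, a reply injected into an existing thread and a password-protected ZIP attachment, are both visible in the message itself before any payload runs. The following added example (not Cisco Talos code, and not tied to any real Valak sample) builds a constructed .eml with those traits and shows a mail-gateway triage check that flags them, using only the Python standard library; the sample ZIP is a normal archive with its "encrypted" flag bit set, which is all the check inspects.

```python
import email
import email.policy
import io
import struct
import zipfile
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag field


def make_zip(name: str, payload: bytes, encrypted: bool = True) -> bytes:
    """Constructed one-entry ZIP; optionally set the 'encrypted' flag bit in both
    the local file header (offset 6) and the central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        cd_offset = struct.unpack("<I", data[-6:-2])[0]  # from the end-of-central-directory record
        for off in (6, cd_offset + 8):
            data[off] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_sample_eml(encrypted: bool = True) -> bytes:
    """Constructed message imitating a reply dropped into an old thread with a ZIP attached."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Property showing on Main St"
    msg["In-Reply-To"] = "<original-thread@example.com>"
    msg.set_content("Please see the attached documents. The archive password is 1234.")
    msg.add_attachment(make_zip("document.doc", b"placeholder", encrypted),
                       maintype="application", subtype="zip", filename="documents.zip")
    return msg.as_bytes()


def scan_eml(raw: bytes) -> list:
    """Return triage findings: reply into an existing thread, encrypted or malformed ZIPs."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    if msg["In-Reply-To"] or msg["References"]:
        findings.append("reply-to-existing-thread")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not data.startswith(b"PK\x03\x04"):
            continue  # not a ZIP container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                locked = [i.filename for i in zf.infolist() if i.flag_bits & ZIP_ENCRYPTED_FLAG]
        except zipfile.BadZipFile:
            findings.append("malformed-zip:" + str(part.get_filename()))
            continue
        if locked:  # gateway cannot inspect these members
            findings.append("password-protected-zip:" + str(part.get_filename()))
    return findings
```

A gateway that cannot open the archive should treat the combination of both findings as a reason to hold the message for inspection rather than pass it through unscanned.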
The Cisco Talos researchers also used passive DNS data to track the servers used to deliver the Valak DLL to victims.
Valak has undergone multiple changes in the way it is retrieved and the level of obfuscation in the configuration file has increased, the report states.
The report does not identify the specific threat actors behind the campaign, but mentions that most of the infrastructure used to deliver the initial DLL was hosted on servers located in Russia and Ukraine. Some of the systems used for command and control were hosted in multiple locations around the world, including in the U.S., according to the report.