First observed in late 2019, Valak was once classified by cybersecurity researchers as a malware loader. Valak, deemed “sophisticated” by the Cybereason Nocturnus team, has undergone a host of changes over the past six months, with over 20 version revisions changing the malware from a loader to an independent threat in its own right.

After landing on a machine through a phishing attack using Microsoft Word documents containing malicious macros, a .DLL file called “U.tmp” is downloaded and saved to a temporary folder.

A WinExec API call is then made and JavaScript code is downloaded, leading to the creation of connections to command-and-control (C2) servers. Additional files are then downloaded, decoded using Base64 and an XOR cipher, and the main payload is then deployed.

Registry keys and values are set and a scheduled task is created to maintain persistence on an infected machine. Next, Valek downloads and executes additional modules for reconnaissance and data theft.

Two main payloads, project.aspx and a.aspx, perform different functions. The former manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter — internally named PluginHost.exe — is an executable that manages additional components.

Valak’s “ManagedPlugin” module is of particular interest. Functions include a system information grabber that harvests local and domain data; the “Exchgrabber” function which aims to infiltrate Microsoft Exchange by stealing credentials and domain certificates, a geolocation verifier, screenshot capture, and “Netrecon,” a network reconnaissance tool.

In addition, the malware will scour infected machines for existing antivirus products.

The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers in what is believed to be enterprise-focused attacks.

“Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise” the researchers say. “With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.”