Malwares of Malware | Valak shows up again

An updated variant of the Valak malware family earned a place on a security firm’s “most wanted malware” list for the first time.

First detected back in 2019, Valak garnered the attention of Cybereason in May 2020 for its ability to function beyond a malware loader and independently operate as an information stealer.

That was just a month before SentinelOne observed Valak using “clientgrabber,” a plugin which enabled the malware to steal email credentials from the registry.

At the beginning of July 2020,Valak using stolen email threads and password-protected .ZIP archives to target organizations in the financial, manufacturing, health care and insurance sectors.

September 2020 marked the third successive month of Emotet’s run at the top of Check Point’s Global Threat Index. Meanwhile, the Qbot trojan rose from 10th place to 6th place that same month.

These new campaigns spreading Valak are another example of how threat actors look to maximize their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August,

Valak is intended to enable data and credentials theft at scale from organizations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source.

Gamers abused with credential stuffing

Credential stuffing is a cyber-attack where fraudsters use large numbers of stolen credentials to log into individuals’ or companies’ accounts. This cyber-attack type is on the rise due to the high number of data breaches in the past years.

A successful credential abuse attack steals the victim’s account and puts the owner’s credit card information as well as in-game assets at risk. Worth noting – veteran players might have thousands of dollars worth of items in their game inventory.

While credential abuse attacks are rarely discussed, data reveals that it is a wide-spread issue. Hackers attacked gamers a staggering 9.83 billion times from July 2018 to June 2020.

Data shows that the top 5 countries are responsible for 49.32% of all fraudulent login attempts to user accounts. The US, Russia, Canada, China, and Germany are responsible for 4.85 billion attacks out of the 9.83 billion intrusion attempts globally.

It appears that most credential abuse originates from the United States. However, it is worth noting that hackers often change their IP addresses when carrying out these attacks. Meaning, the locations provided should be looked at with a grain of salt.

Gamers lose ?

The study asked players what they are most worried about if their account gets hacked. The most common answer was credit card information, with 49.1% of respondents stating it as their biggest concern

The concern of losing in-game assets is valid as a single special weapon can cost hundreds of dollars and, in rare cases, up to thousands of dollars.

Password hygiene

You can avoid the devastating financial losses, account takeovers, and emotional distress by following these simple rules:

  • Do not reuse passwords.
  • Make use of password managers. 
  • Deploy two-factor authentication (2FA).
  • Check if your email was compromised on haveibeenpwned website. 

Team TNT stolen AWS Credentials


The frequent targeting of cloud and container environments are indicative of a vast attack surface for cybercriminals. Recently, Cado Security researchers have found a first-ever crypto-mining worm dubbed ‘TeamTNT’ containing Amazon Web Services (AWS) specific functionality.


Active since April 2020, TeamTNT has updated its mode of operation in mid-August.

TeamTNT has added a new data-stealing feature that enables the attackers to scan and steal AWS credentials. It is the first botnet malware that is known to scan and steal AWS credentials.

The worm also steals local credentials and scans the internet for misconfigured Docker systems.

Attackers have compromised many Docker and Kubernetes systems along with Kubernetes clusters and Jenkins build servers.

Post exploitation

Besides acting as a botnet and a worm, TeamTNT uses the XMRig miner to mine Monero cryptocurrency.

The worm also deploys several openly available malware and offensive security tools including punk.py, Diamorphine Rootkit, Tsunami IRC backdoor, and a log cleaning tool.

Two different Monero wallets associated with these latest attacks have earned TeamTNT about 3 XMR (approx $300).

The similitude

TeamTNT’s malware suite is an amalgamation of another worm named Kinsing as malware authors copy and paste their competitors’ code. The Kinsing worm was designed to bypass Alibaba Cloud security tools. In early April 2020, a bitcoin-mining campaign used the Kinsing malware to scan for misconfigured Docker APIs, then spin up Docker images and install itself.

Bottom line

Research team has flagged the latest set of campaigns as a unique development. It is likely that other worms will start to copy the ability to steal AWS credentials. To thwart such attacks, organizations should consider reviewing their security configurations to protect AWS deployments from getting hijacked.

Moreover, monitoring network traffic and using firewall rules to limit any access to Docker APIs is also recommended .