Valak malware steals corporate data using Microsoft Exchange servers

Valak using Microsoft Exchange

Cyberreason Nocturnus experts said that the Valak bootloader discovered in 2019 now exploits vulnerabilities in Microsoft Exchange servers. It has become a full-fledged info-staler and attacks companies in the USA and Germany.

Researchers write that in the last six months, the malware has received more than 20 updates and now poses a complete and independent threat.

Valak spreads through phishing attacks and Microsoft Word documents containing malicious macros.

“If the malware penetrated the system, a .DLL file with the name U.tmp is downloaded to the infected machine and saved in a temporary folder. Then the WinExec API call is made and the JavaScript code is loaded, establishing a connection with the management servers. After that, additional files are downloaded to the infected host, which are decoded using Base64 and XOR, and the main payload is deployed”, — say Cyberreason Nocturnus.

To securely gain a foothold in a compromised system, the malware makes changes to the registry and creates a scheduled task. After that, Valak proceeds to download and run additional modules that are responsible for detecting and stealing data.

The two main payloads (project.aspx and a.aspx) perform different functions. The first manages registry keys, task scheduling and malicious activity, and the second (internal name PluginHost.exe) is an executable file for managing additional malware components.

The ManagedPlugin module has a variety of functions: collects system information (local and domain data); has an Exchgrabber function, the purpose of which is to penetrate Microsoft Exchange by stealing credentials and domain certificates; has a geolocation verifier and screenshot capture function; contains a Netrecon network intelligence tool.

“The theft of confidential data gives attackers access to the user of the internal domain, that is, access to the organization’s internal mail services, as well as access to the organization’s domain certificate. With systeminfo, attackers can determine which user is the domain administrator. This creates a dangerous combination of confidential data leakage and large-scale potential compromise for cyber espionage or data theft. This demonstrates that the initial goals of this malware are primarily enterprises”, — conclude the experts.

Let me remind you that despite Microsoft eliminated an error in the Exchange Control Panel in Microsoft Exchange, according to researchers at Rapid7, administrators did not update the software and many servers remained vulnerable.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *