Cybereason Nocturnus experts said that the Valak loader, first discovered in 2019, now exploits vulnerabilities in Microsoft Exchange servers. It has become a full-fledged infostealer and attacks companies in the USA and Germany.
Researchers write that in the last six months the malware has received more than 20 updates and now poses a complete, standalone threat.
Valak spreads through phishing attacks and Microsoft Word documents containing malicious macros.
To gain a secure foothold in a compromised system, the malware modifies the registry and creates a scheduled task. Valak then downloads and runs additional modules responsible for reconnaissance and data theft.
The two main payloads (project.aspx and a.aspx) perform different functions. The first manages registry keys, task scheduling and malicious activity; the second (internal name PluginHost.exe) is an executable for managing additional malware components.
The ManagedPlugin module has a variety of functions: it collects system information (local and domain data); it has an Exchgrabber function, whose purpose is to penetrate Microsoft Exchange by stealing credentials and domain certificates; it has a geolocation checker and a screenshot capture function; and it contains the Netrecon network reconnaissance tool.
“The theft of confidential data gives attackers access to the user of the internal domain, that is, access to the organization’s internal mail services, as well as access to the organization’s domain certificate. With systeminfo, attackers can determine which user is the domain administrator. This creates a dangerous combination of confidential data leakage and large-scale potential compromise for cyber espionage or data theft. This demonstrates that the initial goals of this malware are primarily enterprises,” the experts conclude.
Let me remind you that although Microsoft fixed the flaw in the Exchange Control Panel in Microsoft Exchange, according to researchers at Rapid7, administrators did not update the software and many servers remained vulnerable.