Valak has a New Form: Why Businesses Should Fear Evolving Malware

William Grove June 2, 2020

When we talk about how cybercriminals are industrializing and innovating at the same pace as cybersecurity professionals, it’s important not to talk in the abstract all of the time – criminals are continually evolving their toolsets so that they stand a better chance of extracting large payouts from enterprise targets. The transformation of Valak malware from a loader into a data stealer is a good example of this.

What is Valak and How Does it Work?

Valak has only been around since late 2019. Initially, it was used as a loader to deliver other malware such as Ursnif (otherwise known as Gozi) and IcedID. Since then, it has targeted around 150 financial, retail, manufacturing and healthcare firms. Its evolution has been rapid, with new integrations being offered to buyers in each of its 30 updates.

Its latest form can be used to access Microsoft Exchange servers. It is distributed first via phishing campaigns. When a malicious email is opened, the malware’s code installs a DLL file that is then launched with a WinExec API call. After further calls to its command-and-control (C2) servers, it can download two more malicious files: the first is designed to give the malware persistence on the affected system, and the second has capabilities that include data collection.

Criminals are Ramping up Attacks on Businesses

In a short period of time, Valak has morphed from a dependent loader into malware that can run independently. These changes wouldn’t have been made just for the sake of it: the developers will have seen an opportunity to increase profits. Stealing data from enterprises (a move that has a sting in the tail of its own when the exploited organization then has to pay out for regulatory non-compliance) will be more profitable than using the loader to sell bots to buyers who run fully-featured botnets.

Valak’s capabilities have also been improved to give the malware a better chance of successfully infiltrating corporate security environments. Malware developers are growing increasingly confident in their ability to profit from enterprise-level attacks. They know that organizations are overwhelmed with mountains of vulnerabilities. They know that organizations are not set up with the visibility they need of all the vulnerabilities and assets within their fragmented estates. They know that they are likely to be able to take advantage of an exposed vulnerability. And, in Valak’s case, by jumping straight to data theft they are also able to stop being a ‘middleman’ and, therefore, to harvest profits much more quickly.

Don’t Get Outpaced by Criminal Innovation

Criminals’ intelligence cannot be underestimated: they know how to create malware at scale and, like any other business, are focused on increasing profitability. This is just one of the reasons why managing cybersecurity is so complex – the threat never dissipates, it only ever gets stronger. This is why, at a base level, businesses need to have visibility over their entire hybrid estate. They need to be able to see and understand which of their vulnerabilities are most exposed to a potential attack, so that they can build robust remediation strategies that enable them to act quickly to protect their most critical assets.

Innovation is the life force that advances criminal activity: it’s the responsibility of organizations to innovate with focus so that they can build a security ecosystem that will enable them to weather the storm of any current and emerging threats.

William Grove is Skybox's Senior Content Marketing Manager. William has over 8 years of experience, primarily focused on enterprise-level B2B tech communication.