Valak malware refurbished to target Microsoft Exchange servers and steal sensitive enterprise information – Digitalmunition





Published on June 1st, 2020


Valak malware refurbished to target Microsoft Exchange servers and steal sensitive enterprise information


Valak malware, once classified as a loader for other malware, has been refurbished to steal sensitive information and login credentials from enterprises.

That’s according to researchers from cyber security firm Cybereason, who say they have observed Valak malware targeting Microsoft Exchange servers to steal credentials and certificates from US and German enterprises.

Valak was first observed in late 2019, and at that time security researchers classified it as a malware loader. According to the researchers, the purpose of Valak was to deliver other malware, such as the banking Trojans IcedID and Ursnif.

While the original functionality of Valak still exists, the malware has undergone massive transformation in recent months, with more than 20 versions of the malicious programme now available for hackers.

The programme has been turned into a multistage modular framework that can be given additional functionality through multiple plug-ins.

It can check the geographical location of a compromised system, take screenshots, and download other payloads.

The recent version of Valak is designed to infiltrate Microsoft Exchange servers. The researchers warn that this level of access could lead to more disruptive attacks involving ransomware.

Hackers start their campaign by sending an email with a Microsoft Word document to a potential target. The document contains malicious macro code that delivers a .DLL file, and it is usually written in the local language of the target.

To achieve persistence, the malware schedules a task to run Windows Script Host and execute JavaScript stored as an Alternate Data Stream.
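The persistence technique described above leaves a recognisable trace: a scheduled task whose action runs a Windows Script Host engine against a path of the form file:stream. The following detection logic is an added example and not code from Cybereason or the article; it runs over a constructed list of task actions (the shape you would extract from Event ID 4698 task-creation records or `schtasks /query /fo list /v` output), and the task names and paths are invented, not real Valak indicators.

```python
import re
from typing import Dict, List

# Constructed sample of scheduled-task actions (task name, executable, arguments).
# Only the shape is realistic; none of these values are actual Valak IoCs.
SAMPLE_TASK_ACTIONS: List[Dict[str, str]] = [
    {"task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "arguments": "-c -h -k -g"},
    {"task": r"\UpdaterTask",
     "command": r"C:\Windows\System32\wscript.exe",
     "arguments": r"/E:jscript C:\Users\Public\notes.txt:update.js"},
    {"task": r"\Backup",
     "command": "cscript.exe", "arguments": r"//B C:\scripts\backup.vbs"},
    {"task": r"\Loader",
     "command": r"C:\Windows\SysWOW64\wscript.exe",
     "arguments": r"C:\ProgramData\cache.dat:x"},
]

WSH_ENGINES = {"wscript.exe", "cscript.exe"}


def tokenize(args: str) -> List[str]:
    """Split an argument string, keeping double-quoted paths as one token."""
    return re.findall(r'"[^"]*"|\S+', args)


def has_ads_reference(token: str) -> bool:
    """True if a token looks like <file>:<stream>, i.e. an NTFS Alternate Data Stream."""
    t = token.strip('"\'')
    if re.match(r"^[A-Za-z]:", t):
        t = t[2:]  # drop the drive-letter colon so it is not mistaken for a stream
    if t.startswith("/"):  # WSH switches such as //B or /E:jscript, not file paths
        return False
    # one colon, followed by a stream name that contains no further separators
    return bool(re.match(r"^[^:]+:[^:\\/]+$", t))


def find_wsh_ads_tasks(actions: List[Dict[str, str]]) -> List[str]:
    """Return names of tasks that launch a WSH engine with an ADS-hosted script."""
    hits = []
    for action in actions:
        exe = action["command"].rsplit("\\", 1)[-1].lower()
        if exe not in WSH_ENGINES:
            continue
        if any(has_ads_reference(tok) for tok in tokenize(action["arguments"])):
            hits.append(action["task"])
    return hits


if __name__ == "__main__":
    for name in find_wsh_ads_tasks(SAMPLE_TASK_ACTIONS):
        print("suspicious WSH task with ADS script:", name)
```

A benign scheduled task invoking cscript.exe on a normal .vbs file is not flagged; only the combination of a WSH engine and a file:stream script path is.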

The second stage involves downloading more modules and exploring the environment to eventually steal sensitive data from the infected machine.

The researchers said they have observed Valak being used in active campaigns attempting to target businesses in the US and Germany.

Moreover, the threat group behind Valak is not the only one that is currently trying to target Microsoft Exchange servers.

In April, researchers from cyber security firm Rapid7 warned that more than 80 per cent of the Microsoft Exchange Servers exposed on the internet were vulnerable to the CVE-2020-0688 remote code execution bug that was patched by Microsoft in February 2020.

The researchers said they discovered more than 31,000 Exchange 2010 servers that had not received any update since 2012. They also found nearly 800 Exchange 2010 servers that IT admins had never updated at all, and many that were no longer supported by Microsoft.
