Enterprises in the United States and Germany are being targeted in a phishing campaign spreading Valek malware, according to researchers at Cybereason Nocturnus.
Valek is a popular malware loader that was first identified in 2019. It has previously been distributed in phishing campaigns to deliver banking Trojans such as Ursnif and IcedID. Valek is in active development and new versions are released frequently: according to a recent Cybereason Nocturnus report, the malware has been updated more than 30 times in the past 6 months.
Previous campaigns involving Valek have seen the malware installed as a secondary payload by other malware variants; however, the latest version of the malware is being delivered on its own as the primary malware payload in phishing emails.
While Valek is still capable of acting as a malware downloader, it is now able to act independently as a stealthy information stealer. The malware employs various tactics to evade security solutions, including using Alternate Data Streams (ADS) and loading some of its components in the registry. The attackers have also abandoned PowerShell, which makes it harder for network defenders to detect the attack.
The latest campaign identified by Cybereason Nocturnus targets enterprise Microsoft Exchange servers to steal mailing information, usernames and passwords, and enterprise certificates, allowing the attackers to gain access to enterprise mail accounts.
The phishing campaign used to distribute Valek starts with an email containing a malicious Microsoft Word attachment. The document contains a macro that will download JavaScript code if allowed to run. The JavaScript makes a connection to the C2 server and further files are downloaded, including two malware payloads called Project.aspx and a.aspx.
Project.aspx manages registry keys, schedules malicious tasks, and maintains persistence on the infected server. The second payload, a.aspx, is renamed PluginHost.exe once downloaded. PluginHost is a new component in the latest version of Valek: it handles communication with the command and control server and allows additional plugins to be downloaded and added to the compromised host.
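The chain described above gives a defender on an Exchange host three cheap things to check for: files carrying Alternate Data Streams, files with the payload names reported here, and scheduled tasks that launch them. The following PowerShell triage script is an added example, not code from the article or from Cybereason; the payload names come from the article, while the scan path is an assumption and should be adjusted to the host.

```powershell
# Added triage script (not from the Cybereason report). Assumes Windows
# PowerShell 5.1+ on Server 2012+ running as an administrator.
$ScanPath      = 'C:\inetpub'                                   # assumption: adjust per host
$ArtifactNames = @('Project.aspx', 'a.aspx', 'PluginHost.exe')  # names reported in the article

# 1. Files with a non-default Alternate Data Stream (anything other than :$DATA).
#    Zone.Identifier (mark-of-the-web) is common and benign, so it is flagged as such.
Write-Host "== Files with alternate data streams under $ScanPath =="
Get-ChildItem -Path $ScanPath -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Benign = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    } | Format-Table -AutoSize

# 2. Files on disk whose names match the reported payloads.
Write-Host "== Files named like the reported payloads =="
Get-ChildItem -Path $ScanPath -Recurse -File -Include $ArtifactNames -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. Scheduled tasks whose action command line references any of those names
#    (the article reports Project.aspx scheduling tasks for persistence).
Write-Host "== Scheduled tasks referencing the reported payloads =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Exec actions expose Execute/Arguments; other action types yield an empty string.
        $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
        foreach ($name in $ArtifactNames) {
            if ($cmdline -like "*$name*") {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmdline }
            }
        }
    }
} | Format-Table -AutoSize
```

A hit on any of the three checks is a lead for further investigation, not proof of compromise: legitimate software also writes streams and tasks, so compare against a known-good baseline of the server.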
The plugins downloaded allow the attackers to perform a range of malicious activities on the compromised Exchange server, including reconnaissance to gather information about the device, user, network, the location of the infected device, and information about processes that are running. This component also allows email data to be stolen. Cybereason Nocturnus researchers have identified 6 plugins that are downloaded by PluginHost, although there could be more.
Cybereason Nocturnus researchers believe the extensive development of the malware and the addition of new functions suggest the developers have been working with other threat actors to build a better, stealthier, and much more dangerous malware.