LTS Secure Warning: Revamped Valak Malware Becomes More Sophisticated & Stealthier
Valak, a loader used to deliver other malware onto compromised machines, has seen a surge of development that extends it to perform reconnaissance and to steal credentials and other sensitive information. This development has turned Valak into a multi-stage, modular malware that can be upgraded with additional functionality through plug-ins when required.
The malware is distributed via phishing emails carrying a malicious Word attachment with hidden macro code. Once the victim opens the file, the macros install a dynamic-link library (DLL). The DLL then uses the WinExec API to download a JavaScript file that is responsible for connecting to the C&C server.
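The delivery chain described above (Office document with macros, a dropped DLL, then a script host fetching the JavaScript stage) leaves a characteristic parent/child process trail. The following is an added detection example, not code from the original advisory or from any vendor: it flags an Office application spawning a DLL loader or script host, and a DLL loader spawning a script host, and raises severity when the command line references a user-writable path. The pipe-separated log format, the sample events, and the assumption that the dropped DLL is run through rundll32.exe or regsvr32.exe are all constructed for illustration; the field meanings mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine).

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office applications that have no business spawning loaders or script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Common ways to execute a dropped DLL (assumed loader binaries, not from the page).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Windows script hosts that would run the downloaded JavaScript stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Path fragments typical of user-writable drop locations.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample telemetry: timestamp|ParentImage|Image|CommandLine
SAMPLE_EVENTS = [
    r"2020-06-01T10:00:01Z|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n C:\Users\alice\Downloads\invoice.doc",
    r"2020-06-01T10:00:09Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,DllRegisterServer",
    r"2020-06-01T10:00:12Z|C:\Windows\System32\rundll32.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\alice\AppData\Roaming\update.js",
    r"2020-06-01T10:03:40Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|splwow64.exe 12288",
    r"2020-06-01T10:05:00Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\cscript.exe|cscript.exe C:\Scripts\logon.vbs",
]


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one pipe-separated process-creation record into its fields."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(ts, parent, image, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[dict]:
    """Return an alert dict if the event matches a suspicious parent/child chain."""
    parent, child = basename(ev.parent), basename(ev.image)
    cmd = ev.cmdline.lower()

    if parent in OFFICE_APPS and (child in DLL_LOADERS or child in SCRIPT_HOSTS):
        rule = "office_spawned_loader_or_script_host"
    elif parent in DLL_LOADERS and child in SCRIPT_HOSTS:
        rule = "dll_loader_spawned_script_host"
    else:
        return None

    # A payload living under AppData/Temp/Public is the typical drop pattern.
    severity = "high" if any(h in cmd for h in USER_WRITABLE_HINTS) else "medium"
    return {
        "ts": ev.ts,
        "rule": rule,
        "severity": severity,
        "parent": parent,
        "child": child,
        "cmdline": ev.cmdline,
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run the chain rules over raw log lines and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['rule']}: {a['parent']} -> {a['child']} :: {a['cmdline']}")
```

Against the constructed sample, only the two events that form the Word -> rundll32 -> wscript chain fire; Word launching its printing helper and an administrator's logon script under cmd.exe do not. The two rules are deliberately parent/child based rather than hash based, so they survive a repacked DLL or a renamed JavaScript file.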
Two encoded files are downloaded from the C&C server:-
- project.aspx:- maintains persistence on the system and installs additional payloads & plug-ins.
- a.aspx:- used to manage the additional components.
Observed capabilities:-
- Collects user, system & network information.
- Takes screenshots of the desktop.
- Steals sensitive/confidential information such as email login credentials, domain passwords & certificates.
- Uploads & executes payloads on the infected machines.
Recommendations:-
- Never download suspicious attachments or click on shady-looking links. Make the effort to educate your users on how to identify spam mail.
- Always update your anti-virus software with the latest releases.
- Periodically run a "full system scan" on your endpoints.
- Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.
- Isolate all compromised computers ASAP to prevent the threat from spreading further inside your infrastructure.