LTS Secure Warning: Revamped Valak Malware, Becomes more Sophisticated & Stealthier

Valak Malware, a loader used to load other malware on compromised machine, has seen a surge of development, transforming the malware to perform reconnaissance, steal credentials & other sensitive information. This development has turned valak, into a multi-stage modular malware, capable of upgraded with additional functionality, if required with the help of plug-ins.


Technical Details

The malware is being distributed via phishing email, with malicious attached word file with hidden macro code. Once the file has been opened by the victim, the macros install a dynamic-link library (DLL) file. The DLL then makes use of the WinExec API in order to download a java script, responsible for making connection to the C&C server.

Two encoded files are downloaded from the C&C servers:-

  • project.aspx:- Maintains persistence in the system by installing additional payloads & plugins.
  • a.aspx:- Used to manage additional components.



  • Collects user, system & network information.
  • Take screenshots of desktop.
  • Steal sensitive/confidential information like email login credentials, domain passwords & certificates.
  • Upload & executing payloads on the infected machines


Recommended Actions

  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mail-spam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.