The stealthier and most sophisticated modular variant of Valak malware appears to be an emerging threat due to an increased volume of campaign activity to steal sensitive information and deploy additional malware.

  • Valak is sophisticated modular information-stealer malware that was first observed in late 2019.

  • After its discovery Valak is evolving rapidly with more than 30 versions. Each version extended the malware’s capabilities and add evasive techniques to improve its stealth.

  • In initial version, Valak is used as loader for other malware and used in multiple campaign paired with Ursnif (Gozi) and IcedID, but new versions can be used independently as information stealer. Valak attack focus is on administrators in enterprise networks and specifically targets Microsoft Exchange servers.

  • Valak has rich modular features like storing malicious component to registry, collecting user machine and network information, checking geo location, taking screenshot, target administration accounts and collecting credentials and domain certificate from Microsoft mail system.

  • Valak relies on scheduled tasks for persistence and uses windows Alternate Data Stream (ADS) to hide and run follow-up malware on infected sources.

  • Due to modular nature of Valak, it collects modules/plugins from command-andcontrol server to expand its capability. Valak has component called ‘PluginHost', which provides communication with c2 server.

  • Some Example of Valak Plugins/Modules:

    • clientgrabber: Build for stealing email credentials from the registry of a compromised machine. It also checks for passwords in registry locations related to Microsoft’s Outlook client.

    • exchgrabber: Build for enumerating credentials from the Credential Manager, searching Office related credentials.

    • Systeminfo: Build for identify and target local and domain administrators.

First Name
Last Name
Work Number