Executive Summary

Valak was first observed in 2019 as a malware loader and information stealer. Fishtech has seen an increase in thread hijacking by Valak operators: replies injected into existing email conversations to entice recipients into clicking phishing URLs or opening malicious documents. Valak uses a plugin that harvests victims' email to feed further thread hijacking. This post examines how Valak is delivered and what it is capable of.

Background

Valak was first publicly documented in October 2019, when two detection rules for it were added to Proofpoint's ET Pro ruleset. The malspam network delivering Valak, referred to on Twitter as Shathak, has been seen targeting English- and German-speaking businesses. Valak has since evolved from a simple loader into a sophisticated, multistage piece of malware that can update itself and expand its capabilities.

Valak Delivery Method

The malspam delivering Valak replies into existing email threads to increase the likelihood of the victim opening the attachment. The attachments are password protected to get past email security scanning; the same trick also hinders automated sandbox detonation of suspicious attachments.

Figure 1: Email reply with password protected attachment

There are several features in this email that should arouse suspicion:

  • The zip file attached to the email is protected with a 5-character password
    • Sending the password in the same email usually means the sender is trying to get the attachment past antivirus or email filtering
  • The email appears to be a reply to a message sent 9 months earlier
  • The word "attached" is misspelled as "attach_ed"
  • The sender's email address does not match the sender's display name

Figure 2: Zip file containing a Microsoft Word Document

Attempting to open the file leads to a window prompt requesting a password.

Figure 3: Enter Password Window

Analyzing the document with ViperMonkey (a VBA emulation engine) produces the following summary of the actions carried out by the macro code:

Figure 4: ViperMonkey results for material06.20.doc

The results show that the macro 'autoopen' runs each time the victim opens the document. The API function 'URLDownloadToFile' retrieves a file with a .cab extension; once gap5.cab has been downloaded, it is saved as 44312539.dat in the directory C:\ProgramData. regsvr32 is then used to run 44312539.dat.

Because malware authors constantly change their tactics, it is always a good idea to verify analysis with more than one tool. To examine the document's macros manually, please see our previous blog post here.

Similar URLs have been seen in URLhaus, urlscan.io and VirusTotal Intelligence; all of the listed URLs are associated with Valak.

Figure 5: Download URL listed in URLhaus

Opening the document in a virtual machine shows a message asking the victim to enable macros. Had macros been enabled for all documents, gap5.cab would have been downloaded automatically as soon as the document was opened.

Figure 6: Microsoft Word Document requesting to enable Macros

After macros are enabled, the Valak DLL is downloaded and saved to C:\ProgramData.

Figure 7: Valak DLL saved to the ProgramData directory

regsvr32 is then used to run the Valak DLL. A pop-up window confirms whether the file executed successfully. Several versions of Windows failed to execute the file properly; the following screenshot was taken from a Windows 10 machine on which the malware ran successfully.

Figure 8: Pop-up window after the Valak DLL was run

As shown below, the malware failed to run on a Windows 8 machine.

Figure 9: Pop-up window showing the file failed to run

Once the Valak DLL runs, the file iVIwVADQD.eLxan is created in the Public user directory and executed.

Figure 10: JavaScript configuration file

Figure 11: Process execution after enabling Macros

The configuration file also contains placeholder, expired and legitimate domains alongside the C2s, most likely to complicate manual static analysis. The legitimate domains are registered to Microsoft and Facebook:

  • vo.msecnd[.]net – Microsoft
  • msnbot-207-46-194-33.search.msn[.]com – Microsoft
  • atdmt[.]com – Facebook

Placeholder domains that were never registered might be used in the future; expired domains might have been C2s in the past:

  • knockoutlights[.]com – domain created May 3, 2019
    • Expired on Sunday, May 3, 2020
  • d0d0f3d189430[.]com – no current IP address; appears never to have been registered

That leaves the following C2s:

  • d0d0abee1d18255e[.]com
    • Creation date: 2020-06-18T12:32:43Z
    • Current IP: 22.26[.]248
    • Web server location: Portugal
  • organicgreensfl[.]com
    • Creation date: June 4, 2020
    • IP address: 106.18[.]130
    • Web server location: Germany
  • a-zcorner[.]com
    • Creation date: June 1, 2020
    • IP address: 119.156[.]128
    • Web server location: Russia

The screenshot below shows the software signature, software version, and plain-text variable names and values. As of this writing, Valak has moved to encoded strings for its variable names and values.

Figure 12: Contents of configuration file (Part of the script)
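Triaging a configuration like the one above means pulling every domain out of the script, setting aside the decoys that resolve to Microsoft or Facebook infrastructure, and then splitting what remains by registration status. The following Python is an added example, not code from the original post or from the malware: the configuration text is a constructed stand-in (the variable names SOFT_SIG, SOFT_VERSION and URLS are hypothetical; only the domains come from the analysis above), and because WHOIS and DNS are not available offline, the registration status is supplied as a dictionary built from the findings listed above rather than looked up live.

```python
import re

# Constructed stand-in for a plain-text Valak configuration. Variable names
# and layout are hypothetical; the domains are the ones from the analysis
# above, written plain here so the extractor has real work to do.
SAMPLE_CONFIG = r'''
var SOFT_SIG = "sample-signature";
var SOFT_VERSION = "1.0";
var URLS = "vo.msecnd.net;d0d0abee1d18255e.com;knockoutlights.com;msnbot-207-46-194-33.search.msn.com;organicgreensfl.com;d0d0f3d189430.com;atdmt.com;a-zcorner.com";
'''

# Registration status per domain, constructed from the WHOIS/DNS findings
# above. In practice this comes from a live lookup, not a literal.
SAMPLE_STATUS = {
    "d0d0abee1d18255e.com": "active",
    "organicgreensfl.com": "active",
    "a-zcorner.com": "active",
    "knockoutlights.com": "expired",
    "d0d0f3d189430.com": "unregistered",
}

# Registrable domains of the legitimate decoys, keyed to their owner.
KNOWN_LEGITIMATE = {
    "msecnd.net": "Microsoft",
    "msn.com": "Microsoft",
    "atdmt.com": "Facebook",
}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_domains(config_text: str) -> list:
    """Return the unique, lower-cased domains found anywhere in the script."""
    return sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(config_text)})


def registrable(domain: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.net decoys;
    a real tool should use the public suffix list (e.g. 'co.uk')."""
    return ".".join(domain.split(".")[-2:])


def defang(domain: str) -> str:
    """Neutralise the final dot so the indicator cannot be clicked."""
    head, _, tld = domain.rpartition(".")
    return f"{head}[.]{tld}"


def triage(config_text: str, status: dict) -> dict:
    """Bucket every domain in the config: legitimate decoys first, then the
    rest by registration status. Returns defanged, sorted lists."""
    buckets = {"decoy": [], "active": [], "expired": [], "unregistered": [], "unknown": []}
    for domain in extract_domains(config_text):
        if registrable(domain) in KNOWN_LEGITIMATE:
            buckets["decoy"].append(defang(domain))
        else:
            buckets[status.get(domain, "unknown")].append(defang(domain))
    return buckets


if __name__ == "__main__":
    for bucket, domains in triage(SAMPLE_CONFIG, SAMPLE_STATUS).items():
        print(f"{bucket:13}{', '.join(domains) or '-'}")
```

The "active" bucket is the list worth blocking and hunting for; the "expired" and "unregistered" buckets are worth watching, since either could be re-registered by the operators, and the decoys should be excluded before any indicator list is shared so that Microsoft and Facebook CDN hosts are not blocked by mistake.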

Capabilities

The main purpose of the DLL loader is to write the initial scriptlet shown in Figure 12 above and detonate the payload. The DLL is packed with a crypter: the crypter stub reconstructs the code in memory, then runs multiple XOR loops and a decompression pass that yield the unpacked DLL.

The Valak script does the following:

  • Creates persistence on the victim's machine
  • Stores the Valak configuration in the registry
  • Retrieves the "PluginHost" plugin
  • Retrieves client scripts

To establish persistence, Valak creates entries under the registry key HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64\ and drops a JavaScript file (Disk0.js) in the Public directory, which is launched by a scheduled task named "Disk Diagnostics".

Figure 13: Registry and Scheduled Task for persistence
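The behaviours described in the delivery section (regsvr32 run by an Office macro against a non-.dll file under C:\ProgramData) and in the persistence paragraph above (the ApplicationContainer\Appsw64 registry key, a script in C:\Users\Public, and the "Disk Diagnostics" scheduled task) are all visible in ordinary endpoint telemetry. The Python below is an added example, not code from the original post: it runs four detection rules over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and Event IDs 12/13 (TargetObject), and the task event is modelled on the TaskName/TaskContent fields of Windows Security Event 4698. The assumption that Disk0.js is launched through wscript.exe is mine; the post only says the file is created and executed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                               # "process", "registry" or "task"
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry: the Valak chain plus one benign regsvr32
# call (an installer registering a real DLL) that must not fire.
SAMPLE_EVENTS = [
    Event("process", {"Image": r"C:\Windows\System32\regsvr32.exe",
                      "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                      "CommandLine": r"regsvr32 C:\ProgramData\44312539.dat"}),
    Event("process", {"Image": r"C:\Windows\System32\regsvr32.exe",
                      "ParentImage": r"C:\Windows\System32\msiexec.exe",
                      "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'}),
    Event("registry", {"EventType": "CreateKey",
                       "TargetObject": r"HKU\S-1-5-21-1111\Software\ApplicationContainer\Appsw64"}),
    Event("process", {"Image": r"C:\Windows\System32\wscript.exe",   # assumed script host
                      "ParentImage": r"C:\Windows\System32\svchost.exe",
                      "CommandLine": r"wscript.exe C:\Users\Public\Disk0.js"}),
    Event("task", {"TaskName": r"\Disk Diagnostics",
                   "TaskContent": r"<Exec><Command>wscript.exe</Command><Arguments>C:\Users\Public\Disk0.js</Arguments></Exec>"}),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_regsvr32_nondll(ev: Event) -> bool:
    """regsvr32 loading a file from ProgramData whose extension is not .dll
    (the macro saved gap5.cab as 44312539.dat before running it)."""
    if ev.kind != "process" or _basename(ev.fields.get("Image", "")) != "regsvr32.exe":
        return False
    m = re.search(r'(?i)"?([a-z]:\\programdata\\[^"\s]+)"?', ev.fields.get("CommandLine", ""))
    return bool(m) and not m.group(1).lower().endswith(".dll")


def rule_appsw64_registry(ev: Event) -> bool:
    """Registry activity under Software\\ApplicationContainer\\Appsw64, where
    Valak keeps its configuration and persistence entries."""
    if ev.kind != "registry":
        return False
    return re.search(r"(?i)\\software\\applicationcontainer\\appsw64", ev.fields.get("TargetObject", "")) is not None


def rule_public_script_host(ev: Event) -> bool:
    """wscript/cscript executing a .js/.jse file from C:\\Users\\Public."""
    if ev.kind != "process" or _basename(ev.fields.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    return re.search(r"(?i)\\users\\public\\[^\s\"]+\.jse?\b", ev.fields.get("CommandLine", "")) is not None


def rule_disk_diagnostics_task(ev: Event) -> bool:
    """Scheduled task named 'Disk Diagnostics' or any task whose action
    points into C:\\Users\\Public."""
    if ev.kind != "task":
        return False
    name = ev.fields.get("TaskName", "").lower()
    content = ev.fields.get("TaskContent", "").lower()
    return "disk diagnostics" in name or "\\users\\public\\" in content


RULES = {
    "regsvr32_nondll_from_programdata": rule_regsvr32_nondll,
    "appsw64_registry_key": rule_appsw64_registry,
    "script_host_from_public": rule_public_script_host,
    "disk_diagnostics_task": rule_disk_diagnostics_task,
}


def run_rules(events: list) -> list:
    """Return (rule name, event index) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"{name}: event {idx} {SAMPLE_EVENTS[idx].fields}")
```

The registry and task rules are narrow and will stay quiet in a clean environment; the regsvr32 rule is the one to tune, since some legitimate software does register DLLs from ProgramData, so the parent process (an Office application, as in Figure 11) is the context worth adding to its alert.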

The function "Loader.Persist" shows the JavaScript file "Disk0.js" being created and "Loader.DeployHost" being called at the end. The data retrieved by Loader.DeployHost via "Http.Request" is decoded and saved as an executable. This component, known as "PluginHost", gives Valak the ability to download additional plugins, which sets it apart from standard loaders. Notable plugins retrieved by Valak include "Exchgrabber", which harvests emails from businesses for thread hijacking, and "Clientgrabber", which steals email credentials.

Figure 14: Loader.Persist function calling Loader.DeployHost

Figure 15: PluginHost plugin being retrieved to further expand Valak's capabilities

Conclusion

Valak has evolved from a loader into a sophisticated piece of malware able to update and expand its own capabilities. Malspam distributing malicious Word documents that deliver Valak is likely to continue.

CYDERES recommends that organizations conduct user-awareness training to educate users on common phishing techniques and how to identify them. Indicators of a phishing attempt include mismatched sender and reply-to addresses, a reply to an old email thread, grammatical errors or spelling mistakes, generic subjects or greetings, and emails that contain unsolicited documents. Organizations are also advised to apply all security patches, especially those for Microsoft Windows, as soon as they become available.

To become part of customer stories of breaches prevented, compliance achieved, costs slashed, technology optimized, or other real-world tales of digital transformation, take advantage of EDR solutions with CYDERES. If you are interested in talking more about how you can take advantage of EDR solutions with CYDERES, fill out the form at the bottom of the page, and we can connect you with an expert to help you find the right solution for your organization.

ATT&CK

Initial Access

Phishing: Spearphishing Attachment – ATT&CK ID: T1566.001 (formerly T1193)

Execution

Signed Binary Proxy Execution: Regsvr32 – ID: T1218.010 (formerly T1117)

User Execution – ID: T1204

Command and Scripting Interpreter – ID: T1059 (formerly Scripting, T1064)

Defense Evasion

Modify Registry – ID: T1112

Deobfuscate/Decode Files or Information – ID: T1140

Process Injection – ID: T1055

Command and Control

Ingress Tool Transfer (formerly Remote File Copy) – ID: T1105

Persistence

Scheduled Task/Job – ID: T1053

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ID: T1547.001

References:

https://www.proofpoint.com/us/daily-ruleset-update-summary-20191022
https://twitter.com/luc4m/status/1265194192768315392
https://www.virustotal.com/gui/domain/2zvdoq8grm7vwed20-zz.com/relations
https://urlscan.io/search/#2zvdoq8grm7vwed20-zz.com

IOCs (SHA-256 file hashes):

0aa589d6a1ddbf20647af5ceff898d92b72e6ea4d1c79f658bcb6d0213b71d95
8b25aa9582427a476c2e5b66cb00d59946e07021b9708571bb9187cb3d98917a
4c0d7b112dfd99c751a85ad9539152c413ede7e5d976f75ae13a8b46ebf53e66