Executive Summary
Valak was first discovered in 2019 as a malware loader and information stealer. Fishtech has seen an increase in thread hijacking being used by Valak threat actors to entice end users into clicking on phishing URLs or opening malicious documents. Valak leverages a plugin responsible for harvesting emails to further spread the malware. The following blog will examine how Valak is delivered and its capabilities.
Background
Valak was publicly recorded in October 2019 when two rules to detect Valak were created on Proofpoint’s ET Pro ruleset. The malspam network delivering Valak, labeled Shathak on Twitter, has been seen targeting English- and German-speaking businesses. Valak has evolved from acting as a loader to becoming a sophisticated, multistage piece of malware able to update itself and expand its capabilities.
Valak Delivery Method
The malspam delivering Valak uses existing email threads to increase the likelihood of the victim opening the attachment. To bypass email security, the attachments are password protected. This approach also hinders any automated sandbox analysis used to detonate suspicious attachments.
Figure 1: Email reply with password protected attachment
There are several features in this email that should arouse suspicion:
- The zip file attached to the email is protected with a 5-character password.
- Sending the password in the same email usually means the threat actor is using it as a way to bypass antivirus or email filtering.
- The email appears to be a reply to an email sent 9 months ago.
- The word ‘attached’ is misspelled as “attach_ed”.
- The sender email address does not match the sender display name.
Figure 2: Zip file containing a Microsoft Word Document
Attempting to open the file leads to a window prompt requesting a password.
Figure 3: Enter Password Window
Analyzing the document using ViperMonkey (a VBA emulation engine) provides the following summary of the actions carried out by the macro code:
Figure 4: Vipermonkey results for material06.20.doc
Examining the results shows that the macro ‘autoopen’ runs each time the victim opens the document. The API function ‘URLDownloadToFile’ is used to retrieve a file with a .cab extension. Once the file gap5.cab has been downloaded, it is saved as 44312539.dat in the directory c:\programdata. Regsvr32 is then used to run the 44312539.dat file.
As malware authors constantly change their tactics, it is always a good idea to verify analysis using multiple tools. To manually examine the Macros of the document, please see a previous blog here.
Similar URLs have been seen in URLhaus, urlscan.io and VirusTotal Intelligence. All the listed URLs are associated with Valak.
Figure 5: Download url listed in URLhaus
Opening the document in a virtual machine shows a message requesting the victim to enable macros. If macros were enabled for all documents, the file gap5.cab would have been downloaded automatically upon opening the document.
Figure 6: Microsoft Word Document requesting to enable Macros
After enabling macros, the Valak DLL is downloaded and saved to the C:\ProgramData directory.
Figure 7: Valak Dll saved to ProgramData directory
Regsvr32 is then used to run the Valak Dll. A window will confirm if the file was properly executed. Several versions of Windows failed to execute the file properly. The following screenshot was retrieved from a Windows 10 machine that executed the malware properly.
Figure 8: Pop up window where the Valak Dll was run
As shown below, the malware failed to run on a Windows 8 machine.
Figure 9: Pop up window showing file was not able to run
Once the Valak Dll is run, the file iVIwVADQD.eLxan is created in the “public” user directory and executed.
Figure 10: JavaScript configuration file
Figure 11: Process execution after enabling Macros
Additionally, placeholder, expired and legitimate domains can be seen in the contents of the configuration file along with the C2s, which are likely included to complicate manual static analysis. The legitimate domains are registered to Microsoft and Facebook:
- vo.msecnd[.]net – Microsoft
- msnbot-207-46-194-33.search.msn[.]com – Microsoft
- atdmt[.]com – Facebook
Placeholder domains that were never registered might be used in the future. Expired domains might have been C2s in the past:
- Knockoutlights[.]com – Domain Creation Date: May 3, 2019
  - Expired on Sunday, May 3, 2020
- d0d0f3d189430[.]com – No current IP address; appears never to have been registered
This leaves the following C2s:
- d0d0abee1d18255e[.]com
  - Creation Date: 2020-06-18T12:32:43Z
  - Current IP: 22.26[.]248
  - Web Server Location: Portugal
- Organicgreensfl[.]com
  - Domain Creation Date: June 4, 2020
  - IP Address: 106.18[.]130
  - Web Server Location: Germany
- a-zcorner[.]com
  - Domain Creation Date: June 1, 2020
  - IP Address: 119.156[.]128
  - Web Server Location: Russia
The screenshot below shows the software signature, software version, and plain text variable names and values. As of this writing, Valak has evolved to using variable names and values with encoded strings.
Figure 12: Contents of configuration file (Part of the script)
Capabilities
The main purpose of the DLL loader is to write the initial scriptlet shown in Figure 12 above and detonate the payload. The DLL loader is crypted: the crypter reconstructs the code and places it into memory, then performs multiple XOR loops and decompression, which results in the unpacked DLL.
Valak script features:
- Create persistence in the victim’s machine
- Store Valak configuration in the registry
- Retrieve the “PluginHost” plugin
- Retrieve Client scripts
To create persistence, Valak creates entries under the registry key “HKEY_CURRENT_USER\Software\ApplicationContainer\Appsw64\”, followed by a JavaScript file (Disk0.js) in the public directory which is called by a scheduled task named “Disk Diagnostics”.
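As an added example (not part of the original post), the following Python sketch turns the execution chain and persistence behaviour described above into host-detection rules and runs them over a constructed set of process-creation events; the event format, the sample lines and the rule names are assumptions, not real telemetry or vendor signatures.

```python
import re

# Constructed sample process-creation events, shaped "parent -> image : command line".
# The first four mirror the behaviours described in the post; the last two are benign controls.
SAMPLE_EVENTS = [
    r"winword.exe -> regsvr32.exe : regsvr32.exe c:\programdata\44312539.dat",
    r"regsvr32.exe -> wscript.exe : wscript.exe C:\Users\Public\iVIwVADQD.eLxan",
    r'wscript.exe -> schtasks.exe : schtasks.exe /create /tn "Disk Diagnostics" /tr wscript C:\Users\Public\Disk0.js',
    r"wscript.exe -> reg.exe : reg.exe add HKCU\Software\ApplicationContainer\Appsw64 /v data /d 0x00",
    r"explorer.exe -> regsvr32.exe : regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    r"services.exe -> svchost.exe : svchost.exe -k netsvcs",
]

# Hypothetical rules: (name, parent regex, image regex, command-line regex); all matching is case-insensitive
# because every field is lower-cased at parse time.
RULES = [
    ("valak_regsvr32_programdata_dat", r"winword\.exe", r"regsvr32\.exe", r"c:\\programdata\\[^\s]+\.dat"),
    ("valak_script_from_public_dir", r".*", r"(wscript|cscript)\.exe", r"c:\\users\\public\\"),
    ("valak_disk_diagnostics_task", r".*", r"schtasks\.exe", r"/tn\s+\"?disk diagnostics\"?"),
    ("valak_appsw64_registry_key", r".*", r"reg\.exe", r"hkcu\\software\\applicationcontainer\\appsw64"),
]

EVENT_RE = re.compile(r"^(?P<parent>[^\s]+) -> (?P<image>[^\s]+) : (?P<cmd>.+)$")


def parse_event(line):
    """Parse one event line into a dict of lower-cased fields, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {k: v.lower() for k, v in m.groupdict().items()}


def match_rules(event):
    """Return the names of every rule whose parent, image and command-line patterns all match."""
    hits = []
    for name, parent_re, image_re, cmd_re in RULES:
        if (re.fullmatch(parent_re, event["parent"])
                and re.fullmatch(image_re, event["image"])
                and re.search(cmd_re, event["cmd"])):
            hits.append(name)
    return hits


def scan(lines):
    """Run all rules over a list of event lines; returns (rule name, image) pairs for each hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend((rule, ev["image"]) for rule in match_rules(ev))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Running it against the constructed events produces one finding for each of the four Valak behaviours and none for the two benign controls.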
Figure 13: Registry and Scheduled Task for persistence
The function “Loader.Persist” shows the JavaScript file “Disk0.js” being created and calling Loader.DeployHost at the end. The data retrieved by Loader.DeployHost using “Http.Request” is decoded and saved as an executable. This plugin is known as “PluginHost” and provides Valak with the ability to download additional plugins, making Valak more sophisticated than standard loaders. Notable additional plugins retrieved by Valak include “Exchgrabber”, which targets businesses by harvesting emails for ‘Thread Hijacking’, and “Clientgrabber”, which is used for stealing email credentials.
Figure 14: Loader.Persist function calling Loader.DeployHost
Figure 15: PluginHost Plugin being retrieved to further expand Valak’s capabilities
Conclusion
Valak has evolved from being a loader to a sophisticated piece of malware able to update and expand its capabilities. Malspam distributing malicious Word Documents delivering Valak is likely to continue.
CYDERES recommends that organizations conduct user-awareness training to educate users on commonly utilized phishing techniques and how to identify them. Common signs of a phishing attempt include mismatched sender and reply-to addresses, a reply to an old email thread, grammatical errors or spelling mistakes, generic subjects or greetings, and emails that contain unsolicited documents. Additionally, organizations are advised to ensure that all security patches, especially those relating to Microsoft Windows, are applied as soon as they become available.
To become part of customer stories of breaches prevented, compliance achieved, costs slashed, technology optimized, or other real-world tales of digital transformation, take advantage of EDR solutions with CYDERES. If you are interested in talking more about how you can take advantage of EDR solutions with CYDERES, fill out the form at the bottom of the page, and we can connect you with an expert to help you find the right solution for your organization.
ATT&CK
Initial Access
Phishing attachment – ID: T1193
Execution
Regsvr32 – ID: T1117
User Execution – ID: T1204
Scripting – ID: T1064
Defense Evasion
Modify Registry – ID: T1112
Deobfuscate/Decode Files or Information – ID: T1140
Process Injection – ID: T1055
Command and Control
Remote File Copy – ID: T1105
Persistence
Scheduled Task – ID: T1053
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – ID: T1547.001
References:
https://www.proofpoint.com/us/daily-ruleset-update-summary-20191022
https://twitter.com/luc4m/status/1265194192768315392
https://www.virustotal.com/gui/domain/2zvdoq8grm7vwed20-zz.com/relations
https://urlscan.io/search/#2zvdoq8grm7vwed20-zz.com
IOCs:
0aa589d6a1ddbf20647af5ceff898d92b72e6ea4d1c79f658bcb6d0213b71d95
8b25aa9582427a476c2e5b66cb00d59946e07021b9708571bb9187cb3d98917a
4c0d7b112dfd99c751a85ad9539152c413ede7e5d976f75ae13a8b46ebf53e66