Cybereason Nocturnus researchers report that Valak, first seen in 2019 as a loader, has turned into a full-fledged information stealer and is attacking organizations in the USA and Germany. According to the researchers, the malware has received more than 20 updates over the past six months and now operates as a standalone threat rather than just a delivery mechanism for other malware.
To establish persistence on a compromised system, the malware modifies the registry and creates a scheduled task. It then downloads and runs additional modules responsible for reconnaissance and data theft.
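The two persistence primitives named above, scheduled tasks and registry modifications, are the first things a responder would check on a suspect host. The PowerShell below is an added example, not code from the article or from the Cybereason report: it enumerates non-Microsoft scheduled tasks and the Run/RunOnce autorun values and flags entries whose command line invokes a script host or another living-off-the-land binary, or launches a script or DLL from a user-writable directory. The executable list, the path pattern and the file-extension pattern are generic triage heuristics chosen for illustration; they are not Valak indicators, since the article does not name the keys or task the malware uses.

```powershell
# Added example, not part of the original article or the Cybereason report.
# Hunts for the two persistence primitives described above (scheduled tasks and
# autorun registry values). The patterns below are generic triage heuristics,
# assumed for illustration; they are not Valak-specific indicators.

$SuspiciousExecutables = @(
    'wscript.exe', 'cscript.exe', 'mshta.exe', 'regsvr32.exe',
    'rundll32.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    foreach ($exe in $SuspiciousExecutables) {
        if ($Command -match [regex]::Escape($exe)) { return $true }
    }
    # Scripts or DLLs launched from user-writable locations deserve a look as well.
    return ($Command -match '\\(AppData|ProgramData|Temp|Public)\\' -and
            $Command -match '\.(js|jse|vbs|vbe|dll|hta|ps1)\b')
}

# 1. Scheduled tasks: inspect every action of every task outside \Microsoft\.
$taskHits = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    RunAs   = $task.Principal.UserId
                    State   = $task.State
                    Command = $cmd.Trim()
                }
            }
        }
    }

# 2. Autorun registry values under HKLM and HKCU Run/RunOnce.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$regHits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... metadata properties the provider adds.
    $valueNames = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $valueNames) {
        $value = [string]$props.$name
        if (Test-SuspiciousCommand $value) {
            [pscustomobject]@{
                Source  = 'RegistryRun'
                Name    = "$key\$name"
                RunAs   = $null
                State   = $null
                Command = $value
            }
        }
    }
}

$hits = @($taskHits) + @($regHits)
$hits | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated session so that HKLM and tasks registered by other users are visible. A hit is a lead, not a verdict: legitimate software also registers script-based tasks, so follow each match by exporting the task XML (Export-ScheduledTask) and inspecting the referenced file and its creation time.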
The two main payloads (project.aspx and a.aspx) perform different functions. The first manages the registry keys, the scheduled task and the malicious activity itself; the second (internal name PluginHost.exe) is an executable that loads and manages the additional malware components.
The ManagedPlugin module has a variety of functions: it collects system information (local and domain data); it contains an Exchgrabber component that targets Microsoft Exchange by stealing credentials and domain certificates; it includes a geolocation check and screenshot capture; and it carries a network reconnaissance tool, Netrecon.
“The theft of confidential data gives attackers access to the internal domain user, that is, access to the organization’s internal mail services, as well as access to the organization’s domain certificate.
With systeminfo, attackers can determine which user is the domain administrator. This creates a dangerous combination of confidential data leakage and large-scale potential compromise for cyber espionage or data theft. This demonstrates that the primary targets of this malware are enterprises,” the experts conclude.