Valak Downloader/InfoStealer Delivers IcedID Banking

Share On Facebook
Share On Twitter
Share On Linkedin

Between 24 June and 1 July, security researcher Brad Duncan reported four malware campaigns that used the Valak malware loader to deliver the IcedID banking trojan. 1,2,3,4

Valak is a sophisticated modular malware that acts as both a malware loader and information stealer (infostealer). It was first observed in late 2019 and quickly evolved, with the creators producing over 30 new versions of the malware in the span of just six months.5 Valak’s modular nature allows the authors to rapidly develop and deploy new malicious code to infected systems in order to expand the malware’s capabilities.

The reports of these Valak campaigns did not specify how the malware was initially distributed, but based on recent reports about Valak’s behavior,6 it is likely that the reported campaigns used a technique known as a “reply chain attack” to deliver the malware via email.

Unlike malicious spam (malspam) techniques that use arbitrary email accounts to indiscriminately deliver malicious emails to a large number of targets, reply chain attacks use hijacked email accounts to send targeted replies to legitimate emails sent to the hijacked account. This makes the malicious emails much harder to detect because they appear to be legitimate responses to existing conversations sent by accounts the recipient already knows.

The Valak attack chain begins when the victim downloads a password-protected ZIP file from an email attachment or link7 and extracts it using a password contained in the body of the email. The extracted file is a malicious Microsoft Word document that instructs the victim to enable macros in order to view its contents.

When the victim does so, the macros within the document contact a PHP-based download proxy to retrieve the initial Valak dynamic-link library (DLL) payload. This behavior is similar to certain versions of Ursnif (a.k.a. Gozi) and some security solutions may incorrectly identify it as such. After downloading the Valak DLL payload, the macros use the Windows Register Server (regsrv32.exe) to register and execute it.

Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. http://malware-traffic-analysis.net/2020/06/24/index.html
  2. http://malware-traffic-analysis.net/2020/06/26/index.html
  3. http://malware-traffic-analysis.net/2020/06/30/index.html
  4. http://malware-traffic-analysis.net/2020/07/01/index.html
  5. https://www.cybereason.com/blog/valak-more-than-meets-the-eye
  6. https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/
  7. https://twitter.com/malware_traffic/status/1278481732413657088

 

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×