Between 24 June and 1 July, security researcher Brad Duncan reported four malware campaigns that used the Valak malware loader to deliver the IcedID banking trojan. 1,2,3,4
Valak is a sophisticated modular malware that acts as both a malware loader and information stealer (infostealer). It was first observed in late 2019 and quickly evolved, with the creators producing over 30 new versions of the malware in the span of just six months.5 Valak’s modular nature allows the authors to rapidly develop and deploy new malicious code to infected systems in order to expand the malware’s capabilities.
The reports of these Valak campaigns did not specify how the malware was initially distributed, but based on recent reports about Valak’s behavior,6 it is likely that the reported campaigns used a technique known as a “reply chain attack” to deliver the malware via email.
Unlike malicious spam (malspam) techniques that use arbitrary email accounts to indiscriminately deliver malicious emails to a large number of targets, reply chain attacks use hijacked email accounts to send targeted replies to legitimate emails sent to the hijacked account. This makes the malicious emails much harder to detect because they appear to be legitimate responses to existing conversations sent by accounts the recipient already knows.
The Valak attack chain begins when the victim downloads a password-protected ZIP file from an email attachment or link7 and extracts it using a password contained in the body of the email. The extracted file is a malicious Microsoft Word document that instructs the victim to enable macros in order to view its contents.
When the victim does so, the macros within the document contact a PHP-based download proxy to retrieve the initial Valak dynamic-link library (DLL) payload. This behavior is similar to certain versions of Ursnif (a.k.a. Gozi) and some security solutions may incorrectly identify it as such. After downloading the Valak DLL payload, the macros use the Windows Register Server (regsrv32.exe) to register and execute it.
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.