Author: Jeremy Ware
TLP: WHITE
During the week of 4 January, we observed a malspam campaign distributing the Valyria trojan. The emails in this campaign contain malicious Microsoft Office Word documents (DOCs) that display an error message when opened and execute a PowerShell script via Windows Management Instrumentation (WMI).
Threat actor(s) have distributed Valyria via weaponized email attachments, social media, fake Windows updates, third-party programs and pirated content from torrent sites.[1]
In this campaign, Valyria uses malicious DOC files to distribute additional malware payloads. In other recent campaigns the malware has distributed Emotet,[2] although it has also been reported to deliver Agent Tesla, Lokibot, and Kriptik, among others.[3]
The campaign we observed used a number of seemingly unrelated subject lines and sender data. These subject lines include R:, Re: Francisco Sanchez, Hola, SALES ORDER CONFIRMATION, etc. The sender information also varied, with displayed addresses such as Comercial@binarysoul[.]net, jgarratt@spectrumfloor[.]com, info@studiogabaldo[.]it, <Empty>, etc. However, every email in the campaign carried a single attachment named KISL06788466.doc, and the body of the message was always empty.
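Because the subject lines and senders varied while the attachment name and the empty body stayed constant, a mail-gateway or SIEM rule for this campaign should key on the stable indicators rather than the volatile ones. The following script is an added example, not part of the original report or Infoblox tooling: it triages constructed mail metadata records (the sender and subject values are taken from the observations above, the record layout and helper names are assumptions) and flags only messages that carry exactly one attachment named KISL06788466.doc together with an empty body.

```python
"""Flag mail records matching the Valyria malspam pattern described above.

Stable indicators from the observed campaign: a single attachment named
KISL06788466.doc and an empty message body. Subject and sender varied, so
they are not used for matching. All records below are constructed samples.
"""
from dataclasses import dataclass

# Observed campaign attachment name; compared case-insensitively.
CAMPAIGN_ATTACHMENT = "kisl06788466.doc"


@dataclass
class MailRecord:
    """Minimal mail metadata as a gateway log might export it (assumed layout)."""
    sender: str          # display/envelope address; "" when the header was empty
    subject: str
    attachments: list    # attachment filenames
    body: str            # text body


def matches_valyria_pattern(rec: MailRecord) -> bool:
    """True when the message has exactly one attachment with the campaign
    filename and a body that is empty or whitespace only."""
    if len(rec.attachments) != 1:
        return False
    if rec.attachments[0].lower() != CAMPAIGN_ATTACHMENT:
        return False
    return rec.body.strip() == ""


def triage(records):
    """Split records into (flagged, clean); flagged ones keep sender/subject
    so an incident ticket can record the varying lure details."""
    flagged, clean = [], []
    for rec in records:
        (flagged if matches_valyria_pattern(rec) else clean).append(rec)
    return flagged, clean


# Constructed sample records (not captured mail). Senders are defanged as in the report.
SAMPLE_RECORDS = [
    MailRecord("Comercial@binarysoul[.]net", "R:", ["KISL06788466.doc"], ""),
    MailRecord("jgarratt@spectrumfloor[.]com", "Re: Francisco Sanchez",
               ["KISL06788466.doc"], "   \n"),
    MailRecord("", "Hola", ["kisl06788466.DOC"], ""),
    # Benign: a campaign-style subject but a real body and a different attachment.
    MailRecord("info@studiogabaldo[.]it", "SALES ORDER CONFIRMATION",
               ["order-4471.pdf"], "Please find the confirmation attached."),
    # Not matched: campaign filename present, but a body and a second attachment.
    MailRecord("colleague@example.invalid", "Re: doc",
               ["KISL06788466.doc", "notes.txt"], "see attached"),
]

if __name__ == "__main__":
    flagged, clean = triage(SAMPLE_RECORDS)
    for rec in flagged:
        print(f"FLAG sender={rec.sender or '<Empty>'!r} subject={rec.subject!r}")
    print(f"{len(flagged)} flagged, {len(clean)} clean")
```

The rule deliberately treats a whitespace-only body as empty and compares the filename case-insensitively, so trivial variations in how a gateway normalises these fields do not cause misses; anything else about the message is left to the analyst.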
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://lmntrix.com/lab/valyrian-trojan-a-cut-above-the-rest/
2. https://blog.talosintelligence.com/2020/02/threat-roundup-0221-0228.html
3. https://lmntrix.com/lab/valyrian-trojan-a-cut-above-the-rest/