S0476 Valak
Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[2][1]
Item | Value |
---|---|
ID | S0476 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 19 June 2020 |
Last Modified | 24 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Valak has the ability to enumerate local admin accounts.[2] |
enterprise | T1087.002 | Domain Account | Valak has the ability to enumerate domain admin accounts.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Valak has used HTTP in communications with C2.[2][1] |
enterprise | T1119 | Automated Collection | Valak can download a module to search for and build a report of harvested credential data.[3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Valak has used PowerShell to download additional modules.[2] |
enterprise | T1059.007 | JavaScript | Valak can execute JavaScript containing configuration data for establishing persistence.[2] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.004 | Windows Credential Manager | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Valak has returned C2 data as encoded ASCII.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Valak has the ability to decode and decrypt downloaded files.[2][1] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.002 | Remote Email Collection | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | Valak has the ability to exfiltrate data over the C2 channel.[2][1][3] |
enterprise | T1008 | Fallback Channels | Valak can communicate over multiple C2 hosts.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.004 | NTFS File Attributes | Valak has the ability to save and execute files as alternate data streams (ADS).[2][1][3] |
enterprise | T1105 | Ingress Tool Transfer | Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[1][2] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.002 | Dynamic Data Exchange | Valak can execute tasks via OLE.[3] |
enterprise | T1112 | Modify Registry | Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.[2][1][3] |
enterprise | T1104 | Multi-Stage Channels | Valak can download additional modules and malware capable of using separate C2 channels.[1] |
enterprise | T1027 | Obfuscated Files or Information | Valak has the ability to base64 encode and XOR encrypt strings.[2][1][3] |
enterprise | T1027.002 | Software Packing | Valak has used packed DLL payloads.[3] |
enterprise | T1027.011 | Fileless Storage | Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64.[2][1][3] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Valak has been delivered via spearphishing e-mails with password protected ZIP files.[1] |
enterprise | T1566.002 | Spearphishing Link | Valak has been delivered via malicious links in e-mail.[3] |
enterprise | T1057 | Process Discovery | Valak has the ability to enumerate running processes on a compromised host.[2] |
enterprise | T1012 | Query Registry | Valak can use the Registry for code updates and to collect credentials.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.[2][1][3] |
enterprise | T1113 | Screen Capture | Valak has the ability to take screenshots on a compromised host.[2] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Valak can determine if a compromised host has security products installed.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | Valak has used regsvr32.exe to launch malicious DLLs.[2][1] |
enterprise | T1082 | System Information Discovery | Valak can determine the Windows version and computer name on a compromised host.[2][3] |
enterprise | T1016 | System Network Configuration Discovery | Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[2] |
enterprise | T1033 | System Owner/User Discovery | Valak can gather information regarding the user.[2] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.002 | Credentials in Registry | Valak can use the clientgrabber module to steal e-mail credentials from the Registry.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Valak has been executed via Microsoft Word documents containing malicious macros.[2][1][3] |
enterprise | T1047 | Windows Management Instrumentation | Valak can use wmic process call create in a scheduled task to launch plugins and for execution.[3] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0127 | TA551 | [2][1][4][5] |
References
- [1] Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- [2] Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- [3] Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- [4] Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- [5] Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.