Valak

Valak is a multi-stage modular malware that can function as a standalone payload or as a downloader for other malware; it was first observed in 2019 targeting enterprises in the US and Germany.[1]

ID: S0476
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 19 June 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Valak has the ability to enumerate domain admin accounts.[1]

Enterprise T1087 .001 Account Discovery: Local Account

Valak has the ability to enumerate local admin accounts.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Valak has used HTTP in communications with C2.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Valak has used PowerShell to download additional modules.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Valak has the ability to decode and decrypt downloaded files.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Valak can collect sensitive mailing information from Microsoft Exchange servers, including credentials and the enterprise's domain certificate.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Valak has the ability to exfiltrate data over the C2 channel.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Valak has the ability to save and execute files as alternate data streams (ADS).[1]

Enterprise T1105 Ingress Tool Transfer

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and Ursnif.[1]

Enterprise T1112 Modify Registry

Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.[1]

Enterprise T1027 Obfuscated Files or Information

Valak has the ability to base64 encode and XOR encrypt strings.[1]
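The T1027 row above (and the T1140 row on decoding and decrypting downloaded files) describes the string protection only as base64 encoding plus XOR encryption. The following Python is an added example, not Valak's code and not from the page's source: it assumes the layering is XOR with a short repeating key followed by base64, shows how to undo it when the key is known, and shows the known-plaintext (crib) attack an analyst uses when it is not, using a crib such as "http" that malware C2 strings usually contain. The key, the C2 URL and the sample blob are constructed for illustration.

```python
"""Decode strings obfuscated with base64 + XOR.

Added example for the T1027 / T1140 rows; it is not Valak's code and not
from the page's source. The page says only that strings are base64-encoded
and XOR-encrypted, so the layering assumed here (XOR with a repeating key,
then base64), the key and the sample strings are constructed for illustration.
"""
import base64
import string
from typing import Optional, Tuple

PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Reference encoder (assumed layering) so decoding can be checked end to end."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Undo the assumed layering when the key is known."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to reject wrong keys."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_key(blob: str, crib: bytes, max_key_len: int = 16) -> Optional[Tuple[bytes, str]]:
    """Known-plaintext attack on the XOR layer when the key is unknown.

    For every key length the crib is long enough to cover, and every offset
    at which the crib could sit in the plaintext, derive the key bytes the
    crib implies, drop candidates that contradict themselves, and accept the
    first one whose full decryption is mostly printable.
    Returns (key, plaintext) or None.
    """
    raw = base64.b64decode(blob)
    for key_len in range(1, min(max_key_len, len(crib)) + 1):
        for offset in range(len(raw) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for j, c in enumerate(crib):
                slot = (offset + j) % key_len
                kb = raw[offset + j] ^ c
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    consistent = False
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            plain = xor_bytes(raw, candidate)
            if printable_score(plain) >= 0.9:
                return candidate, plain.decode("utf-8", errors="replace")
    return None


# Constructed sample: a made-up C2 URL obfuscated with a made-up 3-byte key.
SAMPLE_KEY = b"\x5a\x13\x77"
SAMPLE_URL = "http://c2.example.invalid/api/v2/tasks"
SAMPLE_BLOB = obfuscate(SAMPLE_URL, SAMPLE_KEY)

if __name__ == "__main__":
    print("blob:     ", SAMPLE_BLOB)
    print("known key:", deobfuscate(SAMPLE_BLOB, SAMPLE_KEY))
    print("recovered:", recover_key(SAMPLE_BLOB, b"http"))
```

Use the longest crib available (for example "http://" or "C:\\"): when the key is as long as the crib, the consistency check cannot reject anything and only the printable-ASCII filter is left, so short cribs produce false candidates on short strings. The same XOR routine applies to the downloaded modules the T1140 row refers to, if they use the same scheme, which the page does not state.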

Enterprise T1057 Process Discovery

Valak has the ability to enumerate running processes on a compromised host.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.[1]

Enterprise T1113 Screen Capture

Valak has the ability to take screenshots on a compromised host.[1]

Enterprise T1218 .010 Signed Binary Proxy Execution: Regsvr32

Valak has used regsvr32.exe to launch malicious DLLs.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Valak can determine if a compromised host has security products installed.[1]

Enterprise T1082 System Information Discovery

Valak can determine the Windows version on a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

Valak has the ability to identify the MAC and IP addresses of an infected machine.[1]

Enterprise T1033 System Owner/User Discovery

Valak can gather information regarding the user.[1]

Enterprise T1204 .002 User Execution: Malicious File

Valak has been executed via Microsoft Word documents containing malicious macros.[1]
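The rows above describe an execution chain that leaves recognisable traces in endpoint telemetry: a Word document spawning a script host (T1204.002, T1059.001), regsvr32.exe launching a DLL (T1218.010), a scheduled task for persistence (T1053.005), a payload stored in an alternate data stream (T1564.004), and writes under HKCU\Software\ApplicationContainer\Appsw64 (T1112). The following Python is an added example, not code from Valak, its analysts, or the page's source: a set of hunting rules run over constructed Sysmon-style process-creation and registry events. Every path, SID, value name and command line in the sample events is made up; only the registry key name comes from the page.

```python
"""Hunting rules for the execution chain described in the rows above.

Added example, not code from Valak, its analysts, or the page's source.
The events are constructed to resemble Sysmon Event ID 1 (process creation)
and Event ID 13 (registry value set) records in simplified form; every path,
SID, value name and command line is made up for illustration. Only the key
HKCU\\Software\\ApplicationContainer\\Appsw64 comes from the page.
"""
import re

# Constructed sample telemetry (not captured from a real infection).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /create /tn "Update\Check" /sc minute /mo 30 '
                    r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\cfg.txt:run"'},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\wscript.exe",
     # Sysmon records HKCU under HKU\<SID>; this SID and value name are made up.
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\ApplicationContainer\Appsw64\ServerUrl"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\upd.dll"'},
    {"EventID": 1,  # benign-looking control: vendor DLL under Program Files
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                "mshta.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata)\\", re.IGNORECASE)
# A path component with a colon inside it, e.g. \cfg.txt:run (ADS syntax).
# The drive-letter colon is never preceded by a backslash, so it does not match.
ADS_PATH = re.compile(r'\\[^\\:"\s]+:[^\\:"\s]+')
VALAK_KEY = re.compile(r"\\Software\\ApplicationContainer\\Appsw64(\\|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (technique, reason) pairs for one event; empty list if nothing fires."""
    hits = []
    if event.get("EventID") == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append(("T1204.002", f"{parent} spawned {image}"))
        if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
            hits.append(("T1218.010", "regsvr32 registering a DLL from a user-writable path"))
        if image == "schtasks.exe" and "/create" in cmd.lower():
            hits.append(("T1053.005", "scheduled task created from the command line"))
        if ADS_PATH.search(cmd):
            hits.append(("T1564.004", "alternate data stream referenced in command line"))
    elif event.get("EventID") == 13:
        if VALAK_KEY.search(event.get("TargetObject", "")):
            hits.append(("T1112", "write under Software\\ApplicationContainer\\Appsw64"))
    return hits


def hunt(events):
    """Run every rule over a list of events; yields (event index, technique, reason)."""
    return [(i, tid, why) for i, ev in enumerate(events) for tid, why in evaluate(ev)]


if __name__ == "__main__":
    for idx, tid, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} - {why}")
```

The Office-to-script-host and regsvr32-from-user-writable-path rules are heuristics and will fire on some legitimate activity; the registry rule is the only one specific to this malware, so in practice it is the one to alert on and the others are context for triage. Scheduled tasks created through the API rather than schtasks.exe are not seen by the process-creation rule and need the task-scheduler operational log instead.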

References