Hackers often plant their malicious software on computers in stages. One piece of code can be a foothold onto a network, another delivers the malware, and yet another executes it to steal or manipulate data.
But looks can be deceiving. The same code used as a staging tool in one attack might be the tip of the spear in another. For targeted organizations, spotting the difference can mean saving your data.
That’s the case with a malicious program that has been used in hacking attempts against multiple economic sectors in the U.S. and Germany in the last six months, according to research published Thursday by security company Cybereason.
About 150 organizations in the financial, retail, manufacturing, and health care sectors have been targeted by the Valak malware since it emerged late last year, the researchers said. More than just a “loader” that delivers malicious code, Valak can also be used to siphon off data from enterprise networks, they concluded. In more than two-thirds of the attacks, Valak was still being delivered with other pieces of malware.
“It means that every infection should be properly investigated, carefully looking for indicators of other malware on the infected machines,” said Assaf Dahan, Cybereason’s head of threat research.
Independent analysts have also noticed the Valak campaigns in Germany and the U.S., reporting that the code has been used to deploy financial-data-stealing malware.
It’s unclear how successful Valak’s operators have been in stealing data. The hackers managed to phish their way into numerous organizations, but Dahan claimed his company has been blocking the data-stealing stage of the attack for customers.
Valak is undergoing the fastidious maintenance that marks new entrants onto the cybercriminal scene. Whoever is behind the code — Cybereason researchers don’t have a clear idea — has tweaked it some 30 times in the last six months. A recent version is designed to target Microsoft Exchange servers. That level of network access could lead to more disruptive attacks involving ransomware, according to Dahan.
The hackers have also abandoned the open-source PowerShell program to download their code on victim machines in favor of a subtler application — a sign they’re looking for “ways to improve their evasion techniques,” Cybereason researchers wrote in a blog post.
Vitali Kremez, a cybersecurity analyst who also has tracked the Valak malware, said the Russian speakers who operate it use a complex spamming campaign — “replying all” in email threads from compromised accounts — to distribute their malware.
“It allows them to reach more victims based on the e-mail-thread trust relationship, thereby increasing the risk of successful Valak installs,” said Kremez, a strategic adviser to cybersecurity company SentinelOne.
In their hunt for Valak’s developers, researchers will be on the lookout for any signs of collaboration with other criminal groups.
“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware,” the Cybereason analysts wrote.