
Valak Trojan

First observed in late 2019, Valak is a sophisticated modular trojan used in targeted attacks against financial and government organisations throughout Western Europe and North America. Initially used solely as a loader in IcedID and Ursnif campaigns, it appears to have undergone significant changes to improve its functionality.


Affected platforms

The following platforms are known to be affected:

Threat details

Valak is delivered via DOC and DOCX documents containing malicious macros which, when opened, download and execute a DLL file. This DLL in turn drops a JavaScript file containing Valak proper, along with a number of deployment parameters. At the time of publication, it is unclear how the documents are themselves distributed, although it is likely they are delivered in spear-phishing campaigns.

Once installed, Valak will connect to a command and control (C2) server and write two modules to the registry, before creating a scheduled task to ensure persistence. It then executes a secondary JavaScript file which is used to install the modules stored in the registry or any payloads downloaded from the C2 server. The modules themselves are used to collect system and user information, and extract sensitive credentials (Microsoft Exchange administration accounts, domain certificates, etc).
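The two paragraphs above describe a chain of observable behaviours rather than fixed file names: an Office document process that loads a DLL, a script host that runs a JavaScript file, and a scheduled task whose action launches a further script. The following Python is an added detection example for a SOC triage pipeline; it is not code from the advisory or from NHS Digital. The event layout (a list of dictionaries shaped like process-creation telemetry), the sample records and host names are constructed for illustration, and the assumption that the DLL is hosted by rundll32.exe or regsvr32.exe is the author's, not something the advisory states.

```python
"""Behaviour-based triage for the Valak infection chain described above.

Added example. Event format, sample records and host names are constructed;
the list of DLL loader binaries is an assumption, not taken from the advisory.
Only behaviours are matched (no hashes, paths or task names), so the rules
survive the malware changing its file names.
"""
import re
from typing import Dict, List, Set

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}   # assumption: common DLL hosts
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a stage of the chain."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("parent_image", ""))
        image = _basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")

        def alert(rule: str, detail: str) -> None:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rule": rule, "detail": detail})

        # Stage 1: macro-enabled document executing a DLL via a loader binary.
        if parent in OFFICE_APPS and image in DLL_LOADERS:
            alert("office-to-dll-loader", f"{parent} -> {image}")
        # Stage 2: a script host executing a .js file (Valak proper).
        if image in SCRIPT_HOSTS and JS_FILE.search(cmd):
            alert("script-host-runs-js", cmd)
        # Stage 3: scheduled task created whose action runs a .js file.
        if image == "schtasks.exe" and "/create" in cmd.lower() and JS_FILE.search(cmd):
            alert("scheduled-task-js-persistence", cmd)
    return alerts


def escalate(alerts: List[Dict[str, str]]) -> Set[str]:
    """Hosts on which at least two distinct stages fired: treat as a probable
    infection rather than an isolated anomaly."""
    rules_by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h for h, rules in rules_by_host.items() if len(rules) >= 2}


# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign.
SAMPLE_EVENTS = [
    {"ts": "2021-06-29T09:00:01", "host": "ws01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n invoice.docx'},
    {"ts": "2021-06-29T09:00:02", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\tmp1.dll,Run"},
    {"ts": "2021-06-29T09:00:03", "host": "ws01",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\alice\AppData\Local\Temp\a.js"},
    {"ts": "2021-06-29T09:00:04", "host": "ws01",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /SC MINUTE /TN Updater /TR "wscript.exe C:\Users\alice\AppData\Local\Temp\b.js"'},
    {"ts": "2021-06-29T09:05:00", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n notes.docx'},
    {"ts": "2021-06-29T09:05:01", "host": "ws02",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["ts"], a["rule"], a["detail"])
    print("escalate:", sorted(escalate(found)))
```

Each rule on its own will produce false positives in an estate that legitimately runs logon or maintenance scripts through wscript.exe, which is why `escalate` only raises a host once two different stages have been seen on it; in production the per-host correlation window would be bounded in time rather than spanning the whole batch.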


Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

Last edited: 29 June 2021 12:01 pm