This New Malware Is Hitting Exchange Servers To Steal Info

June 16, 2020

Written by wukovits

In late 2019, a new strain of malware called “Valak” was detected. In the six months that followed its initial discovery in the wild, more than 30 variants of the code were detected.

Initially, Valak was classified as a simple loading program.

As various groups have tinkered with the code, it has morphed into a much more significant threat, and is now capable of stealing a wide range of user information. That is, in addition to retaining its original capabilities as a loader.

Researchers from Cybereason have cataloged the recent changes to the code. They found it to be capable of taking screenshots, installing other malicious payloads, and infiltrating Microsoft Exchange servers, which seems to be what it excels at.

Most Valak campaigns begin with an email blast that delivers a Microsoft Word document to unwitting recipients. These documents contain malicious macro codes, which is an old, time-tested strategy.

If anyone clicks on the document and enables macros, that action will trigger the installation of the malware. Chief among the executables run is a file called “PluginHost.exe,” which in turn, runs a number of files, depending on how the Valak software is configured. There are several possibilities here including: Systeminfo, IPGeo, Procinfo, Netrecon, Screencap, and Exchgrabber.

It is this last one that is used on Microsoft Exchange servers and is capable of infiltrating a company’s email system and stealing credentials.

It is the extreme modularity of the malware’s design that makes it a significant threat worth paying close attention to. Cybereason found more than 50 different command and control servers in the wild, each running a different strain of the software, and each with wildly different capabilities. However, they all share a common infrastructure and architecture.

Stay on the alert for this one. We’ll almost certainly be hearing more about it in the weeks and months ahead.

Used with permission from Article Aggregator

Bayou Tech

We provide solutions for your business. Find out how we can help.

Related Articles

Major Cyber Attack at OMV

Louisiana’s Office of Motor Vehicles (OMV) is one of a still undetermined number of government entities, major businesses, and organizations to be affected by an unprecedented Data Breach.There is no indication at this time that cyber attackers who breached MOVEit...

New Graphene Technology May Increase Hard Drive Storage

HDDs are old, well understood technology. They haven't changed much in recent years. In fact, increasingly, people are writing them off, preferring SSDs for their greater speed and smaller size, even though HDDs are less expensive. The clever folks at the University...

Some Amazon Device Features May Have Security Risks

Have you heard of Amazon Sidewalk? If not, it's definitely something you should be aware of. Depending on your point of view, the new feature, which was enabled by default on a wide range of Amazon devices by default on June 8 of this year (2021) is either...

Send us a message

Your message was sent.