Skip to main content

This New Malware Is Hitting Exchange Servers To Steal Info

By June 16, 2020May 5th, 2022Cybersecurity

In late 2019, a new strain of malware called “Valak” was detected. In the six months that followed its initial discovery in the wild, more than 30 variants of the code were detected.

Initially, Valak was classified as a simple loading program.

As various groups have tinkered with the code, it has morphed into a much more significant threat, and is now capable of stealing a wide range of user information. That is, in addition to retaining its original capabilities as a loader.

Researchers from Cybereason have cataloged the recent changes to the code. They found it to be capable of taking screenshots, installing other malicious payloads, and infiltrating Microsoft Exchange servers, which seems to be what it excels at.

Most Valak campaigns begin with an email blast that delivers a Microsoft Word document to unwitting recipients. These documents contain malicious macro codes, which is an old, time-tested strategy.

If anyone clicks on the document and enables macros, that action will trigger the installation of the malware. Chief among the executables run is a file called “PluginHost.exe,” which in turn, runs a number of files, depending on how the Valak software is configured. There are several possibilities here including: Systeminfo, IPGeo, Procinfo, Netrecon, Screencap, and Exchgrabber.

It is this last one that is used on Microsoft Exchange servers and is capable of infiltrating a company’s email system and stealing credentials.

It is the extreme modularity of the malware’s design that makes it a significant threat worth paying close attention to. Cybereason found more than 50 different command and control servers in the wild, each running a different strain of the software, and each with wildly different capabilities. However, they all share a common infrastructure and architecture.

Stay on the alert for this one. We’ll almost certainly be hearing more about it in the weeks and months ahead.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.