Back to Newsroom

Cybereason Discovers Valak Malware, an Evasive and Sophisticated Threat to Enterprises in the United States and Germany

May 28, 2020

Cybereason, creators of the award-winning Cyber Defense Platform,today unveiled new research from its Nocturnus Research team. Titled Valak: More than Meets the Eye, the report is an investigation into an info stealing, data siphoning malware hitting hundreds of enterprises in the United States and Germany. 

The sophisticated malware, discovered in late 2019, collects and steals sensitive information from the Microsoft Exchange mail system, including credentials and the domain certificate and uses evasive techniques to avoid detection and has evolved from being a malware loader into an information stealer. 

To date, more than 30 versions of the malware have been found, revealing tremendous improvements in a very short period of time. Valak contains a fileless stage in which it uses the registry to store different components, it collects user, machine, and network information from infected hosts, can check the geo-location of the victim’s machine and take screenshots of infected machines. 

“Over the course of six months, Valak’s developers made tremendous progress and released more than 30 versions of the malware. Each time, they extended the malware’s capabilities and added evasive techniques to improve its stealthlike capabilities. Valak has at least six plugin components that enable attackers to obtain sensitive information from its victims. The threat actor behind Valak is collaborating with other criminals across the E-Crime ecosystem to create an even more dangerous piece of malware,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason. 

Other Key Findings:

Targeting Enterprises: More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust. 

With a Rich Modular Architecture: Valak’s basic capabilities are extended with a number of plugin components for reconnaissance and information stealing. 

Using Fast Development Cycles: Valak has evolved from a loader to a sophisticated, multi-stage modular malware that collects plugins from its C2 server to expand its capabilities. The Cybereason Nocturnus team has observed over 30 different versions in about six months.

Designed for Stealth: Valak uses advanced evasive techniques like ADS and hiding components in the registry. In addition, over time the developers of Valak chose to abandon using PowerShell, which can be detected and prevented by modern security products. 

About Cybereason

Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint prevention, detection and response and active monitoring. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is a privately held, international company, headquartered in Boston, MA with customers in more than 30 countries. 

Media Contacts: 

Bill Keeler

Senior Director, Global Public Relations


(929) 259-3261