Severity
High
Analysis Summary
Valak is a multi-stage, script-based malware package that researchers have observed reusing infrastructure associated with Gozi (also known as Ursnif). Once installed, Valak harvests existing email threads from the victim's mailbox, inserts a malicious attachment or link into them, and sends them on to the other participants in what is known as a "reply chain attack". The premise is that users trained to spot phishing emails tend to lower their guard when a message appears to continue a conversation they were already part of. It also spares the attackers the effort of creating sender accounts that look legitimate, since the lure goes out from a real, already-compromised mailbox. The confusion with Gozi stems from a recent Valak campaign in which the final payload-delivery steps closely resembled a Gozi infection and used the same storage server that earlier Gozi attacks had used.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA1
- 435ec42fefc05eba0a8005256c815979877d430a
- 693e681e7be554e50e4ff9bf7cbfe5aeab3fe91f
- e22b404e1fec743f0795cdea8a95337660878860
- dba1337a0a8293b721642b8b45a86352bcdfd04f
- 4d33425d7031284cf5ee323dc616d9f84987dc0d
- 17b74a4c3f43c21504b355b1ffc333280ef4cd74
- 7f58d22d9e95f65170acadd05e324ec2d8ef13f6
- 9be234bf2268f4e055ea59cf7bef76781a36c35c
- 19f481063ca956688824e3cc022b8eedb6dd0bea
- 4ae3ed6c1ab2fe41daf6f650a54dae63684d2064
- 30fd553dedfadc81522adf37e11dfc4039d4ea31
Remediation
- Block all threat indicators at your respective controls (endpoint protection hash blocklists, mail gateway, and web proxy).
- Treat unexpected replies in existing email threads with the same suspicion as mail from unknown senders: Valak sends its lures from compromised mailboxes, so a familiar sender and a "RE:" subject line are not proof of legitimacy.
- Never open links or attachments in unsolicited mail, even when the thread looks familiar.
- Search for the IOCs listed above in your environment.
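The following is an added example, not code from the original advisory or from Rewterz, showing how a practitioner would turn the SHA1 list above into a local file sweep: the IOC block is parsed as pasted (bullets, whitespace and case normalised), every regular file under a directory tree is hashed in streaming fashion, and matches are reported. The temporary directory, file names, and the extra "a9993e…" hash (the SHA1 of the bytes `abc`, added as a stand-in for a sample) are constructed for the demo and are not indicators from the advisory.

```python
import hashlib
import os
import re
import tempfile

# SHA1 indicators copied verbatim from the advisory's IOC list above.
ADVISORY_SHA1_TEXT = """
- 435ec42fefc05eba0a8005256c815979877d430a
- 693e681e7be554e50e4ff9bf7cbfe5aeab3fe91f
- e22b404e1fec743f0795cdea8a95337660878860
- dba1337a0a8293b721642b8b45a86352bcdfd04f
- 4d33425d7031284cf5ee323dc616d9f84987dc0d
- 17b74a4c3f43c21504b355b1ffc333280ef4cd74
- 7f58d22d9e95f65170acadd05e324ec2d8ef13f6
- 9be234bf2268f4e055ea59cf7bef76781a36c35c
- 19f481063ca956688824e3cc022b8eedb6dd0bea
- 4ae3ed6c1ab2fe41daf6f650a54dae63684d2064
- 30fd553dedfadc81522adf37e11dfc4039d4ea31
"""

SHA1_RE = re.compile(r"[0-9a-f]{40}")


def parse_sha1_list(text):
    """Extract 40-hex-character SHA1 values from an advisory-style list,
    ignoring bullets, surrounding whitespace and letter case, so a pasted
    IOC block can be used directly without hand-editing."""
    iocs = set()
    for line in text.splitlines():
        token = line.strip().lstrip("-").strip().lower()
        if SHA1_RE.fullmatch(token):
            iocs.add(token)
    return iocs


VALAK_SHA1 = parse_sha1_list(ADVISORY_SHA1_TEXT)


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Hash every regular file under root; return (path, sha1) for each match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the sweep
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed scenario (not from the advisory): a temporary tree with one
    benign file and one file whose SHA1 (that of b"abc") is added to the IOC
    set as a hypothetical sample, so the sweep has something to find."""
    hypothetical_sample_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
    iocs = VALAK_SHA1 | {hypothetical_sample_sha1}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Temp"))
        with open(os.path.join(root, "Temp", "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        with open(os.path.join(root, "Temp", "invoice.js"), "wb") as fh:
            fh.write(b"abc")
        hits = scan_tree(root, iocs)
    # Return basenames so the result does not depend on the temp directory path.
    return [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    print(demo())
```

In production you would point `scan_tree` at user-writable locations such as temp and download directories rather than the whole disk, and feed the same hash set to your EDR or AV blocklist; hashing is exact-match only, so a recompiled or repacked Valak stage will not be caught by this sweep.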