
Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transport Networks

By Nick Biasini, Edmund Brumaghin and Mariano Graziano.

Threat summary

  • Attackers are actively distributing the Valak malware family around the world, with enterprises in particular being targeted.
  • These campaigns reuse existing email threads from compromised accounts to greatly increase their success rate.
  • The additional use of password-protected ZIP attachments creates a blind spot for security controls that cannot open the archive.
  • The overwhelming majority of campaigns occurred within the last couple of months and targeted organizations in the financial, manufacturing, healthcare and insurance verticals.

Executive summary

Valak is a modular information-stealer that attackers have deployed against various countries since early-to-mid 2019. While Valak has a robust feature set of its own, it is often observed alongside secondary malware payloads, including Gozi/Ursnif and IcedID. The malware is typically delivered via malicious spam email campaigns that use password-protected ZIP archives to evade detection by email security solutions that inspect the contents of messages entering corporate networks. While previous research focused on campaigns targeting the United States and Germany, Cisco Talos has observed ongoing campaigns targeting other geographic regions, including countries in North America, South America, Europe and likely others. The email campaigns distributing the downloaders associated with Valak also appear to leverage existing email threads to lend credibility to the messages and increase the likelihood that victims will open the attached documents and initiate the Valak infection process.
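The blind spot described above is worth seeing concretely. The following is an added example written for this page, not Talos's code or anything from the campaign: it shows what a mail gateway can still learn from a password-protected ZIP without the password (the per-entry encryption flag and the file names), and then what an analyst can do once a password candidate is recovered. Because Python's zipfile module reads but never writes encrypted archives, the script constructs its own sample using traditional PKWARE ZipCrypto; that scheme, the lure text, the password, the file name and the idea that the lure supplies the password in the message body are all constructed assumptions for the demonstration, not facts from the article.

```python
"""Gateway-style triage of a password-protected ZIP attachment.
Added example for this page, not Talos's code. The encryption scheme
(ZipCrypto), lure text, password and file names are constructed."""
import io
import re
import struct
import zipfile
import zlib

ENCRYPTED = 0x0001  # general-purpose flag bit 0; set by ZipCrypto and WinZip AES
DOCUMENT_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs")

def _crc_step(key: int, byte: int) -> int:
    # Raw CRC-32 table round: cancelling zlib's pre/post inversion yields
    # exactly the update the PKWARE key schedule specifies.
    return (~zlib.crc32(bytes([byte]), key ^ 0xFFFFFFFF)) & 0xFFFFFFFF

def zipcrypto_encrypt(password: bytes, plaintext: bytes, crc: int) -> bytes:
    """ZipCrypto stream cipher: 12-byte check header followed by the data."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c: int) -> None:
        keys[0] = _crc_step(keys[0], c)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)
    def keystream_byte() -> int:
        k = (keys[2] | 2) & 0xFFFF
        return ((k * (k ^ 1)) >> 8) & 0xFF
    for p in password:
        update(p)
    # Header: 11 filler bytes (zeros here, random in real tools) plus the top
    # CRC byte, which decrypters use to reject a wrong password early.
    out = bytearray()
    for c in bytes(11) + bytes([crc >> 24]) + plaintext:
        out.append(c ^ keystream_byte())
        update(c)
    return bytes(out)

def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """One STORED, ZipCrypto-encrypted entry with a minimal central directory."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    body = zipcrypto_encrypt(password, payload, crc)
    fname = name.encode()
    dos_time, dos_date = 0, ((2020 - 1980) << 9) | (5 << 5) | 28  # 2020-05-28
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, ENCRYPTED, 0,
                        dos_time, dos_date, crc, len(body), len(payload),
                        len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20,
                          ENCRYPTED, 0, dos_time, dos_date, crc, len(body),
                          len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def inspect_attachment(data: bytes) -> dict:
    """What a scanner learns without the password: names and encryption flags."""
    if not data.startswith(b"PK\x03\x04"):
        return {"is_zip": False, "entries": [], "encrypted": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED]
    # An encrypted archive wrapping a document or script is the delivery pattern.
    suspicious = any(n.lower().endswith(DOCUMENT_EXTENSIONS) for n in encrypted)
    return {"is_zip": True, "entries": [i.filename for i in infos],
            "encrypted": encrypted, "suspicious": suspicious}

PASSWORD_HINT = re.compile(r"\b(?:password|pass|pwd)\b\s*(?:is|:)?\s*([^\s.,;]+)", re.I)

def password_candidates(body: str) -> list:
    """Harvest likely archive passwords from the lure text of the email."""
    return [m.group(1) for m in PASSWORD_HINT.finditer(body)]

def extract_with_candidates(data: bytes, candidates) -> dict:
    """Try each candidate; return {name: content} on success, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pwd in candidates:
            try:
                return {i.filename: zf.read(i, pwd=pwd.encode()) for i in zf.infolist()}
            except (RuntimeError, zipfile.BadZipFile):  # wrong password
                continue
    return None

def triage(attachment: bytes, body: str) -> dict:
    """Flag-level inspection first, then extraction with harvested passwords."""
    report = inspect_attachment(attachment)
    report["contents"] = None
    if report["encrypted"]:
        report["contents"] = extract_with_candidates(attachment, password_candidates(body))
        report["verdict"] = "quarantine" if report["contents"] is None else "scan_extracted"
    else:
        report["verdict"] = "scan"
    return report

# Constructed sample lure and attachment (not from a real campaign).
SAMPLE_BODY = "Hi, attached is the invoice from our last thread. The archive password is Inv2020 as before."
SAMPLE_PAYLOAD = b"invoice document with AutoOpen macro (stand-in content)"
SAMPLE_ZIP = build_encrypted_zip("invoice_4471.doc", SAMPLE_PAYLOAD, b"Inv2020")
```

Running `triage(SAMPLE_ZIP, SAMPLE_BODY)` returns a report with `encrypted == ["invoice_4471.doc"]`, `suspicious == True` and the decrypted document under `contents`, so the verdict is `scan_extracted`; with a body that carries no password hint the same attachment is quarantined rather than passed through, which is the decision a gateway should make instead of waving an unreadable archive into the network. The flag check also fires for WinZip AES entries (they set the same bit with compression method 99), but the extraction step only handles ZipCrypto, since that is all zipfile can decrypt.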
