| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Valak can use |
| Enterprise | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[3] |
| Enterprise | T1112 | Modify Registry | Valak has the ability to modify the Registry key |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Valak has the ability to decode and decrypt downloaded files.[1][2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Valak has used PowerShell to download additional modules.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Valak can execute JavaScript containing configuration data for establishing persistence.[1] |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1104 | Multi-Stage Channels | Valak can download additional modules and malware capable of using separate C2 channels.[2] |
| Enterprise | T1113 | Screen Capture | Valak has the ability to take screenshots on a compromised host.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | Valak can use the clientgrabber module to steal e-mail credentials from the Registry.[3] |
| Enterprise | T1012 | Query Registry | Valak can use the Registry for code updates and to collect credentials.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | Valak has the ability to base64 encode and XOR encrypt strings.[1][2][3] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Valak has the ability to store information regarding the C2 server and downloads in the Registry key |
| Enterprise | T1204.002 | User Execution: Malicious File | Valak has been executed via Microsoft Word documents containing malicious macros.[1][2][3] |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[1] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | |
| Enterprise | T1082 | System Information Discovery | Valak can determine the Windows version and computer name on a compromised host.[1][3] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[1] |
| Enterprise | T1119 | Automated Collection | Valak can download a module to search for and build a report of harvested credential data.[3] |
| Enterprise | T1087.001 | Account Discovery: Local Account | |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Valak has the ability to enumerate domain admin accounts.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Valak can determine if a compromised host has security products installed.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[2][1] |
| Enterprise | T1057 | Process Discovery | Valak has the ability to enumerate running processes on a compromised host.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Valak has the ability to exfiltrate data over the C2 channel.[1][2][3] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Valak has been delivered via spearphishing e-mails with password protected ZIP files.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | |
| Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Valak has the ability to save and execute files as alternate data streams (ADS).[1][2][3] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.[1][2][3] |