By Nick Biasini, Edmund Brumaghin and Mariano Graziano.

Threat summary

  • Attackers are actively distributing the Valak malware family around the globe, with enterprises, in particular, being targeted.
  • These campaigns make use of existing email threads from compromised accounts to greatly increase success.
  • The additional use of password-protected ZIP files can create a blind spot in security protections.
  • The overwhelming majority of campaigns occurred over the last couple of months and targeted organizations in the financial, manufacturing, health care and insurance verticals.

Executive summary

Valak is a modular information-stealer that attackers have deployed to various countries since early-to-mid 2019. While Valak features a robust feature set, it is often observed alongside secondary malware payloads, including Gozi/Ursnif and IcedID. This malware is typically delivered via malicious spam email campaigns that leverage password-protected ZIP archives to evade detection by email security solutions that may inspect the contents of emails entering corporate networks. While previous analysis focused on campaigns targeting the United States and Germany, Cisco Talos has observed ongoing campaigns targeting other geographic regions including countries in North America, South America, Europe and likely others. The email campaigns distributing downloaders associated with Valak also appear to be leveraging existing email threads to lend credibility to the emails and increase the likelihood that victims will open file attachments and initiate the Valak infection process.

Read More >> 


Talos Group

Talos Security Intelligence & Research Group