
Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)
ID: S0476
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 19 Jun 2020
Last Modified: 24 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Valak has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)

Enterprise T1087 .002 Account Discovery: Domain Account

Valak has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Valak has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Valak has used PowerShell to download additional modules.(Citation: Cybereason Valak May 2020)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Valak can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.(Citation: SentinelOne Valak June 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Valak has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.(Citation: Cybereason Valak May 2020)

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Valak has the ability to save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Valak can execute tasks via OLE.(Citation: SentinelOne Valak June 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Valak has used packed DLL payloads.(Citation: SentinelOne Valak June 2020)

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Valak has been delivered via spearphishing e-mails with password protected ZIP files.(Citation: Unit 42 Valak July 2020)

Enterprise T1566 .002 Phishing: Spearphishing Link

Valak has been delivered via malicious links in e-mail.(Citation: SentinelOne Valak June 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Valak can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020)

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Valak has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

Valak can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne Valak June 2020)

Enterprise T1204 .002 User Execution: Malicious File

Valak has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)
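The table above names several host artifacts a defender can hunt for: the Registry path HKCU\Software\ApplicationContainer\Appsw64 (T1027.011), payloads written as alternate data streams (T1564.004), regsvr32.exe launching DLLs (T1218.010), and scheduled tasks used for persistence (T1053.005). The following script is an added example written for this page, not code from MITRE ATT&CK, SECURITM or any of the cited reports. It runs four simple rules over a handful of constructed Sysmon-style events (process create, file create, registry value set); the event shapes, the user-writable path heuristic and the file paths are assumptions for illustration, and only the Registry path comes from the page.

```python
"""Hunt constructed Sysmon-style events for the Valak host artifacts listed above."""
import json
import re
from typing import Dict, List

# Registry path documented on the page (T1027.011, fileless storage of C2 data).
VALAK_REG_PATH = r"HKCU\Software\ApplicationContainer\Appsw64"

# Heuristic (assumption): directories an ordinary user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Drive prefix, then a path with no further ':' until the ADS separator (T1564.004).
ADS_NAME = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")

# Constructed sample telemetry, not real data. "id" mirrors Sysmon event IDs:
# 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\abc.dll"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},   # benign: system path
    {"id": 13, "host": "ws01", "target": VALAK_REG_PATH + r"\ServerKey", "details": "..."},
    {"id": 11, "host": "ws01", "target": r"C:\Users\Public\doc.txt:stream1"},
    {"id": 11, "host": "ws01", "target": r"C:\Users\Public\doc.txt"},           # benign: no ADS
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn upd /tr "wscript C:\Users\u\AppData\Local\Temp\a.js"'},
]


def check_event(ev: Dict) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    if ev["id"] == 1:
        image = ev.get("image", "").lower()
        cmd = ev.get("cmd", "")
        # T1218.010: regsvr32 pointed at a DLL in a user-writable location.
        if image.endswith("\\regsvr32.exe") and USER_WRITABLE.search(cmd):
            hits.append("regsvr32_user_writable_dll")
        # T1053.005: task creation whose action lives in a user-writable location.
        if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append("schtasks_create_user_writable")
    elif ev["id"] == 13:
        # T1027.011: any value written under the documented Valak key.
        if ev.get("target", "").lower().startswith(VALAK_REG_PATH.lower()):
            hits.append("valak_registry_path")
    elif ev["id"] == 11:
        # T1564.004: file created with an alternate data stream name.
        if ADS_NAME.match(ev.get("target", "")):
            hits.append("ads_file_create")
    return hits


def hunt(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; one finding per (event, rule) pair."""
    findings: List[Dict] = []
    for ev in events:
        for rule in check_event(ev):
            findings.append({"host": ev["host"], "rule": rule, "event": ev})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps({"host": finding["host"], "rule": finding["rule"]}))
```

Each rule keys on a single documented behaviour, so a hit on the Registry path is high-confidence while the regsvr32 and schtasks rules are heuristics that will also fire on some legitimate software and are best used to triage, not to alert on their own. Against the constructed sample the script reports exactly the four suspicious events and ignores the two benign ones.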

Groups That Use This Software

ID Name References
G0127 TA551

(Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)
