Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Valak
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Valak
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)
ID: S0476
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 19 Jun 2020
Last Modified: 23 Nov 2020

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Valak has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)
.002 Account Discovery: Domain Account

Valak has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Valak has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Valak has used PowerShell to download additional modules.(Citation: Cybereason Valak May 2020)
.007 Command and Scripting Interpreter: JavaScript

Valak can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.(Citation: SentinelOne Valak June 2020)
Enterprise T1132 .001 Data Encoding: Standard Encoding

Valak has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)
Enterprise T1114 .002 Email Collection: Remote Email Collection

Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.(Citation: Cybereason Valak May 2020)
Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Valak has the ability save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Valak can execute tasks via OLE.(Citation: SentinelOne Valak June 2020)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Valak has used packed DLL payloads.(Citation: SentinelOne Valak June 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Valak has been delivered via spearphishing e-mails with password protected ZIP files.(Citation: Unit 42 Valak July 2020)
.002 Phishing: Spearphishing Link

Valak has been delivered via malicious links in e-mail.(Citation: SentinelOne Valak June 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Valak can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Valak has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)
Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

Valak can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne Valak June 2020)
Enterprise T1204 .002 User Execution: Malicious File

Valak has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Groups That Use This Software
ID Name References
G0127 TA551

(Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)

References

  1. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  2. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  3. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  4. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  5. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.