Valak
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Valak has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020) |
.002 | Account Discovery: Domain Account |
Valak has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020) |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Valak has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Valak has used PowerShell to download additional modules.(Citation: Cybereason Valak May 2020) |
.007 | Command and Scripting Interpreter: JavaScript |
Valak can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020) |
||
Enterprise | T1555 | .004 | Credentials from Password Stores: Windows Credential Manager |
Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.(Citation: SentinelOne Valak June 2020) |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Valak has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020) |
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.(Citation: Cybereason Valak May 2020) |
Enterprise | T1564 | .004 | Hide Artifacts: NTFS File Attributes |
Valak has the ability save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
Valak can execute tasks via OLE.(Citation: SentinelOne Valak June 2020) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Valak has used packed DLL payloads.(Citation: SentinelOne Valak June 2020) |
.011 | Obfuscated Files or Information: Fileless Storage |
Valak has the ability to store information regarding the C2 server and downloads in the Registry key |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Valak has been delivered via spearphishing e-mails with password protected ZIP files.(Citation: Unit 42 Valak July 2020) |
.002 | Phishing: Spearphishing Link |
Valak has been delivered via malicious links in e-mail.(Citation: SentinelOne Valak June 2020) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Valak can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020) |
Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
Valak has used |
Enterprise | T1552 | .002 | Unsecured Credentials: Credentials in Registry |
Valak can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne Valak June 2020) |
Enterprise | T1204 | .002 | User Execution: Malicious File |
Valak has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0127 | TA551 |
(Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN) |
References
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.