Malware Analysis – Malicious Macros
June 26, 2020Rewterz Threat Alert – APT C-35 Targeting Pakistani Organizations
June 26, 2020Malware Analysis – Malicious Macros
June 26, 2020Rewterz Threat Alert – APT C-35 Targeting Pakistani Organizations
June 26, 2020Severity
Medium
Analysis Summary
The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, researchers have investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months. This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.
Impact
- Credential theft
- Information theft
- Exposure of sensitive data
Indicators of Compromise
MD5
- 85c8e02d944c693dc8395e9b726fe380
- b2558caa32fa209d99afac52d2930ca2
- 8170b1d3bb3364c0c92de81d9345c7c6
- 21e1a393f9ba44049c307b357875afde
- 7b31397bd5a2880823ca5272249eb4fe
- 4706cb0d87c35fa805f28091e529d682
- e7b579ba890af51b66d659e588db776b
- 099d36c2071d381ad775ac6ecf6fb0b9
- cee71ff0a2adf356b6ede758b1591f7b
- af4fd920e097695781424662e7c120a3
- 5498b94db695ad6656dfa02c3a4c4317
- 95d0edc1349faa8ecd1a26980072b46d
- f421d7ca0d6d4c6737af88868173e705
- d78232c9862f86712d41237c20f5ab80
- ff432ec7c351fb14af67d44eb4483c84
- 0c1ceab2d27259405602f7d2c22ecafe
- c0ef686b11f5422620db63927444580d
- 113b4a7fd32dea42f8efc6282110cd73
- 6db614240e162a0c72174b5a48693c93
- 30bd8f82026c68425df6b9d034611720
- cf41b835fb331b3ccd70a2fcb97427e8
- a2145dee7e0be6a56c9a4023f0174711
- e25e1cae62f221294651984e6615f7eb
- 34356355a617f271fbb8301cfbe86367
- 34256f3930f4b9d4a23abda8d46b32f7
- 0dcee360983fa2e073e9f07e06b6d695
- 4ff917822f2156c046a96ac78381e216
- 656668547b65c909c50225f25b726056
- 94a028c3032c634f5100201e02361f3e
- 70cb1f07a676f287792d78cfcfdb2aa3
SHA-256
- f3dc311a18bd3c048677bf5939156efd3180496e518f0160f26cc4d48cc66655
- be7c1fe502940405a9647aaedb888eccae68fb13bbd8f158a920b1555bf8ba1e
- fcd622c65e374f7d7212770a65f4474fa2a683bae869116ef52cc2a2566303d5
- 15bcff3285cb41339b5de38526aa37a06627b05c340cea5c52cdd94e088993a7
- c5d8a8a77399958936cef96f3c8c9d0d6c2ae89437e6d6471dfa36893180d689
- c7bc266367b277f1e9e4510a23a38fbf0bdf7a851b026a340eba3ad8c8e8a1c9
- 9b52277574e9b452d2bd77d3f1d6cc3084ec523057eb19ab26d34bf349e6d6b0
- 6c0e63de41e14f74191fbbea4a001af4b3ad744f6138848be92e2177517ef887
- 602bcef0404f128c0f8ee68d644a37bb4430ba8d70939dcea814dd8cf22a97a7
- c065f5e4493fd5493a012f0e05ba2aa3914745e97c2ed91fbfc3d5106bc4782b
- 6466ca90f8e03192bfb602d5db96804a1d1ea8cdfef1b74d02e1159a63077acc
- bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a
- afc8fd02926a7dee0d71c8735b7f9cb5074ff7c3c4e2fa8c0cb5508b1e8170dd
- 96e29e78b5f8e9bd5a152bad67dc4637babf1bab73c45226b831473e9b75cf57
- 9a11e6ae98e4e26dcc240ec3ff0cc34d99e6d3414bd4caf340fb09649e94e4bd
- 8b721d87f4dec06597cc0ecb09ce47f10ddcf294e8b4b23bdf74246bce327e94
- 09448d9ba61f5c4d8ee1698cdadf398cbf97000a239c43c95972693b1a9311c8
- deb0b28e72150db07cc9c2f5efc8f26a3be022c81c7544317a5717566a4c0302
- 5624e6cb352c82b2c032a1018cea979f01f0cac2e552fe4d7016ced32f1cb581
- 112f8cefb5aedfb0c92e7c947214b8bd4c30be5879d5f3263a7d6eeb07004d09
- 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
- eb14e6ed547411a4930034be80453841e9b474225ec3a32ddc32c01263781c67
- 5397b18ce5cf38f66bfd782c8d6ef331d90597fe0fe841c60f437acfd171d61f
- 363b7bfb0f4a329b67cff96d1a1d888f99da44cae2d6f7b24e8b45a76b39a5f2
- 1c3d130fd8473aea8b9286732db6ff2d3762ca1a70312bfbc9a4528d86b3b093
- 4f3ffaef0cf5a9a799d7026a547e2c9a777946709112dcbb2a0b588228016439
SHA1
- daaeaba45589187696bbc1aec7df7844e451cdcd
- 9a42f69a4a7d157b975ea8093d0eb397392608f4
- ec705dd7835614d21202c316ae25c2c95088af07
- ec257f1a01f20560a4e869027382058b4a087615
- e43490cb1f8dcac038b8814ff5c4ece8028ecb85
- 5f8c22c7041e5279785f66fdba8d1b0b414d917e
- bf480aa047342f106693ed696dc3162f0776db0e
- 505b96b31b19a1d85276d3a71e1d6398abe3bea5
- e22b404e1fec743f0795cdea8a95337660878860
- e397cdcaf65b54c89d92e0ef49d40f22c8ed5526
- 9441495ead24cdf62536075bb212a5cf88af5d91
- 3f37ceaf50af6a1afa62de9522e2e998ca9f6a66
- a9d57c0a838559156387b7f0b3af6ecabdf07e67
- 4e6953fe1580d4d178d053fc906f441d5c72f2fc
- 3a25af6c4214f70aa71b1253db048333b05f140f
- 865e19a4dd150b0a8b60f4dbb49173fe48d11980
- fcac8890f45140398f9595106477ba105fdeee0b
- b51f8d9870886d6fd331c19d28160196e76b8e4a
- 30fd553dedfadc81522adf37e11dfc4039d4ea31
- bd9c4f7631beb455525bf7dfb3b64c5cfd47f0c2
- 03810cd2c5cd29898f20cf33d8084926b685c879
- 1d19d630e0c311e6a102e3b34cccec6360553497
- b729bdd3a0fecb5ddc4eb0fea5ab32c08a29bee5
- 1d8de1bd76fc66fa8f367e4904aee92cb576deb4
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders
- Search for IOCs in your existing environment.