Researchers from cybersecurity firm Cybereason have revealed that known malware loader Valak has been transformed into a data stealer used primarily to attack enterprises.
The malware is now able to gather all manner of intelligence on its targets, including the geographical location of the target device, as well as email login credentials and domain passwords and certificates.
According to a Bleeping Computer report, it does so by invading Microsoft Exchange servers.
The latest iterations of Valak are also still capable of performing the loader's original objective: to deliver other forms of malware (primarily banking trojans Ursnif and IcedID).
Valak is distributed via email phishing scams, attached as a Word file. The seemingly innocuous file carries a malicious macro which, once triggered, installs the loader.
The malware loader has more than 50 command and control (C&C) servers, each operating a different variant of the malware. It is believed the servers share the same infrastructure, as all known domains are linked to each other through downloaded files, URI similarities or connecting files.
While Cybereason has reason to believe Valak may have Russian roots (based on the observed partnership with Ursnif and IceID), the firm is not certain about the malware's origins.