The Valar Trojan, first detected last year, is currently being used in a widespread attack against Microsoft Exchange servers. The hacking group behind it is not yet known, and the malware is targeting mainly Germany and the USA. It is rated as an advanced threat and is delivered to the victim computers in a multi-stage way.
Valar Trojan Attacks Microsoft Exchange Servers
Valar Trojan is a sophisticated malware family that is currently being used as a weapon against Microsoft Exchange servers. The hackers behind the campaign are using it to target machines located in Germany and the USA. What is particularly dangerous is that the threat is delivered through a complex infection strategy that uses a multi-stage installation mechanism. The malware itself is not new: the first samples were detected in a previous campaign in 2019. A new hacking group has taken the Trojan code and used it in their own attack campaign.
The criminals are using a new strategy that relies on macro-infected documents created in both English and German. These files are opened in Microsoft Word and include dangerous scripts. How they reach the target end users depends on the phishing strategy. The most likely way is to send out email messages, with personalized or generic greetings, that link to or attach these documents. When the recipients open them on their local computers, a message will appear asking them to enable the built-in scripts. Doing so leads to the deployment of the Valar Trojan.
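The delivery vector described above depends on the recipient enabling macros, so a first defensive check on mail attachments is simply whether a document carries a VBA project at all. The following is an added example, not code from the article or from any vendor's product: it builds a constructed, harmless sample of the modern Office container (a zip archive) and triages an attachment by looking for the `vbaProject.bin` part. File names, the `build_sample_doc` helper and the verdict labels are assumptions made for this example; Word does not execute VBA from a `.docx`, so a VBA part under a macro-free extension is flagged as a mismatch worth a closer look.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Magic bytes of the legacy OLE2 (Compound File) container used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML (zip) container, optionally with a VBA part.
    This is not a real document, just the structure a triage tool sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real macros live in an OLE2 blob at word/vbaProject.bin; the magic prefix is enough here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def find_vba_parts(data: bytes) -> list:
    """Return the archive members that carry VBA code (vbaProject.bin in any folder)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist()
                    if PurePosixPath(n).name.lower() == "vbaproject.bin"]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by container type and presence of a VBA project.
    Verdict labels are this example's own convention (assumption)."""
    ext = PurePosixPath(filename.lower()).suffix
    result = {"filename": filename, "has_vba": None, "vba_parts": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls keep macros inside OLE streams; this zip check cannot see them,
        # so hand the file to a dedicated OLE parser instead of calling it clean.
        result["verdict"] = "legacy-ole-inspect-further"
        return result

    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["verdict"] = "not-an-office-container"
        return result

    parts = find_vba_parts(data)
    result["vba_parts"] = parts
    result["has_vba"] = bool(parts)
    if parts and ext in {".docx", ".xlsx", ".pptx"}:
        # A VBA part hiding under a macro-free extension is a mismatch worth flagging.
        result["verdict"] = "vba-in-macro-free-extension"
    elif parts:
        result["verdict"] = "macro-enabled"
    else:
        result["verdict"] = "no-vba-project"
    return result


if __name__ == "__main__":
    for name, blob in [("Rechnung.docm", build_sample_doc(True)),
                       ("invoice.docx", build_sample_doc(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 16)]:
        print(triage_attachment(name, blob))
```

Presence of a VBA project is a coarse signal: legitimate macro-enabled workbooks exist, and the legacy binary formats need a proper OLE stream parser rather than this zip check. Its value is in routing, i.e. deciding which attachments from the phishing wave get detonated or quarantined rather than delivered.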
The initial installation follows a complex infection sequence. One of the first actions is an extensive data gathering step designed to extract machine data and identity-related information. Among the important assets hijacked is the geolocation data, which determines where the user is located. Further data is then downloaded from the machines; this module also takes screenshots at regular intervals and loads other Trojans and malware. The documented examples include Ursnif, a common advanced infection.
The updated version of the Valar Trojan includes other modules and plugins that extend the functionality of the main engine. The researchers note that Valar is considered an advanced risk as it can hide itself in the system and also modify the Windows Registry. This means that the virus will create values for itself or edit existing ones in order to safeguard itself from discovery or removal.
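Because the Trojan is reported to create or edit Registry values to survive on the host, a defender's routine check is to review the autostart locations for entries that do not belong. The article does not name the keys involved, so this added example (not code from the article or from any vendor) assumes the common `CurrentVersion\Run` and `RunOnce` keys and works over a constructed regedit export; the value names, paths and the `svchost.exe` masquerade in the sample are made up. It parses the export, extracts the executable from each command line and flags entries launched from user-writable locations or using a system binary name outside System32.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in regedit "Export" format. All names and paths are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with regedit escaping (\\ and \") inside both strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

AUTORUN_KEYS = {"run", "runonce"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "rundll32.exe"}


def unescape(s: str) -> str:
    """Undo regedit's backslash escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, command) tuples for every string value in the export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_autoruns(text: str) -> list:
    """Flag Run/RunOnce entries that start from user-writable paths or masquerade as system binaries."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if key.lower().rsplit("\\", 1)[-1] not in AUTORUN_KEYS:
            continue
        path = executable_path(command)
        lowered = path.lower()
        reasons = []
        if any(mark in lowered for mark in USER_WRITABLE_MARKERS):
            reasons.append("starts from user-writable location")
        masquerade = (PureWindowsPath(lowered).name in SYSTEM_BINARY_NAMES
                      and "\\windows\\system32\\" not in lowered)
        if masquerade:
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons,
                             "severity": "high" if masquerade else "review"})
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_REG_EXPORT):
        print(finding["severity"], finding["name"], finding["path"], finding["reasons"])
```

Entries in user-writable folders are only a "review" signal, since legitimate per-user installers live there too; confirming them means checking the file's signature and hash rather than trusting the value name. Run keys are one of many persistence points, so the same parser can be pointed at other exported autostart locations once the specific keys used by a sample are known.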
Malware of this category can be used to carry out actions such as the following:
- Information Gathering — The hijacked machine data and personal user information can be used for other crimes such as financial abuse and identity theft.
- Surveillance — The Trojan engine will allow the hackers to spy on the victims and take over control of the infected machines.
- Additional Virus Infections — The Valar Trojan can be used to install other types of viruses on the victim systems. Popular options include file-encrypting ransomware, which locks user files and demands a decryption fee, and browser hijackers, dangerous plugins made compatible with all popular web browsers that redirect users to phishing pages, scams and hacker-controlled pages.
One of the main goals of the Trojan is to gain access to the installed Microsoft Exchange servers, including the stored credentials, sensitive contents and the domain certificate. The analysis shows that the different versions of the Trojan share the same infrastructure, which means the hackers have substantial resources under their control. It is quite possible that the hackers are of Russian origin, as the deployed threats are presumed to be operated from Russia.