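<!doctype html>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="profile" href="https://gmpg.org/xfn/11">
  <link rel="preconnect" href="https://www.paloaltonetworks.com">
  <link rel="preconnect" href="https://cdn.cookielaw.org">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <!-- Start: Scripts Migrated From Unit42-v5 -->
  <!-- Page-level globals read by later scripts: main_site_url, maindomain_lang,
       getParameterByName, container_q, d_lang. Kept as `var` globals on purpose. -->
  <script>
    var main_site_url = 'https://www.paloaltonetworks.com';
    var maindomain_lang = 'https://www.paloaltonetworks.com';

    /**
     * Read a single query-string parameter from a URL.
     *
     * @param {string} name  Parameter name. It is matched literally: every regex
     *                       metacharacter is escaped (the previous version only
     *                       escaped square brackets, so a name containing "." or
     *                       "+" would have been interpreted as a pattern).
     * @param {string} [url] URL to inspect; defaults to window.location.href.
     * @returns {?string} null when the parameter is absent, '' when it is present
     *                    without a value, otherwise the decoded value with '+'
     *                    treated as a space.
     *
     * decodeURIComponent throws a URIError on a malformed percent-escape
     * (e.g. a lone "%E0"). Because this script runs in <head> and defines
     * globals that later code depends on, an uncaught throw here would leave
     * container_q and d_lang undefined for the rest of the page. The raw
     * (undecoded) value is returned in that case instead of propagating the error.
     */
    function getParameterByName(name, url) {
      if (url == null) {
        url = window.location.href;
      }
      var escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      var matcher = new RegExp('[?&]' + escapedName + '(=([^&#]*)|&|#|$)');
      var found = matcher.exec(url);
      if (!found) {
        return null;
      }
      if (!found[2]) {
        return '';
      }
      var rawValue = found[2].replace(/\+/g, ' ');
      try {
        return decodeURIComponent(rawValue);
      } catch (e) {
        // URIError from a malformed escape sequence: fall back to the raw text.
        return rawValue;
      }
    }

    // This value comes straight from the current URL, so any consumer must treat
    // it as untrusted input (escape it before inserting into the DOM or a URL).
    var container_q = getParameterByName('container');
    var d_lang = 'en';
  </script>
  <!-- Async stylesheet loading. The inline onload handlers below are part of the
       preload pattern; they would have to be permitted if a CSP is added later. -->
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">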
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/valak-evolution/" /> <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/valak-evolution/" /> <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/valak-evolution/" /> <!-- This site is optimized with the Yoast SEO Premium plugin v23.7 (Yoast SEO v23.7) - https://yoast.com/wordpress/plugins/seo/ --> <title>Evolution of Valak, from Its Beginnings to Mass Distribution</title> <meta name="description" content="Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak/TA551." /> <link rel="canonical" href="https://unit42.paloaltonetworks.com/valak-evolution/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Evolution of Valak, from Its Beginnings to Mass Distribution" /> <meta property="og:description" content="Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak/TA551." 
/> <meta property="og:url" content="https://unit42.paloaltonetworks.com/valak-evolution/" /> <meta property="og:site_name" content="Unit 42" /> <meta property="article:published_time" content="2020-07-24T19:00:29+00:00" /> <meta property="article:modified_time" content="2024-06-07T13:38:18+00:00" /> <meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/09_Security-Technology_Category_1920x900.jpg" /> <meta property="og:image:width" content="1920" /> <meta property="og:image:height" content="900" /> <meta property="og:image:type" content="image/jpeg" /> <meta name="author" content="Brad Duncan" /> <meta name="twitter:card" content="summary_large_image" /> <!-- / Yoast SEO Premium plugin. --> <link rel="alternate" type="application/rss+xml" title="Unit 42 » Feed" href="https://unit42.paloaltonetworks.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 » Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 » Evolution of Valak, from Its Beginnings to Mass Distribution Comments Feed" href="https://unit42.paloaltonetworks.com/valak-evolution/feed/" /> <script type="text/javascript"> var globalConfig = {}; var webData = {}; webData.channel = "unit42"; webData.property = "unit42.paloaltonetworks.com"; webData.language = "en_us"; webData.pageType = "blogs"; webData.pageName = "unit42:valak-evolution"; webData.pageURL = "https://unit42.paloaltonetworks.com/valak-evolution"; webData.article_title = "Evolution of Valak, from Its Beginnings to Mass Distribution"; webData.author = "Brad Duncan"; webData.published_time = "2020-07-24T12:00:29-07:00"; webData.description = "Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak/TA551."; webData.keywords = "Cybercrime,Malware,Threat Research,Valak"; 
webData.resourceAssetID = "ee8f7f1a3f59aabffcf5680e26fc37d4"; </script> <script type="text/javascript"> var globalConfig = {}; globalConfig.buildName = "UniqueResourceAssetsID_DEC022022"; </script> <meta property="og:likes" content="18"/> <meta property="og:readtime" content="11"/> <meta property="og:views" content="52,630"/> <meta property="og:date_created" content="July 24, 2020 at 12:00 PM"/> <meta property="og:post_length" content="2639"/> <meta property="og:category" content="Cybercrime"/> <meta property="og:category" content="Malware"/> <meta property="og:category" content="Threat Research"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/cybercrime/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/"/> <meta property="og:author" content="Brad Duncan"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/bduncan/"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2017/09/Duncan-bio-picture-1-copy-150x150.jpg"/> <meta name="post_tags" content="Valak"/> <meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/Malware-r3d2.png"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Evolution of Valak, from Its Beginnings to Mass Distribution","name":"Evolution of Valak, from Its Beginnings to Mass Distribution","description":"Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak\/TA551.","url":"https:\/\/unit42.paloaltonetworks.com\/valak-evolution\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/valak-evolution\/","datePublished":"July 24, 
2020","articleBody":"Executive Summary\r\nFirst noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include:\r\n\r\n \tValak relies on scheduled tasks and Windows registry updates to remain persistent on an infected Windows host.\r\n \tValak uses Alternate Data Stream (ADS) as a technique to run follow-up malware on an infected host.\r\n \tRecent Valak infections show an increase in obfuscated code for configuration scripts used during the infection, possibly as an attempt to avoid detection.\r\n \tSince April 2020, we have seen a great deal of Valak malware distributed by an actor sometimes referred to as Shathak\/TA551.\r\n\r\nThis blog covers the history of Valak, reviews the chain of events for an infection, examines traffic generated by Valak and explores recent updates in obfuscation techniques used by the malware in order to evade detection. This blog also examines the Shathak\/TA551 distribution system that has been consistently pushing Valak since April 2020.\r\n\r\nPalo Alto Networks customers are protected from Valak by our Threat Prevention subscription for the Next-Generation Firewall.\r\nValak History\r\nThe earliest public record of Valak comes from Proofpoint's ET Pro ruleset, where two rules detecting Valak were introduced on October 22, 2019, for the Suricata Open Source threat detection engine.\r\n\r\nValak was documented as follow-up malware during an Ursnif infection (also known as Gozi or IFSB) on December 19, 2019. Analysis by Cybereason revealed Valak used a combination of techniques to remain persistent on an infected Windows host. Valak relies on scheduled tasks combined with Windows registry updates. 
It also uses Alternate Data Stream (ADS) during the infection process for follow-up malware.\r\n\r\nMost examples of Valak in recent months have been distributed through malicious spam (malspam). SentinelLabs (SentinelOne) published a report providing further information about Valak, including a connection between Valak malware distribution and campaigns similar to the \u201cGozi ConfCrew.\u201d Distribution characteristics were further explored in a Threat Spotlight on Valak published by Talos (Cisco).\r\n\r\nThe distribution network using malspam to push Valak has been called Shathak on Twitter. Shathak has been attributed to an actor named TA551 on the Malware Don\u2019t Need Coffee blog.\r\nChain of Events\r\n[caption id=\"attachment_108101\" align=\"aligncenter\" width=\"900\"] Figure 1. Chain of events for recent Valak malware activity.[\/caption]\r\n\r\nFigure 1 shows the chain of events seen for Valak infections in June and early July 2020. For a Windows computer to become infected, a victim must:\r\n\r\n \tOpen malspam with password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment.\r\n \tExtract Microsoft Word document from the password-protected ZIP archive using a unique password from the message text.\r\n \tOpen the Word document as shown below in Figure 2 and enable macros.\r\n\r\n[caption id=\"attachment_108103\" align=\"aligncenter\" width=\"900\"] Figure 2. 
Example of a Microsoft Word document from June 24, 2020, with macros for Valak.[\/caption]\r\n\r\nFor Valak infections during June 2020, the initial activity consisted of:\r\n\r\n \tAn HTTP or HTTPS URL ending with .cab that returned a DLL to install Valak.\r\n \tValak DLL was saved to the C:\\ProgramData\\ directory using a random file name, usually with a .dat or .jpg file extension, as shown in Figure 3.\r\n \tValak DLL was run using regsvr32.exe -s [filename]\r\n \tPopup message stating the DLL was successfully run, as shown in Figure 4.\r\n \tA JavaScript configuration file appeared as a random file name (always the same name for each wave of infections) under the C:\\Users\\Public\\ directory, as shown in Figures 5 and 6.\r\n \tInitial HTTP command and control (C2) traffic returned encoded ASCII text used to create additional malware\/artifacts for the infection.\r\n\r\n[caption id=\"attachment_108105\" align=\"aligncenter\" width=\"900\"] Figure 3. Initial Valak DLL retrieved after enabling macros on the Word document from Figure 2.[\/caption]\r\n\r\n[caption id=\"attachment_108107\" align=\"aligncenter\" width=\"900\"] Figure 4. Pop-up message on a Windows 10 host when an initial Valak DLL was successfully run using RegSvr32.exe after macros were enabled on June 24, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_108109\" align=\"aligncenter\" width=\"900\"] Figure 5. Initial script file in C:\\Users\\Public\\ directory used during Valak infection from June 24, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_108111\" align=\"aligncenter\" width=\"900\"] Figure 6. Contents of the JavaScript configuration file from June 24, 2020.[\/caption]\r\n\r\nFigure 6 reveals variable names are obfuscated in the JavaScript configuration file. 
This is an example of obfuscation that we have noted since June 2020, and it is covered in more detail later in this blog when discussing Valak developments.\r\n\r\nAs the infection progressed, three things happened near-simultaneously to make Valak persistent on an infected Windows host:\r\n\r\n \tA Windows executable (EXE) appeared in the infected user's AppData\\Local\\Temp directory as a random file name ending in .bin (PE32 executable, Mono\/.Net assembly), as shown in Figure 7.\r\n \tWindows registry entries were created under the key for HKCU\\SOFTWARE\\ApplicationContainer\\Appsw64\r\n \tA randomly-named text file and JavaScript (JS) file both appeared under the C:\\Users\\Public\\ directory, as shown in Figures 8, 9 and 10.\r\n \tA scheduled task was created to run the JS file located under C:\\Users\\Public\\ and repeat running it every four minutes, as shown in Figure 11.\r\n\r\n[caption id=\"attachment_108113\" align=\"aligncenter\" width=\"900\"] Figure 7. EXE file with a .bin file extension from the June 24, 2020, Valak infection.[\/caption]\r\n\r\n[caption id=\"attachment_108115\" align=\"aligncenter\" width=\"900\"] Figure 8. Additional artifacts in the C:\\Users\\Public\\ directory created during the infection.[\/caption]\r\n\r\n[caption id=\"attachment_108117\" align=\"aligncenter\" width=\"900\"] Figure 9. Contents of the text file, a random string of text.[\/caption]\r\n\r\n[caption id=\"attachment_108119\" align=\"aligncenter\" width=\"900\"] Figure 10. Contents of the JS file used to keep the Valak infection persistent.[\/caption]\r\n\r\n[caption id=\"attachment_108121\" align=\"aligncenter\" width=\"900\"] Figure 11. 
Scheduled task for JS file used to keep the Valak infection persistent.[\/caption]\r\n\r\nIf the C2 domains remained active during the infection, as early as four minutes later, we saw follow-up malware:\r\n\r\n \tValak C2 traffic returned encoded ASCII text used to create a follow-up malware EXE.\r\n \tThe follow-up malware EXE was appended to the randomly-named text file in C:\\Users\\Public using ADS, as shown in Figure 12.\r\n \tA scheduled task was created to run the follow-up malware EXE once, shortly after it was created, as shown in Figure 13.\r\n\r\n[caption id=\"attachment_108123\" align=\"aligncenter\" width=\"900\"] Figure 12. Text file in C:\\Users\\Public\\ directory updated with ADS.[\/caption]\r\n\r\n[caption id=\"attachment_108125\" align=\"aligncenter\" width=\"900\"] Figure 13. Scheduled task to run the follow-up malware.[\/caption]\r\n\r\nIn our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020.\r\nValak Infection Traffic\r\nThe infection starts when a victim enables macros on one of the malicious documents. This usually generates a URL ending with .cab that returns a Windows DLL file. Figure 14 shows a Valak infection from June 24, 2020, filtered in Wireshark to list the HTTP requests and other web-based traffic. The first line shows a URL that ends with .cab. A TCP stream of this activity is shown in Figure 15, and it reveals signs of an EXE or DLL file returned from the server.\r\n\r\n[caption id=\"attachment_108127\" align=\"aligncenter\" width=\"900\"] Figure 14. Traffic from a Valak infection with IcedID as the follow-up malware from June 2020 filtered in Wireshark.[\/caption]\r\n\r\n[caption id=\"attachment_108129\" align=\"aligncenter\" width=\"900\"] Figure 15. 
TCP stream for the HTTP GET request ending in .cab that returned a Windows DLL file.[\/caption]\r\n\r\nChecking the binary in VirusTotal shows this file is a DLL. This DLL is an installer for Valak. Shortly after the initial HTTP traffic for the Valak DLL, we see other HTTP GET requests starting with:\r\n\r\n \tlicense.jsp?client=\r\n \tarchive.jsp?page=\r\n \tdb.aspx?dfc=\r\n\r\nThe HTTP requests are Valak C2 traffic, which is sent to decoy domains (non-malicious domains from legitimate organizations) and malicious domains. These domains are listed in the initial Valak script previously shown in Figure 5. For example, for Valak infections from the June 24, 2020, wave, the decoy domains were:\r\n\r\n \te87.dspb.akamaidege.net\r\n \tinsiderppe.cloudapp.net\r\n \tpagead46.l.doubleclick.net\r\n\r\nAlso noted in Figure 5 are the malicious domains from the June 24, 2020, wave of Valak:\r\n\r\n \tthepicklepilot.com\r\n \tjoonaskallinen.com\r\n \txfitnessproducts.com\r\n\r\nFigure 5 also shows three additional domains from the June 24, 2020, wave of Valak. These domains appear to be fake or possibly placeholders because they were not registered and did not resolve to any IP address.\r\n\r\n \t59xidd-fuel.com\r\n \t19geds-space.com\r\n \t55sfors-cask.com\r\n\r\nValak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection. Figure 16 shows an example of this traffic.\r\n\r\n[caption id=\"attachment_108131\" align=\"aligncenter\" width=\"900\"] Figure 16. Valak C2 over HTTP traffic returning ASCII data used to create malware items on the victim host.[\/caption]\r\n\r\nIn addition to HTTP GET requests, Valak uses HTTP POST requests to exfiltrate certain types of data. 
In Figures 17 and 18, we see an HTTP POST request starting with class4.aspx?internalService= that sends login credentials used for Microsoft Outlook from an infected Windows host.\r\n\r\n[caption id=\"attachment_108133\" align=\"aligncenter\" width=\"900\"] Figure 17. Valak infection traffic filtered in Wireshark showing an HTTP POST request from the C2 traffic.[\/caption]\r\n\r\n[caption id=\"attachment_108135\" align=\"aligncenter\" width=\"900\"] Figure 18. TCP stream of the HTTP POST request showing a base64 string containing Outlook login credentials of the infected host.[\/caption]\r\n\r\nWe primarily see IcedID as follow-up malware from the Valak infections generated from U.S. locations. Figure 19 shows indicators of IcedID during the Valak infection traffic.\r\n\r\n[caption id=\"attachment_108137\" align=\"aligncenter\" width=\"900\"] Figure 19. Indicators of IcedID as the follow-up malware during this Valak infection.[\/caption]\r\nRecent Developments\r\nAs Valak has developed, we have noticed increased obfuscation in the Valak configuration script. This obfuscation finds its way into other script and Windows registry updates used to keep the infection persistent. Figure 20 shows configuration script from June 23, 2020, using Valak software version 40. Figure 21 shows configuration script from June 24, 2020, using Valak software version 41. Note how variable names and some of the values were obfuscated when Valak changed from version 40 to version 41.\r\n\r\n[caption id=\"attachment_108139\" align=\"aligncenter\" width=\"900\"] Figure 20. Valak version 40 configuration script with variable names and values in plain text.[\/caption]\r\n\r\n[caption id=\"attachment_108141\" align=\"aligncenter\" width=\"900\"] Figure 21. Valak version 41 configuration script with variable names and some values using obfuscated text.[\/caption]\r\n\r\nLike most obfuscation, this is likely an attempt to evade detection. 
As the weeks and months progress, we predict further obfuscation in Valak\u2019s configuration script and related files.\r\nShathak\/TA551 Distribution\r\nShathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. The distribution network may be associated with Russian cybercriminals. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak\/TA551 has been active at least as early as February 2019.\r\n\r\nShathak\/TA551 distribution has the following characteristics:\r\n\r\n \tMalspam spoofs legitimate email chains based on mailbox data retrieved from previously-infected Windows hosts. It sends copies of these email chains to senders and recipients from the original email chain.\r\n \tThe spoofed email chain includes a short message as the most recent item in the chain. This item is a generic message that instructs recipients to open an attached ZIP archive using a supplied password.\r\n \tThe password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020.\r\n \tThe macros usually generate a URL ending in .cab to retrieve a binary that installs malware. This binary is currently a DLL file. Appendix B lists examples of URLs from this campaign.\r\n \tPrior to April 2020, the most common malware caused by Word documents associated with Shathak\/TA551 was Ursnif.\r\n \tSince April 2020, the most common malware distributed by these Word documents has been Valak. 
Appendix C lists a series of Valak DLL examples from June 2020.\r\n \tSince May 2020, passwords used for the ZIP attachments appear to be unique to each recipient.\r\n\r\nTo get an idea of traffic patterns associated with Shathak\/TA551, recent examples of URLs generated by the associated Word macros follow (Read: Date - URL).\r\n\r\n \t2020-05-26 - hxxp:\/\/c1j4xptyujjpyt8[.]com\/gg88wyaftcxr7gu\/wo0zz.php?l=sfzs9.cab\r\n \t2020-05-27 - hxxp:\/\/ft23fpcu5yabw2[.]com\/alfh\/xzrn.php?l=lfahe9.cab\r\n \t2020-06-03 - hxxp:\/\/awh93dhkylps5ulnq-be[.]com\/czwih\/fxla.php?l=gap1.cab\r\n \t2020-06-09 - hxxp:\/\/a4zy33hbmhxx70w9q[.]com\/hdil\/kzex.php?l=soub12.cab\r\n \t2020-06-10 - hxxp:\/\/kzex9vp0jfw6a8up1[.]com\/hdil\/kzex.php?l=phin1.cab\r\n \t2020-06-22 - hxxp:\/\/5u2mr[.]com\/unbbmevd\/d76.php?l=oev1.cab\r\n \t2020-06-23 - hxxp:\/\/fepz41[.]com\/unbbmevd\/d76.php?l=ynetz11.cab\r\n \t2020-06-24 - hxxp:\/\/mbzrrt[.]com\/unbbmevd\/d76.php?l=ftywl4.cab\r\n \t2020-06-26 - hxxp:\/\/ofxvp[.]com\/unbbmevd\/d76.php?l=wozmbl9.cab\r\n \t2020-07-06 - hxxp:\/\/eto9ve1[.]com\/iz5\/yaca.php?l=tze7.cab\r\n\r\nAs noted previously, Appendix B provides more examples of these URLs generated by Word macros associated with Shathak\/TA551.\r\n\r\nFigures 22-30 provide screenshots with selected examples of malspam and the extracted Word documents associated with Shathak\/TA551. These images illustrate how the Shathak\/TA551 distribution has evolved since February 2019.\r\n\r\n[caption id=\"attachment_108143\" align=\"aligncenter\" width=\"900\"] Figure 22. Shathak\/TA551 malspam to an English-speaking recipient from February 4, 2019.[\/caption]\r\n\r\n[caption id=\"attachment_108145\" align=\"aligncenter\" width=\"900\"] Figure 23. Shathak\/TA551 malspam to an Italian-speaking recipient from April 2, 2019.[\/caption]\r\n\r\n[caption id=\"attachment_108147\" align=\"aligncenter\" width=\"900\"] Figure 24. 
Shathak\/TA551 malspam to an English-speaking recipient from July 22, 2019.[\/caption]\r\n\r\n \r\n\r\n[caption id=\"attachment_108149\" align=\"aligncenter\" width=\"900\"] Figure 25. Shathak\/TA551 malspam to a German-speaking recipient from October 30, 2019.[\/caption]\r\n\r\n \r\n\r\n[caption id=\"attachment_108151\" align=\"aligncenter\" width=\"900\"] Figure 26. Shathak\/TA551 malspam to a Japanese-speaking recipient from December 17, 2019.[\/caption]\r\n\r\n[caption id=\"attachment_108153\" align=\"aligncenter\" width=\"900\"] Figure 27. Shathak\/TA551 malspam to a German-speaking recipient from March 26, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_108155\" align=\"aligncenter\" width=\"900\"] Figure 28. Shathak\/TA551 malspam to an English-speaking recipient from April 28, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_108157\" align=\"aligncenter\" width=\"900\"] Figure 29. Shathak\/TA551 malspam to an English-speaking recipient from May 22, 2020.[\/caption]\r\n\r\n[caption id=\"attachment_108159\" align=\"aligncenter\" width=\"900\"] Figure 30. Shathak\/TA551 malspam to a German-speaking recipient from May 26, 2020.[\/caption]\r\n\r\nThis distribution network has generally pushed Ursnif in previous years, but since late April 2020, we\u2019ve most often seen Valak from Shathak\/TA551. In some cases, we still see Ursnif from this distribution, which recently happened on June 10, 2020, and July 7, 2020.\r\nConclusion\r\nAs we enter the second half of 2020, Valak shows no signs of slowing down. We expect to see further waves of malspam from Shathak\/TA551 distribution pushing Word documents with macros for Valak.\r\n\r\nDue to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. 
With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased.\r\n\r\nHowever, security best practices like running fully patched and up-to-date versions of Microsoft Windows will hinder or prevent Valak infections. Palo Alto Networks customers are further protected from Valak by our Threat Prevention subscription for the Next-Generation Firewall. AutoFocus users can search for Valak activity by using the Valak tag.\r\n\r\nAppendix A\r\n\r\nExamples of SHA256 file hashes along with the associated file names for Word documents from Shathak\/TA551 distribution during June 2020. Information available at: https:\/\/raw.githubusercontent.com\/pan-unit42\/iocs\/master\/Valak\/2020-June-SHA256-hashes-of-Word-docs-from-Shathak-TA551-distribution.txt\r\n\r\nAppendix B\r\n\r\nExamples of URLs generated by Word documents associated with Shathak\/TA551. Information available at: https:\/\/raw.githubusercontent.com\/pan-unit42\/iocs\/master\/Valak\/2020-03-23-to-2020-07-07-TA551-traffic-pattern-history-since-Valak.txt\r\n\r\nAppendix C\r\n\r\nExamples of SHA256 file hashes for Valak DLL files seen from Shathak\/TA551 distribution during June 2020. 
Information available at: https:\/\/raw.githubusercontent.com\/pan-unit42\/iocs\/master\/Valak\/2020-June-SHA256-hashes-of-Valak-DLL-files-from-Shathak-TA551-distribution.txt\r\n\r\n ","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/09_Security-Technology_Category_1920x900-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Brad Duncan"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='safe-svg-svg-icon-style-inline-css'> 
.safe-svg-cover{text-align:center}.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <style id='classic-theme-styles-inline-css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 
0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 
2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: 
var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) 
!important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='post-views-counter-frontend-css' 
href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.4.7' media='all' /> <link rel='stylesheet' id='wpml-legacy-post-translations-0-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' media='all' /> <link rel='stylesheet' id='unit42-v6-style-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/style.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-head-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/head-styles.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v5-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-plugin-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/plugin.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main-redesign.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='like-dislike-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/css/ldc-lite.css?ver=1.0.0' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script id="crayon_js-js-extra"> var CrayonSyntaxSettings = 
{"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta" id="crayon_js-js"></script> <script id="post-views-counter-frontend-js-before"> var pvcArgsFrontend = {"mode":"js","postID":108096,"requestURL":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","nonce":"d9c79f6de5","dataStorage":"cookies","multisite":false,"path":"\/","domain":""}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/js/frontend.min.js?ver=1.4.7" id="post-views-counter-frontend-js"></script> <script id="wpml-xdomain-data-js-extra"> var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en","_nonce":"7c3892bd55"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.6.13" id="wpml-xdomain-data-js" defer data-wp-strategy="defer"></script> <link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/108096" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=108096' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" 
href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fvalak-evolution%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fvalak-evolution%2F&format=xml" /> <meta name="generator" content="WPML ver:4.6.13 stt:1,28;" /> <meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ width:100%; padding-top:0px; padding-bottom:0px; } #wpdevart_info_counter_of_imgs{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_caption{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_title{ display: inline-block; padding-left:5px; padding-right:5px; font-size:15px; color:#000000; } @-webkit-keyframes rotate { to {-webkit-transform: rotate(360deg);} from {-webkit-transform: rotate(0deg);} } @keyframes rotate { to {transform: rotate(360deg);} from {transform: rotate(0deg);} } #wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{ -webkit-animation: rotate 2s linear infinite; animation: rotate 2s linear infinite; } </style> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="32x32" /> <link rel="icon" 
href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <meta name="msapplication-TileImage" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <script>var $ = jQuery;</script> <script type="text/javascript"> ;(function(win, doc, style, timeout) { var STYLE_ID = 'at-body-style'; function getParent() { return doc.getElementsByTagName('head')[0]; } function addStyle(parent, id, def) { if (!parent) { return; } var style = doc.createElement('style'); style.id = id; style.innerHTML = def; parent.appendChild(style); } function removeStyle(parent, id) { if (!parent) { return; } var style = doc.getElementById(id); if (!style) { return; } parent.removeChild(style); } addStyle(getParent(), STYLE_ID, style); setTimeout(function() { removeStyle(getParent(), STYLE_ID); }, timeout); }(window, document, "body {visibility:hidden !important}", 3000)); </script> <script src="https://assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script> <script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script> <script type="text/javascript"> var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./); if(isIE11){ var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/scripts/polyfill.min.js'; document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>'); } /** * String.prototype.replaceAll() polyfill * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ * @author Chris Ferdinandi * @license MIT */ if (!String.prototype.replaceAll) { String.prototype.replaceAll = function(str, newStr){ // If a regex pattern if (Object.prototype.toString.call(str).toLowerCase() === '[object 
regexp]') { return this.replace(str, newStr); } // If a string return this.replace(new RegExp(str, 'g'), newStr); }; } /*! lozad.js - v1.16.0 - 2020-09-06 */ !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict"; /** * Detect IE browser * @const {boolean} * @private */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 
1x u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}}); </script> <!-- <script src="https://www.google.com/recaptcha/api.js"></script> --> <!-- End: Scripts Migrated From Unit42-v5 --> </head> <body class="post-template-default single single-post postid-108096 single-format-standard no-sidebar"> <header class="haeder py-15 position-relative z-index-2" style="display: none;"> <div class="container px-sm-30 px-35"> <div class="row"> <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1"> <a 
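menu-item-object-page menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li> <li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li> </ul> </div> </nav> <div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;"> <div class="cleanHeader mainNavigationComp baseComponent parbase"> <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"> </div> </div> <div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none "></div> </div> </div> <!-- Start: Scripts Migrated From Unit42-v5 --> <script type="text/javascript">
// Navigation bootstrap migrated from the Unit42-v5 theme.
// Resolves which product "container" (Prisma, Cortex, Sase, Unit, Ngfw) the visitor
// arrived from, then fetches that container's header HTML from a fixed first-party
// URL and writes it into #PAN_2021_NAV_ASYNC.
// Depends on globals defined earlier in the page: maindomain_lang, main_site_url and $.

// Recognised container names, in the priority order the original if/else chain used.
var unit42NavContainers = ['Prisma', 'Cortex', 'Sase', 'Unit', 'Ngfw'];

/**
 * Percent-decode a cookie string without ever throwing.
 * decodeURIComponent raises URIError on a malformed escape, and any subdomain of
 * paloaltonetworks.com can set a cookie that reaches this page, so one bad value
 * must not abort the whole navigation bootstrap. Falls back to the raw string.
 */
function decodeCookieString(raw) {
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

/**
 * Return the value of cookie `cname`, or "" when it is not present.
 * Same lookup as before: decode the whole cookie header, split on ';',
 * trim leading spaces and scan for a `name=` prefix.
 */
function getCookie(cname) {
  var name = cname + "=";
  var parts = decodeCookieString(document.cookie).split(';');
  for (var i = 0; i < parts.length; i++) {
    var c = parts[i];
    while (c.charAt(0) == ' ') {
      c = c.substring(1);
    }
    if (c.indexOf(name) == 0) {
      return c.substring(name.length, c.length);
    }
  }
  return "";
}

// Step 1: hint stored in sessionStorage. First match in priority order wins.
var referer = "";
var pcontainer = sessionStorage.getItem("container");
var searchResultsPagePath = "";
if (pcontainer) {
  for (var ci = 0; ci < unit42NavContainers.length; ci++) {
    if (pcontainer.indexOf(unit42NavContainers[ci]) != -1) {
      referer = unit42NavContainers[ci];
      break;
    }
  }
}

// Step 2: handoff cookie from the main site overrides the stored hint.
// The cookie and referrer are only ever compared against fixed strings; they are
// never interpolated into a URL or into markup.
var fromRef = document.referrer;
var nContainer = getCookie("navContainer");
if (nContainer) {
  if (fromRef && fromRef.indexOf("prismacloud.io") != -1) {
    referer = 'Prisma';
    sessionStorage.setItem("container", "Prisma");
  } else if (fromRef.indexOf("paloaltonetworks.com") != -1 || fromRef.indexOf("paloaltonetworks.jp") != -1) {
    // Every matching name is applied in turn, so the LAST match in the list wins
    // (preserved from the original chain of independent ifs).
    for (var ki = 0; ki < unit42NavContainers.length; ki++) {
      if (nContainer.indexOf(unit42NavContainers[ki]) != -1) {
        referer = unit42NavContainers[ki];
        sessionStorage.setItem("container", unit42NavContainers[ki]);
      }
    }
    // The handoff cookie is one-shot: expire it once consumed.
    document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
  }
}

// Step 3: anything unrecognised falls back to the Unit 42 container.
if (unit42NavContainers.indexOf(referer) == -1) {
  referer = 'Unit';
  sessionStorage.setItem("container", "Unit");
}

/**
 * Request the header fragment for the resolved container and reveal its host element.
 * The renderer URLs below are the ONLY targets httpGet is pointed at for 'menu_html';
 * keep them fixed first-party constants, because the response is injected with
 * innerHTML. Also sets the global searchResultsPagePath for the container.
 * Note: the container is unhidden as soon as the request is sent, not when it completes
 * (kept from the original).
 */
function callMainSitePrismaNavHTML() {
  var referrer_domain = 'https://www.paloaltonetworks.com';
  var unit42Theme = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6';
  sessionStorage.setItem("domain", referrer_domain);
  var sources = {
    Prisma: { menu: referrer_domain + '/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html', search: referrer_domain + "/search/prismasearch" },
    Cortex: { menu: referrer_domain + '/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html', search: referrer_domain + "/search/cortexsearch" },
    Sase:   { menu: referrer_domain + '/_jcr_content/globals/cleanHeaderSase.saseRenderer.html', search: referrer_domain + "/search/sasesearch" },
    Unit:   { menu: unit42Theme + '/unit-nav-renderer.php', search: referrer_domain + "/content/pan/en_US/search/unit42search" },
    Ngfw:   { menu: unit42Theme + '/ngfw-cdss-nav-renderer.php', search: referrer_domain + "/search/ngfwcdsssearch" }
  };
  var menu_url;
  // hasOwnProperty guards against prototype keys; referer is already validated above.
  if (Object.prototype.hasOwnProperty.call(sources, referer)) {
    menu_url = sources[referer].menu;
    searchResultsPagePath = sources[referer].search;
  }
  httpGet(menu_url, 'menu_html');
  document.getElementById('main-nav-menu-cont').removeAttribute("style");
}

/**
 * Append a <style> element holding `styles` to <head>.
 * The styleSheet.cssText branch is the legacy IE path.
 */
function addStyle(styles) {
  var css = document.createElement('style');
  css.type = 'text/css';
  if (css.styleSheet) {
    css.styleSheet.cssText = styles;
  } else {
    css.appendChild(document.createTextNode(styles));
  }
  document.getElementsByTagName("head")[0].appendChild(css);
}

/**
 * Rewrite the fetched header fragment and inject it into #PAN_2021_NAV_ASYNC:
 * drops the Coveo search bundle reference and makes root-relative src/href/content
 * URLs absolute on the main site. innerHTML is a DOM injection sink — the fragment
 * is trusted only because it comes from the fixed URLs in callMainSitePrismaNavHTML.
 */
function installNavHtml(html) {
  var nav_text = html.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');
  nav_text = nav_text.replaceAll('src="/', 'src="' + maindomain_lang + '/');
  nav_text = nav_text.replaceAll("'/content", "'" + maindomain_lang + "/content");
  document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="' + maindomain_lang + '/');
  // Lazy-loaded backgrounds: unwrap the first single-quoted segment of
  // data-background-image (presumably a url('/path') value) and prefix the main-site origin.
  var lozad_back = document.getElementsByClassName('lozad-background');
  Array.prototype.forEach.call(lozad_back, function (el) {
    var el_back_img_path = el.getAttribute('data-background-image');
    if (!el_back_img_path) {
      return; // a missing attribute would otherwise throw and abort the remaining elements
    }
    var first_pos = el_back_img_path.indexOf("'");
    var last_pos = el_back_img_path.indexOf("'", first_pos + 1);
    el_back_img_path = el_back_img_path.substring(first_pos + 1, last_pos);
    el.setAttribute("data-background-image", main_site_url + el_back_img_path);
  });
}

/**
 * Async GET of `theUrl`. On a 200 response, `req_type` selects the handler:
 * 'menu_html' injects the header fragment, 'head_inline_css' appends it as a stylesheet.
 * Non-200 responses are ignored (best-effort, as before).
 */
function httpGet(theUrl, req_type) {
  // Local, not an implicit global: two in-flight requests must not share one object.
  var xmlhttp;
  if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
  } else {
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // legacy IE only
  }
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState != 4 || xmlhttp.status != 200) {
      return;
    }
    if (req_type == 'menu_html') {
      installNavHtml(xmlhttp.responseText);
    }
    if (req_type == 'head_inline_css') {
      addStyle(xmlhttp.responseText);
    }
  };
  xmlhttp.open("GET", theUrl, true);
  xmlhttp.send();
}

// Tag the nav container with the resolved product, then fetch its header.
if (referer == 'Prisma' || referer == 'Cortex' || referer == 'Sase' || referer == 'Unit' || referer == 'Ngfw') {
  const article = document.querySelector('#PAN_2021_NAV_ASYNC');
  if (referer == 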
'Prisma'){ article.dataset.type = 'prisma'; $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } else if(referer == 'Cortex'){ article.dataset.type = 'cortex'; } else if(referer == 'Sase'){ article.dataset.type = 'sase'; } else if(referer == 'Unit'){ article.dataset.type = 'unit'; } else if(referer == 'Ngfw'){ article.dataset.type = 'ngfw'; } //set class to default if(referer == 'Unit' || referer == 'Ngfw'){ $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } callMainSitePrismaNavHTML(); } </script> <!-- End: Scripts Migrated From Unit42-v5 --> <main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/09_Security-Technology_Category_1920x900.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="valak-evolution:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" title="Threat Research" data-page-track="true" data-page-track-value="valak-evolution:hero:breadcrumb:Threat Research">Threat Research</a></li><li class="is-current"><a href="https://unit42.paloaltonetworks.com/category/malware/" role="link" title="Malware" data-page-track="true" data-page-track-value="valak-evolution:hero:breadcrumb:Malware">Malware</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/malware/" role="link" data-page-track="true" data-page-track-value="valak-evolution:hero:Malware"><span class="ab-title__pre">Malware</span></a> <h1>Evolution of Valak, from Its Beginnings to Mass Distribution</h1> <div class="ab__video"> <span class="duration"> <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 11</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> <span class="ab-title__pre">Related Products</span><div class="ab__link-cards"><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cortex-xdr/" style="--card-color: #00cc66" role="link" title="Cortex XDR" data-page-track="true" data-page-track-value="valak-evolution:hero:Cortex XDR"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/cortex_RGB_logo_Icon_Color.png" alt="Cortex XDR icon">Cortex XDR</a></div> </div> </div> </div> <div class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="valak-evolution:hero:Brad Duncan" href="https://unit42.paloaltonetworks.com/author/bduncan/">Brad Duncan</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>July 24, 2020</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="valak-evolution:hero:Cybercrime" href="https://unit42.paloaltonetworks.com/category/cybercrime/">Cybercrime</a></li><li><a data-page-track="true" 
data-page-track-value="valak-evolution:hero:Malware" href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a></li><li><a data-page-track="true" data-page-track-value="valak-evolution:hero:Threat Research" href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="valak-evolution:hero:Valak" href="https://unit42.paloaltonetworks.com/tag/valak/">Valak</a></li></ul></div> </li> </ul> <div class="ab__options"> <ul role="list"> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/valak-evolution/?pdf=download&lg=en&_wpnonce=09a12da0f1" role="link" target="_blank" title="Click here to download" data-page-track="true" data-page-track-value="valak-evolution:hero:pdfdownload"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-download.svg" alt="Download Icon"></a></li> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/valak-evolution/?pdf=print&lg=en&_wpnonce=09a12da0f1" target="_blank" role="link" title="Click here to print" data-page-track="true" data-page-track-value="valak-evolution:hero:pdfprint"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-print.svg" alt="Print Icon"></a></li> </ul> <div class="ab__share" id="shareDropdown" role="button" aria-expanded="false"> <a href="#" role="link" title="Click here to share" data-page-track="true" data-page-track-value="valak-evolution:share" class="">Share<img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="Down arrow"></a><ul class="share-dropdown" role="menu"> <li role="menuitem"> <a href="#" class="copy-url" id="copyUrl" 
</section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/valak-evolution/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><strong>Executive Summary</strong></h2> <p>First noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our 
threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include:</p> <ul> <li>Valak relies on <a href="https://attack.mitre.org/techniques/T1053/005/">scheduled tasks</a> and <a href="https://attack.mitre.org/techniques/T1547/001/">Windows registry updates</a> to remain persistent on an infected Windows host.</li> <li>Valak uses <a href="https://www.sans.org/blog/alternate-data-streams-overview/">Alternate Data Stream (ADS)</a> as a technique to run follow-up malware on an infected host.</li> <li>Recent Valak infections show an increase in obfuscated code for configuration scripts used during the infection, possibly as an attempt to avoid detection.</li> <li>Since April 2020, we have seen a great deal of Valak malware distributed by an actor sometimes referred to as Shathak/TA551.</li> </ul> <p>This blog covers the history of Valak, reviews the chain of events for an infection, examines traffic generated by Valak and explores recent updates in obfuscation techniques used by the malware in order to evade detection. 
This blog also examines the Shathak/TA551 distribution system that has been consistently pushing Valak since April 2020.</p> <p>Palo Alto Networks customers are protected from Valak by our <a href="https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention">Threat Prevention subscription</a> for the Next-Generation Firewall.</p> <h2>Valak History</h2> <p>The earliest public record of Valak comes from Proofpoint's ET Pro ruleset, where <a href="https://www.proofpoint.com/us/daily-ruleset-update-summary-20191022">two rules detecting Valak were introduced on October 22, 2019</a>, for the Suricata Open Source threat detection engine.</p> <p>Valak was documented<a href="https://www.malware-traffic-analysis.net/2019/12/19/index.html"> as follow-up malware during an Ursnif infection</a> (also known as Gozi or IFSB) on December 19, 2019. <a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye">Analysis by Cybereason</a> revealed Valak used a combination of techniques to remain persistent on an infected Windows host. Valak relies on scheduled tasks combined with Windows registry updates. It also uses <a href="https://www.sans.org/blog/alternate-data-streams-overview/">Alternate Data Stream (ADS)</a> during the infection process for follow-up malware.</p> <p>Most examples of Valak in recent months have been distributed through malicious spam (malspam). 
SentinelLabs (SentinelOne) published <a href="https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/">a report providing further information about Valak</a>, including a connection between Valak malware distribution and campaigns similar to the “Gozi ConfCrew.” Distribution characteristics were further explored in a <a href="https://blog.talosintelligence.com/2020/07/valak-emerges.html">Threat Spotlight on Valak</a> published by Talos (Cisco).</p> <p>The distribution network using malspam to push Valak has been called <a href="https://twitter.com/luc4m/status/1265194192768315392">Shathak</a> on Twitter. Shathak has been <a href="https://malware.dontneedcoffee.com/refs/actors/ta551/">attributed to an actor named TA551</a> on the Malware Don’t Need Coffee blog.</p> <h2>Chain of Events</h2> <figure id="attachment_108101" aria-describedby="caption-attachment-108101" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108101 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image.jpeg" alt="This image illustrates the chain of events observed for recent Valak malware activity. Beginning with Shathak/TA551 distribution, the process includes malspam, a password-protected ZIP attachment, extracting a Word document with macros from that attachment, enabling macros and then leading to an HTTP URL ending in .cab. This leads to downloading the initial Valak binary, configuring the script for the initial infection activity, HTTP Valak C2 traffic, and making Valak persistent through a JS file, registry entries and scheduled tasks. More Valak C2 traffic can lead to follow-up malware added as ADS to a text file, initially run through a scheduled task. " width="900" height="517" /><figcaption id="caption-attachment-108101" class="wp-caption-text">Figure 1. 
Chain of events for recent Valak malware activity.</figcaption></figure> <p>Figure 1 shows the chain of events seen for Valak infections in June and early July 2020. For a Windows computer to become infected, a victim must:</p> <ul> <li>Open malspam with password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment.</li> <li>Extract Microsoft Word document from the password-protected ZIP archive using a unique password from the message text.</li> <li>Open the Word document as shown below in Figure 2 and enable macros.</li> </ul> <figure id="attachment_108103" aria-describedby="caption-attachment-108103" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108103 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-1.jpeg" alt="The text in the screenshot reads: "This document created in previous version of Microsoft Office Word. To view or edit this document, please click 'Enable editing' button on the top bar, and then click 'Enable content.'" This message is designed to trick the recipient into enabling macros for Valak. " width="900" height="663" /><figcaption id="caption-attachment-108103" class="wp-caption-text">Figure 2. 
Example of a Microsoft Word document from June 24, 2020, with macros for Valak.</figcaption></figure> <p>For Valak infections during June 2020, the initial activity consisted of:</p> <ul> <li>An HTTP or HTTPS URL ending with <span style="font-family: 'courier new', courier, monospace;">.cab</span> that returned a DLL to install Valak.</li> <li>Valak DLL was saved to the <span style="font-family: 'courier new', courier, monospace;">C:\ProgramData\</span> directory using a random file name, usually with a <span style="font-family: 'courier new', courier, monospace;">.dat</span> or <span style="font-family: 'courier new', courier, monospace;">.jpg</span> file extension, as shown in Figure 3.</li> <li>Valak DLL was run using <span style="font-family: 'courier new', courier, monospace;">regsvr32.exe -s</span> <em>[filename]</em></li> <li>Popup message stating the DLL was successfully run, as shown in Figure 4.</li> <li>A JavaScript configuration file appeared as a random file name (always the same name for each wave of infections) under the <span style="font-family: 'courier new', courier, monospace;">C:\Users\Public\ directory</span>, as shown in Figures 5 and 6.</li> <li>Initial HTTP command and control (C2) traffic returned encoded ASCII text used to create additional malware/artifacts for the infection.</li> </ul> <figure id="attachment_108105" aria-describedby="caption-attachment-108105" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108105 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-2.jpeg" alt="Valak DLL is saved to the C:\ProgramData\ directory using a random file name, as shown in this screenshot. " width="900" height="349" /><figcaption id="caption-attachment-108105" class="wp-caption-text">Figure 3. 
Initial Valak DLL retrieved after enabling macros on the Word document from Figure 2.</figcaption></figure> <figure id="attachment_108107" aria-describedby="caption-attachment-108107" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108107 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-3.jpeg" alt="Message shown in screenshot: RegSvr32, DllRegisterServer in c:\programdata\51508.jpg succeeded. A link is present for the user to click OK. " width="900" height="340" /><figcaption id="caption-attachment-108107" class="wp-caption-text">Figure 4. Pop-up message on a Windows 10 host when an initial Valak DLL was successfully run using RegSvr32.exe after macros were enabled on June 24, 2020.</figcaption></figure> <figure id="attachment_108109" aria-describedby="caption-attachment-108109" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108109 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-4.jpeg" alt="A JavaScript configuration file appears as a random file name under the C:\Users\Public\ directory" width="900" height="291" /><figcaption id="caption-attachment-108109" class="wp-caption-text">Figure 5. Initial script file in C:\Users\Public\ directory used during Valak infection from June 24, 2020.</figcaption></figure> <figure id="attachment_108111" aria-describedby="caption-attachment-108111" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108111 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-5.jpeg" alt="The screenshot shows how Valak obfuscates variable names in the JavaScript configuration file. This is an example of obfuscation that we have noted since June 2020. " width="900" height="500" /><figcaption id="caption-attachment-108111" class="wp-caption-text">Figure 6. 
Contents of the JavaScript configuration file from June 24, 2020.</figcaption></figure> <p>Figure 6 reveals variable names are obfuscated in the JavaScript configuration file. This is an example of obfuscation that we have noted since June 2020, and it is covered in more detail later in this blog when discussing Valak developments.</p> <p>As the infection progressed, several things happened near-simultaneously to make Valak persistent on an infected Windows host:</p> <ul> <li>A Windows executable (EXE) appeared in the infected user's <span style="font-family: 'courier new', courier, monospace;">AppData\Local\Temp</span> directory as a random file name ending in <span style="font-family: 'courier new', courier, monospace;">.bin</span> (PE32 executable, Mono/.Net assembly), as shown in Figure 7.</li> <li>Windows registry entries were created under the key <span style="font-family: 'courier new', courier, monospace;">HKCU\SOFTWARE\ApplicationContainer\Appsw64</span>.</li> <li>A randomly-named text file and JavaScript (JS) file both appeared under the <span style="font-family: 'courier new', courier, monospace;">C:\Users\Public\</span> directory, as shown in Figures 8, 9 and 10.</li> <li>A scheduled task was created to run the JS file located under <span style="font-family: 'courier new', courier, monospace;">C:\Users\Public\</span> and repeat running it every four minutes, as shown in Figure 11.</li> </ul> <figure id="attachment_108113" aria-describedby="caption-attachment-108113" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108113 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-6.jpeg" alt="A Windows executable appeared in the infected user's AppData\Local\Temp directory as a random file name ending in .bin" width="900" height="286" /><figcaption id="caption-attachment-108113" class="wp-caption-text">Figure 7. 
EXE file with a .bin file extension from the June 24, 2020, Valak infection.</figcaption></figure> <figure id="attachment_108115" aria-describedby="caption-attachment-108115" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108115 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-7.jpeg" alt="A randomly-named text file and JavaScript (JS) file both appeared under the C:\Users\Public\ directory." width="900" height="349" /><figcaption id="caption-attachment-108115" class="wp-caption-text">Figure 8. Additional artifacts in the C:\Users\Public\ directory created during the infection.</figcaption></figure> <figure id="attachment_108117" aria-describedby="caption-attachment-108117" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108117 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-8.jpeg" alt="Displayed in WordPad, we see the contents of the text file, which is a random string. " width="900" height="480" /><figcaption id="caption-attachment-108117" class="wp-caption-text">Figure 9. Contents of the text file, a random string of text.</figcaption></figure> <figure id="attachment_108119" aria-describedby="caption-attachment-108119" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108119 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-9.jpeg" alt="Within the contents of the JS file used to keep the Valak infection persistent, we identified a 32-character ASCII string representing a hexadecimal value that identifies the infected Windows host" width="900" height="500" /><figcaption id="caption-attachment-108119" class="wp-caption-text">Figure 10. 
Contents of the JS file used to keep the Valak infection persistent.</figcaption></figure> <figure id="attachment_108121" aria-describedby="caption-attachment-108121" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108121 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-10.jpeg" alt="The screenshot shows the context of a scheduled task that keeps the Valak infection persistent. Some of the text reads: "Smart Update Service - After triggered, repeat every 00:04:00 indefinitely."" width="900" height="363" /><figcaption id="caption-attachment-108121" class="wp-caption-text">Figure 11. Scheduled task for JS file used to keep the Valak infection persistent.</figcaption></figure> <p>If the C2 domains remained active during the infection, as early as four minutes later, we saw follow-up malware:</p> <ul> <li>Valak C2 traffic returned encoded ASCII text used to create a follow-up malware EXE.</li> <li>The follow-up malware EXE was appended to the randomly-named text file in <span style="font-family: 'courier new', courier, monospace;">C:\Users\Public</span> using ADS, as shown in Figure 12.</li> <li>A scheduled task was created to run the follow-up malware EXE once, shortly after it was created, as shown in Figure 13.</li> </ul> <figure id="attachment_108123" aria-describedby="caption-attachment-108123" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108123 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-11.jpeg" alt="The top section of the screenshot shows the AlternateStreamView, appended with ADS for follow-up malware. The lower section of the screenshot shows the text file modified after it first appeared. " width="900" height="494" /><figcaption id="caption-attachment-108123" class="wp-caption-text">Figure 12. 
Text file in C:\Users\Public\ directory updated with ADS.</figcaption></figure> <figure id="attachment_108125" aria-describedby="caption-attachment-108125" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108125 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-12.jpeg" alt="In addition to Smart Update Service, the screenshot shows an additional scheduled task to run follow-up malware (WSUPackage...)" width="900" height="363" /><figcaption id="caption-attachment-108125" class="wp-caption-text">Figure 13. Scheduled task to run the follow-up malware.</figcaption></figure> <p>In our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid">IcedID</a> as the follow-up malware. In one case, we saw both IcedID and <a href="https://threatpost.com/netsupport-manager-rat-nortonlifelock-docs/153387/">NetSupport Manager RAT-based malware</a> delivered as follow-up malware on a Windows 7 host <a href="https://twitter.com/malware_traffic/status/1276640971367776259">from June 2020</a>.</p> <h2><strong>Valak Infection Traffic</strong></h2> <p>The infection starts when a victim enables macros on one of the malicious documents. This usually generates a URL ending with <span style="font-family: 'courier new', courier, monospace;">.cab</span> that returns a Windows DLL file. Figure 14 shows <a href="https://www.malware-traffic-analysis.net/2020/06/24/index.html">a Valak infection from June 24, 2020</a>, filtered in Wireshark to list the HTTP requests and other web-based traffic. The first line shows a URL that ends with <span style="font-family: 'courier new', courier, monospace;">.cab</span>. 
A TCP stream of this activity is shown in Figure 15, and it reveals signs of an EXE or DLL file returned from the server.</p> <figure id="attachment_108127" aria-describedby="caption-attachment-108127" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108127 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-13.jpeg" alt="This shows a log of traffic from a Valak infection with IcedID as the follow-up malware." width="900" height="504" /><figcaption id="caption-attachment-108127" class="wp-caption-text">Figure 14. Traffic from a Valak infection with IcedID as the follow-up malware from June 2020 filtered in Wireshark.</figcaption></figure> <figure id="attachment_108129" aria-describedby="caption-attachment-108129" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108129 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-14.jpeg" alt="Indicators of an EXE or DLL file returned from the server. " width="900" height="484" /><figcaption id="caption-attachment-108129" class="wp-caption-text">Figure 15. TCP stream for the HTTP GET request ending in .cab that returned a Windows DLL file.</figcaption></figure> <p><a href="https://www.virustotal.com/gui/file/0f0d870fcad3e935d191e4076bfdc3812c278c3bdb6ec2233d71d9cf14a04a17/">Checking the binary in VirusTotal</a> shows this file is a DLL. This DLL is an installer for Valak. 
Shortly after the initial HTTP traffic for the Valak DLL, we see other HTTP GET requests starting with:</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">license.jsp?client=</span></li> <li><span style="font-family: 'courier new', courier, monospace;">archive.jsp?page=</span></li> <li><span style="font-family: 'courier new', courier, monospace;">db.aspx?dfc=</span></li> </ul> <p>The HTTP requests are Valak C2 traffic, which is sent to decoy domains (non-malicious domains from legitimate organizations) and malicious domains. These domains are listed in the initial Valak script previously shown in Figure 5. For example, for Valak infections from the June 24, 2020, wave, the decoy domains were:</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">e87.dspb.akamaidege.net</span></li> <li><span style="font-family: 'courier new', courier, monospace;">insiderppe.cloudapp.net</span></li> <li><span style="font-family: 'courier new', courier, monospace;">pagead46.l.doubleclick.net</span></li> </ul> <p>Also noted in Figure 5 are the malicious domains from the June 24, 2020, wave of Valak:</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">thepicklepilot.com</span></li> <li><span style="font-family: 'courier new', courier, monospace;">joonaskallinen.com</span></li> <li><span style="font-family: 'courier new', courier, monospace;">xfitnessproducts.com</span></li> </ul> <p>Figure 5 also shows three additional domains from the June 24, 2020, wave of Valak. 
These domains appear to be fake or possibly placeholders because they were not registered and did not resolve to any IP address.</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">59xidd-fuel.com</span></li> <li><span style="font-family: 'courier new', courier, monospace;">19geds-space.com</span></li> <li><span style="font-family: 'courier new', courier, monospace;">55sfors-cask.com</span></li> </ul> <p>Valak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection. Figure 16 shows an example of this traffic.</p> <figure id="attachment_108131" aria-describedby="caption-attachment-108131" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108131 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-15.jpeg" alt="Valak C2 over HTTP traffic returning ASCII data used to create malware items on the victim host." width="900" height="674" /><figcaption id="caption-attachment-108131" class="wp-caption-text">Figure 16. Valak C2 over HTTP traffic returning ASCII data used to create malware items on the victim host.</figcaption></figure> <p>In addition to HTTP GET requests, Valak uses HTTP POST requests to exfiltrate certain types of data. 
In Figures 17 and 18, we see an HTTP POST request starting with <span style="font-family: 'courier new', courier, monospace;">class4.aspx?internalService=</span> that sends login credentials used for Microsoft Outlook from an infected Windows host.</p> <figure id="attachment_108133" aria-describedby="caption-attachment-108133" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108133 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-16.jpeg" alt="HTTP POST request seen on a Valak-infected Windows host with Outlook" width="900" height="479" /><figcaption id="caption-attachment-108133" class="wp-caption-text">Figure 17. Valak infection traffic filtered in Wireshark showing an HTTP POST request from the C2 traffic.</figcaption></figure> <figure id="attachment_108135" aria-describedby="caption-attachment-108135" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108135 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-17.jpeg" alt="The screenshot shows login credentials of email account used for Microsoft Outlook on the infected Windows host. It also shows a base64 string that translates to Outlook login credentials of the Valak-infected host. " width="900" height="574" /><figcaption id="caption-attachment-108135" class="wp-caption-text">Figure 18. TCP stream of the HTTP POST request showing a base64 string containing Outlook login credentials of the infected host.</figcaption></figure> <p>We primarily see IcedID as follow-up malware from the Valak infections generated from U.S. locations. 
Figure 19 shows indicators of IcedID during the Valak infection traffic.</p> <figure id="attachment_108137" aria-describedby="caption-attachment-108137" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108137 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-18.jpeg" alt="IcedID traffic during the Valak infection (malicious domains noted by the arrows in the screenshot)" width="900" height="504" /><figcaption id="caption-attachment-108137" class="wp-caption-text">Figure 19. Indicators of IcedID as the follow-up malware during this Valak infection.</figcaption></figure> <h2><strong>Recent Developments</strong></h2> <p>As Valak has developed, we have noticed increased obfuscation in the Valak configuration script. This obfuscation finds its way into other script and Windows registry updates used to keep the infection persistent. Figure 20 shows configuration script from June 23, 2020, using Valak software version 40. Figure 21 shows configuration script from June 24, 2020, using Valak software version 41. Note how variable names and some of the values were obfuscated when Valak changed from version 40 to version 41.</p> <figure id="attachment_108139" aria-describedby="caption-attachment-108139" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108139 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-19.jpeg" alt="Valak configuration script from June 23, 2020, shows software (Valak) signature, software (Valak) version, and variable names and values in plain text. " width="900" height="575" /><figcaption id="caption-attachment-108139" class="wp-caption-text">Figure 20. 
Valak version 40 configuration script with variable names and values in plain text.</figcaption></figure> <figure id="attachment_108141" aria-describedby="caption-attachment-108141" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108141 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-20.jpeg" alt="A Valak configuration script from June 24, 2020, shows software (Valak) signature, software (Valak) version, and variable names and values now using encoded strings. " width="900" height="575" /><figcaption id="caption-attachment-108141" class="wp-caption-text">Figure 21. Valak version 41 configuration script with variable names and some values using obfuscated text.</figcaption></figure> <p>Like most obfuscation, this is likely an attempt to evade detection. As the weeks and months progress, we predict further obfuscation in Valak’s configuration script and related files.</p> <h2><strong>Shathak/TA551 Distribution</strong></h2> <p>Shathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. The distribution network <a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye#Relationship-Other-Malware">may be associated with Russian cybercriminals</a>. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak/TA551 has been active at least as early as February 2019.</p> <p>Shathak/TA551 distribution has the following characteristics:</p> <ul> <li>Malspam spoofs legitimate email chains based on mailbox data retrieved from previously-infected Windows hosts. It sends copies of these email chains to senders and recipients from the original email chain.</li> <li>The spoofed email chain includes a short message as the most recent item in the chain. 
This item is a generic message that instructs recipients to open an attached ZIP archive using a supplied password.</li> <li>The password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See <a href="https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Word-docs-from-Shathak-TA551-distribution.txt">Appendix A</a> for examples of these Word documents from June 2020.</li> <li>The macros usually generate a URL ending in .cab to retrieve a binary that installs malware. This binary is currently a DLL file. <a href="https://www.virustotal.com/gui/file/0f0d870fcad3e935d191e4076bfdc3812c278c3bdb6ec2233d71d9cf14a04a17/">Appendix B</a> lists examples of URLs from this campaign.</li> <li>Prior to April 2020, the most common malware caused by Word documents associated with Shathak/TA551 was Ursnif.</li> <li>Since April 2020, the most common malware distributed by these Word documents has been Valak. <a href="https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Valak-DLL-files-from-Shathak-TA551-distribution.txt">Appendix C</a> lists a series of Valak DLL examples from June 2020.</li> <li>Since May 2020, passwords used for the ZIP attachments appear to be unique to each recipient.</li> </ul> <p>To get an idea of traffic patterns associated with Shathak/TA551, recent examples of URLs generated by the associated Word macros follow (Read: Date - URL).</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">2020-05-26 - hxxp://c1j4xptyujjpyt8[.]com/gg88wyaftcxr7gu/wo0zz.php?l=sfzs9.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-05-27 - hxxp://ft23fpcu5yabw2[.]com/alfh/xzrn.php?l=lfahe9.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-03 - hxxp://awh93dhkylps5ulnq-be[.]com/czwih/fxla.php?l=gap1.cab</span></li> <li><span style="font-family: 'courier new', courier, 
monospace;">2020-06-09 - hxxp://a4zy33hbmhxx70w9q[.]com/hdil/kzex.php?l=soub12.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-10 - hxxp://kzex9vp0jfw6a8up1[.]com/hdil/kzex.php?l=phin1.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-22 - hxxp://5u2mr[.]com/unbbmevd/d76.php?l=oev1.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-23 - hxxp://fepz41[.]com/unbbmevd/d76.php?l=ynetz11.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-24 - hxxp://mbzrrt[.]com/unbbmevd/d76.php?l=ftywl4.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-06-26 - hxxp://ofxvp[.]com/unbbmevd/d76.php?l=wozmbl9.cab</span></li> <li><span style="font-family: 'courier new', courier, monospace;">2020-07-06 - hxxp://eto9ve1[.]com/iz5/yaca.php?l=tze7.cab</span></li> </ul> <p>As noted previously, <a href="https://www.virustotal.com/gui/file/0f0d870fcad3e935d191e4076bfdc3812c278c3bdb6ec2233d71d9cf14a04a17/">Appendix B</a> provides more examples of these URLs generated by Word macros associated with Shathak/TA551.</p> <p>Figures 22-30 provide screenshots with selected examples of malspam and the extracted Word documents associated with Shathak/TA551. These images illustrate how the Shathak/TA551 distribution has evolved since February 2019.</p> <figure id="attachment_108143" aria-describedby="caption-attachment-108143" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108143 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-21.jpeg" alt="Screenshot reads: "Good Morning, Please see the attached proposal!" It continues by offering a zip password and closeout. The extracted document, request 11, opens with a message attempting to trick the user into enabling macros. 
" width="900" height="551" /><figcaption id="caption-attachment-108143" class="wp-caption-text">Figure 22. Shathak/TA551 malspam to an English-speaking recipient from February 4, 2019.</figcaption></figure> <figure id="attachment_108145" aria-describedby="caption-attachment-108145" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108145 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-22.jpeg" alt="Screenshot reads: "Buongiorno, Vedi allegato e di confermare." It continues by offering a zip password and closeout. The extracted document, doc_02.04, opens with a message attempting to trick the user into enabling macros. " width="900" height="556" /><figcaption id="caption-attachment-108145" class="wp-caption-text">Figure 23. Shathak/TA551 malspam to an Italian-speaking recipient from April 2, 2019.</figcaption></figure> <figure id="attachment_108147" aria-describedby="caption-attachment-108147" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108147 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-23.jpeg" alt="Screenshot reads: "Good morning, Please see attached and confirm." It continues by offering a zip password and closeout. The extracted document, info_07.22, opens with a message attempting to trick the user into enabling macros. " width="900" height="555" /><figcaption id="caption-attachment-108147" class="wp-caption-text">Figure 24. Shathak/TA551 malspam to an English-speaking recipient from July 22, 2019.</figcaption></figure> <p> </p> <figure id="attachment_108149" aria-describedby="caption-attachment-108149" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108149 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-24.jpeg" alt="Screenshot reads: "Guten Morgen, siehe Anhang." It continues by offering a zip password and closeout. 
The extracted document, info_10.30, opens with a message attempting to trick the user into enabling macros. " width="900" height="554" /><figcaption id="caption-attachment-108149" class="wp-caption-text">Figure 25. Shathak/TA551 malspam to a German-speaking recipient from October 30, 2019.</figcaption></figure> <figure id="attachment_108151" aria-describedby="caption-attachment-108151" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108151 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-25.jpeg" alt="Screenshot includes a Japanese-language greeting. It continues by offering a zip password and closeout. The extracted document, info_12_18, opens with a message attempting to trick the user into enabling macros. " width="900" height="610" /><figcaption id="caption-attachment-108151" class="wp-caption-text">Figure 26. Shathak/TA551 malspam to a Japanese-speaking recipient from December 17, 2019.</figcaption></figure> <figure id="attachment_108153" aria-describedby="caption-attachment-108153" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108153 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-26.jpeg" alt="Screenshot reads: &quot;Guten Morgen, Siehen Sie bitte die beigefugle Datei.&quot; It continues by offering a zip password and closeout. The extracted document, information_03.26, opens with a message attempting to trick the user into enabling macros. " width="900" height="571" /><figcaption id="caption-attachment-108153" class="wp-caption-text">Figure 27. 
Shathak/TA551 malspam to a German-speaking recipient from March 26, 2020.</figcaption></figure> <figure id="attachment_108155" aria-describedby="caption-attachment-108155" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108155 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-27.jpeg" alt="Screenshot reads: &quot;Please see the attached document.&quot; It continues by offering a zip password and closeout. The Zip archive includes many documents, which when extracted, open with a message attempting to trick the user into enabling macros. " width="900" height="574" /><figcaption id="caption-attachment-108155" class="wp-caption-text">Figure 28. Shathak/TA551 malspam to an English-speaking recipient from April 28, 2020.</figcaption></figure> <figure id="attachment_108157" aria-describedby="caption-attachment-108157" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108157 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-28.jpeg" alt="Screenshot reads: &quot;Good Morning, Please see the attached document.&quot; It continues by offering a zip password and closeout. The Zip archive includes many documents, which when extracted, open with a message attempting to trick the user into enabling macros. " width="900" height="571" /><figcaption id="caption-attachment-108157" class="wp-caption-text">Figure 29. Shathak/TA551 malspam to an English-speaking recipient from May 22, 2020.</figcaption></figure> <figure id="attachment_108159" aria-describedby="caption-attachment-108159" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-108159 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2020/07/word-image-29.jpeg" alt="Figure 30. Shathak/TA551 malspam to a German-speaking recipient from May 26, 2020." width="900" height="573" /><figcaption id="caption-attachment-108159" class="wp-caption-text">Figure 30. 
Shathak/TA551 malspam to a German-speaking recipient from May 26, 2020.</figcaption></figure> <p>This distribution network generally pushed Ursnif in previous years, but since late April 2020, we’ve most often seen Valak from Shathak/TA551. In some cases, we still see Ursnif from this distribution, most recently on June 10, 2020, and July 7, 2020.</p> <h2><strong>Conclusion</strong></h2> <p>As we enter the second half of 2020, Valak shows no signs of slowing down. We expect to see further waves of malspam from Shathak/TA551 distribution pushing Word documents with macros for Valak.</p> <p>Because its complex infection process relies in part on storing malware code in the registry, Valak can easily infect an unprotected Windows host. The use of alternate data streams (ADS) to hide follow-up malware from a Valak infection increases the risk further.</p> <p>However, security best practices such as running fully patched and up-to-date versions of Microsoft Windows will hinder or prevent Valak infections. Palo Alto Networks customers are further protected from Valak by our Threat Prevention subscription for the Next-Generation Firewall. <a href="https://www.paloaltonetworks.com/cortex/autofocus">AutoFocus</a> users can search for Valak activity by using the <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Valak">Valak</a> tag.</p> <p>Appendix A</p> <p>Examples of SHA256 file hashes along with the associated file names for Word documents from Shathak/TA551 distribution during June 2020. Information available at: <a href="https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Word-docs-from-Shathak-TA551-distribution.txt">https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Word-docs-from-Shathak-TA551-distribution.txt</a></p> <p>Appendix B</p> <p>Examples of URLs generated by Word documents associated with Shathak/TA551. 
Information available at: <a href="https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-03-23-to-2020-07-07-TA551-traffic-pattern-history-since-Valak.txt">https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-03-23-to-2020-07-07-TA551-traffic-pattern-history-since-Valak.txt</a></p> <p>Appendix C</p> <p>Examples of SHA256 file hashes for Valak DLL files seen from Shathak/TA551 distribution during June 2020. Information available at: <a href="https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Valak-DLL-files-from-Shathak-TA551-distribution.txt">https://raw.githubusercontent.com/pan-unit42/iocs/master/Valak/2020-June-SHA256-hashes-of-Valak-DLL-files-from-Shathak-TA551-distribution.txt</a></p> </div>
and InvisibleFerret Malware</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/social-engineering/" title="social engineering" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:social engineering">Social engineering</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Python">Python</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" title="Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" 
data-card-link="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-video-cta-tracking="valak-evolution:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:card:video-modal:Read the article" data-video-title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <div class="card-media has-video" data-video="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg"> <figure> <img width="718" height="440" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg" class="lozad" alt="A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg 718w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-1143x700.jpg 1143w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-768x470.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg 1505w" sizes="(max-width: 718px) 100vw, 718px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time 
datetime="2024-10-01T10:00:05+00:00">October 1, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <h4 class="post-title">Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/machine-learning/" title="Machine Learning" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Machine Learning">Machine Learning</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of keylogger malware like KLogEXE and FPSpy. Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-26T10:00:51+00:00">September 26, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy"> <h4 class="post-title">Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/mitre/" title="MITRE" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:MITRE">MITRE</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/keylogger/" title="Keylogger" role="link" 
data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Keylogger">Keylogger</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" title="Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy" role="link" data-page-track="true" data-page-track-value="valak-evolution:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> </div> </div> <div class="l-container bs__controls"> <div class="bs__progress"><span></span></div> <div class="bs__navigation"> <ul> <li> <button id="prevButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> <li> <button id="nextButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> </ul> </div> </div> </div> <div class="be-enlarge-modal" id="enlargedModal"> <div class="be-enlarge-modal__wrapper"> <figure> <button class="close__modal" id="closeModal"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button"></button> <img class="be__enlarged-image" id="enlargedImage" src="" alt="Enlarged Image"> <figcaption> </figcaption> </figure> </div> </div> </div> </section> </main> <!-- Start: Footer 
data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia">Cyberpedia</a> </li> <li class="footer-menu-nav__item "> <a href="https://events.paloaltonetworks.com/" role="link" title="Event Center" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center">Event Center</a> </li> <li class="footer-menu-nav__item "> <a href="https://start.paloaltonetworks.com/preference-center" role="link" title="Manage Email Preferences" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences">Manage Email Preferences</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/products/products-a-z" role="link" title="Products A-Z" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z">Products A-Z</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs" role="link" title="Product Certifications" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications">Product Certifications</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/security-disclosure" role="link" title="Report a Vulnerability" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability">Report a Vulnerability</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sitemap" role="link" title="Sitemap" data-page-track="true" data-page-track-value="footer:Popular 
links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap">Sitemap</a> </li> <li class="footer-menu-nav__item "> <a href="https://docs.paloaltonetworks.com/" role="link" title="Tech Docs" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs">Tech Docs</a> </li> <li class="footer-menu-nav__item "> <a href="https://unit42.paloaltonetworks.com/" role="link" title="Unit 42" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs:Unit 42">Unit 42</a> </li> <li class="footer-menu-nav__item "> <a href="https://panwedd.exterro.net/portal/dsar.htm?target=panwedd" target=_blank role="link" title="Do Not Sell or Share My Personal Information" data-page-track="true" data-page-track-value="footer:Popular links:Blog:Communities:Content Library:Cyberpedia:Event Center:Manage Email Preferences:Products A-Z:Product Certifications:Report a Vulnerability:Sitemap:Tech Docs:Unit 42:Do Not Sell or Share My Personal Information">Do Not Sell or Share My Personal Information</a> </li> </ul> </nav> </div> </div> </div> </div> </div> </div> <div class="footer-bottom"> <div class="l-container"> <div class="footer-logo"> <a href="https://www.paloaltonetworks.com/" role="link" title="Footer Nav" data-page-track="true" data-page-track-value="footer:logo:Palo Alto Networks"> <img width="245" height="46" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/palo-alto-footer-logo.svg" class="attachment-medium size-medium" alt="" decoding="async" loading="lazy" /> </a> </div> <div class="footer-bottom__wrapper"> <div class="footer-bottom-nav"> <nav> <ul 
class="footer-menu-nav__list"> <li> <a href="https://www.paloaltonetworks.com/legal-notices/privacy" role="link" title="Privacy" data-page-track="true" data-page-track-value="footer:bottom-menu:Privacy">Privacy</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal-notices/trust-center" role="link" title="Trust Center" data-page-track="true" data-page-track-value="footer:bottom-menu:Trust Center">Trust Center</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" role="link" title="Terms of Use" data-page-track="true" data-page-track-value="footer:bottom-menu:Terms of Use">Terms of Use</a> </li> <li> <a href="https://www.paloaltonetworks.com/legal" role="link" title="Documents" data-page-track="true" data-page-track-value="footer:bottom-menu:Documents">Documents</a> </li> </ul> </nav> <br/><span class="copyright">Copyright © 2024 Palo Alto Networks. All Rights Reserved</span> </div> <div class="footer-bottom-social"> <ul> <li> <a href="https://www.youtube.com/user/paloaltonetworks" target="_blank" role="link" title="YouTube" data-page-track="true" data-page-track-value="footer:social:Youtube"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/youtube-black.svg" alt="YouTube"> </a> </li> <li> <a href="https://twitter.com/Unit42_Intel" target="_blank" role="link" title="X" data-page-track="true" data-page-track-value="footer:social::Twitter"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/x-icon-black.svg" alt="Twitter"> </a> </li> <li> <a href="https://www.facebook.com/PaloAltoNetworks/" target="_blank" role="link" title="Facebook" data-page-track="true" data-page-track-value="footer:social:Facebook"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/Facebook_Icon.svg" alt="Facebook"> </a> </li> <li> <a 
href="https://www.linkedin.com/company/palo-alto-networks" target="_blank" role="link" title="LinkedIn" data-page-track="true" data-page-track-value="footer:social:LinkedIn"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/LinkedIn_Icon.svg" alt="LinkedIn"> </a> </li> <li> <a href="https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/" role="link" title="Podcast" data-page-track="true" data-page-track-value="footer:social:Podcast"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/Podcast.svg" alt="Podcast"> </a> </li> </ul> <div class="pa language-dropdown"> <div class="language-dropdown__wrapper"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/globe-icon.svg" alt="Globe icon"> <span id="selectedLanguage">EN</span> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="Down arrow"><ul><li class="title">Select your language</li> <li class="selected" data-value="en"> <a data-page-track="true" data-page-track-value="footer:language-selector:en" href="https://unit42.paloaltonetworks.com/valak-evolution/">USA (ENGLISH)</a> </li> <li class="non-active" data-value="en"> <a data-page-track="true" data-page-track-value="footer:language-selector:ja" href="https://unit42.paloaltonetworks.jp/valak-evolution/">JAPAN (日本語)</a> </li></ul> </div> </div> </div> </div> </footer> <div class="dd-overlay"> </div> <!-- Start: video modal --> <div class="modal video__modal" id="videoModal" tabindex="-1"> <div class="modal__video-wrapper"> <button class="modal__play-btn is-minimized is-paused" id="playPauseBtn"> <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play"> <img class="pause" 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause"> </button> <button class="modal__minimize-btn is-minimized"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize"> </button> <button class="modal__close"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button"> </button> <video class="modal__video" id="customVideo"> <source src="" type="video/mp4">Your browser does not support the video tag. </video> <div class="modal__post-details" tabindex="-1"> <h3>Default Heading</h3> <a class="l-btn" href="#" title="Right Arrow Icon" role="link" data-page-track="true" data-page-track-value="overview:explore reports:View all reports">Read the article <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow"> </a> </div> <div class="modal__video-controls"> <div class="modal__video-seekbar input__wrapper"><span></span> <label class="is-hidden" for="modalSeekBar">Seekbar</label> <input class="custom-range" id="modalSeekBar" type="range" min="0" max="100" value="1"> <p class="modal__remaining-time"></p> </div> <button class="modal__play-btn is-paused" id="playPauseBtn"> <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play"> <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause"> </button> <div class="modal__volume-controls"> <div class="modal__volume__wrapper"> <button tabindex="0"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-volume.svg" alt="Volume"> </button> <div class="modal__volume-seekbar"><span></span> <label class="is-hidden" for="volumeBar">Volume</label> <input 
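class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7"> </div> </div>
<button class="modal__minimize-btn" id="minimizeBtn"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize"> </button>
</div> </div> </div> </div><!-- End: video modal -->
<script>
  // Like/dislike counter for the post. Sends the vote to the plugin's AJAX
  // endpoint and writes the returned count into the clicked element's <span>.
  // `isProcessing` is a page-global guard so a double click cannot send a
  // second vote before the first response arrives.
  var isProcessing = false;

  /**
   * Record a like/dislike for a post.
   * @param {Element} obj      the clicked counter element (holds the <span> and <svg>)
   * @param {string|number} post_id  WordPress post id the vote belongs to
   * @param {string} ul_type   vote type expected by the endpoint ("up_type" field)
   */
  function alter_ul_post_values(obj, post_id, ul_type) {
    if (isProcessing) return;
    isProcessing = true;
    // Nonce rendered into the page by WordPress; the endpoint validates it
    // server-side, so it must travel with every request.
    var like_nonce = jQuery('#_wpnonce').val();
    jQuery(obj).find("span").html("..");
    jQuery.ajax({
      type: "POST",
      url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
      // Passed as an object so jQuery URL-encodes each value. The former
      // string concatenation sent the values raw, so an '&', '=' or '+' in any
      // of them would have corrupted the form body or added extra parameters.
      data: { post_id: post_id, up_type: ul_type, ul_nonce: like_nonce },
      success: function (msg) {
        // NOTE(review): the response is inserted as HTML. The endpoint is
        // same-origin and is expected to return only the new count; if it can
        // ever echo text influenced by other users, switch this to .text(msg).
        jQuery(obj).find("span").html(msg);
        jQuery(obj).find('svg').children('path').attr('stroke', '#0050FF');
        jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
      },
      complete: function () {
        // Reset on every outcome. The guard was previously released only in
        // `success`, so one failed request locked the button for the rest of
        // the page's lifetime.
        isProcessing = false;
      }
    });
  }
</script>
<link rel="stylesheet" id="wpdevart_lightbox_front_end_css-css" href="https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.6.2" media="all">
<script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script>
  // Lazy-load every element carrying .lozad or .lozad-background (images use
  // data-src instead of src until they scroll into view).
  const observer_lozad = lozad('.lozad, .lozad-background');
  observer_lozad.observe();

  window.PAN_Clean_Util = { isIE: false };
  (function () {
    // INP Util Fix: lets long-running handlers yield to the main thread.
    function yieldToMain(ms) {
      return new Promise(resolve => setTimeout(resolve, ms));
    }
    window.PAN_Clean_Util.yieldToMain = yieldToMain;
  })();

  // NOTE(review): `referer` is not declared in this script; it is presumably
  // set by an earlier script on the page — confirm it is always defined, as a
  // ReferenceError here would abort the rest of this block.
  if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
    // Configuration consumed by the main-site navigation/search scripts
    // loaded further down.
    var Coveo_organizationId = "paloaltonetworksintranet";
    var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
    var languageFromPath = "en_US";
    window.Granite = window.Granite || {};
    // Minimal stand-in for the AEM Granite i18n API: only the two strings the
    // embedded search UI asks for are translated; anything else yields "".
    Granite.I18n = (function () {
      var self = {};
      self.setLocale = function (locale) { };
      self.get = function (text, snippets, note) {
        var out = "";
        if (text) {
          if (text === "coveo.clear") {
            out = "Clear";
          } else if (text === "coveo.noresultsfound") {
            out = "No results found for this search term.";
          }
        }
        return out;
      };
      return self;
    }());
  }

  // All navigation bundles are fetched from the main-site origin fixed in
  // `maindomain_lang` (a constant https URL set earlier in the page), never
  // from a value taken from the request.
  var main_site_critical_top = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
  var main_site_defered = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
  var main_site_criticalTopBase = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js';
  var main_site_criticalTopProductNav = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js';
  window.PAN_MainNavAsyncUrl = maindomain_lang + "/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

  /**
   * Append a <script src=url> to <head>; fire-and-forget.
   * @param {string}  url   script URL (one of the main_site_* constants above)
   * @param {boolean} defer when true the tag gets the `defer` attribute
   */
  function loadScript(url, defer) {
    var script1 = document.createElement('script');
    script1.setAttribute('type', 'text/javascript');
    script1.setAttribute('src', url);
    if (defer == true) {
      script1.setAttribute('defer', 'defer');
    }
    document.head.appendChild(script1);
  }

  /**
   * Append a <script src=url> to <head> and invoke `callback` once it has
   * loaded. The readyState branch is the legacy IE path; every other browser
   * takes the onload path.
   * @param {string}   url      script URL
   * @param {Function} callback invoked after the script has executed
   */
  function loadScript1(url, callback) {
    var script = document.createElement("script");
    script.type = "text/javascript";
    if (script.readyState) { //IE
      script.onreadystatechange = function () {
        if (script.readyState == "loaded" || script.readyState == "complete") {
          script.onreadystatechange = null;
          callback();
        }
      };
    } else { //Others
      script.onload = function () {
        callback();
      };
    }
    script.src = url;
    document.getElementsByTagName("head")[0].appendChild(script);
  }

  if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
    // Navigation bundles are deliberately delayed 3 s so they do not compete
    // with the article's own critical resources. The product nav must be
    // initialised only after its bundle has executed, hence loadScript1.
    if (referer == "Unit") {
      setTimeout(function () {
        loadScript(main_site_criticalTopBase, false);
        loadScript1(main_site_criticalTopProductNav, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    } else {
      setTimeout(function () {
        loadScript1(main_site_critical_top, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    }
  }

  $(document).ready(function () {
    setTimeout(function () {
      $('.article-banner .ab__options ul li a').each(function () {
        var $link = $(this);
        $link.attr('target', "_blank");
        // A link opened in a new tab keeps a window.opener reference to this
        // page unless rel="noopener" is set (reverse tabnabbing); current
        // browsers imply it for target=_blank, older ones do not. Existing
        // rel tokens are preserved.
        var rel = ($link.attr('rel') || '').split(/\s+/).filter(Boolean);
        if (rel.indexOf('noopener') === -1) {
          rel.push('noopener');
        }
        $link.attr('rel', rel.join(' '));
      });
    }, 4000);
  });
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
</body>
</html>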