From labs.sentinelone.com
- Valak is multi-stage, script-based malware used in campaigns reminiscent of Gozi ConfCrew.
- The overlapping campaign structure has led to some sandbox reports misidentifying Valak as Gozi.
- Emails are harvested and used in ‘Reply Chain Attacks’ to further spread the malware with a purpose-built plugin, ‘exchgrabber’.
- A newly discovered plugin called ‘clientgrabber’ is also used to steal email credentials from the registry.