Valak Malware and the Connection to Gozi Loader ConfCrew


  • Valak uses multi-stage, script-based malware in campaigns reminiscent of Gozi ConfCrew.
  • The overlapping campaign structure has led to some sandbox reports misidentifying Valak as Gozi.
  • Emails are harvested and used in ‘Reply Chain Attacks’ to further spread the malware with a purpose-built plugin, ‘exchgrabber’.
  • A newly discovered plugin called ‘clientgrabber’ is also used to steal email credentials from the registry.

