Since the end of last year we notice a wave of phishing mails containing the downloader Valyria. Valyria is an office document with a VBA macro which is reloads several kinds of spyware.


Initially, phishing attacks animate the victim to activate the macro function of Microsoft Office. For this, the invaders use the methods represented in the following screenshots.



As soon as the macro is excecuted, it reloads a visual basic, delphi or c# spyware, which then begins to collect information within the system, sending it to their command-and-control-server.


While the Valyria downloader is relatively easy to identify, the precise identification of reloaded malware proofs to be significantly harder. That is because the tools the cyber criminals have used are highly configurable. Signatures detected various versions of Spyware Agent Tesla, LokiBot and Kryptik, as well as Androm Backdoors. The behavioural analysis of the reloaded malware shows that they all have one thing in common: they diligently collect information such as passwords, browser data, credentials and connectivity data of FTP and email clients, instant messengers, general keyboard activities as well as screenshots in their victim’s systems.


The behavioural analysis of the ATP sandbox reliably recognizes Valyria and the behaviour of reloaded spyware since the beginning of the campaign.  Due to the amount of emails of that kind, we developed additional filter rules in order to protect our costumers from all different variants of this malware.


Here is an excerpt from the ATP report from one of the spyware samples:


Hornetsecurity ATP Report