Threat Spotlight: Modular Malware
Defend your business against evolving and sophisticated modular malware attacks.
Barracuda researchers have seen a spike in the use of modular malware since the beginning of 2019. A recent analysis of email attacks targeting Barracuda customers identified more than 150,000 unique malicious files in the first five months of the year.
Here’s a closer look at modular malware and solutions to help detect and block attacks.
Modular Malware — Cybercriminals use email to deliver modular malicious software, also known as modular malware. An ever-increasing trend, modular malware provides an architecture that is more robust, evasive and dangerous than typical document-based or web-based malware. Modular malware includes—and can selectively launch—different payloads and functionality, depending on the target and the goal of the attack.
Most malware is distributed as a document attachment that is sent via spam to widely-circulated email lists. These email lists are sold, traded, aggregated, and revised as they move through the dark web.
Once an infected document is opened, either the malware is automatically installed or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than malware attacks.
With the rise of botnets executing commands provided by cybercriminals and malware written for wide-spread distribution, modularity has become the new norm. Malware authors are increasingly organized and continue to adopt and implement software-industry practices, including quality assurance and testing, to improve the success of attacks. In response to the demand to meet multiple needs with one widely-distributed malware file, modular malware has evolved to become more feature-rich and flexible.
Typically, modular malware involves a very basic initial payload. Once a foothold has been established on the system, the payload connects to a remote C2 (command and control) server for additional payloads. This enables information about the system to be sent and processed by the C2 server and for additional payloads to be chosen server-side based on that information or potentially not chosen if an analysis environment is detected. This approach has been used in banking trojans, including Emotet, TrickBot, and CoreBot, as well as in infostealers, including LokiBot and Pony.
Detecting and Blocking Modular Malware
The rapidly evolving threat environment requires a multi-layered protection strategy—one that closes the technical and human gaps—for every organization to maximize its email security performance and minimize the risk of falling victim to sophisticated attacks like modular malware.
Advanced inbound and outbound security techniques should be deployed, including malware detection, spam filters, firewalls, and sandboxing.
For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The URL for the executable can often be flagged using heuristics or threat intelligence systems. Obfuscation detected by static analysis can also indicate whether a document may be suspicious.
While many malicious emails appear convincing, spam filters and related security software can pick up subtle clues and help block potentially-threatening messages and attachments from reaching email inboxes. If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
In addition, encryption and DPL help secure against accidental and malicious data loss. Plus, email archiving is critical for compliance and business-continuity purposes.
Backup helps recover from data deletion, and continuity ensures that critical emails can get sent during a potential outage.
Stop attacks that can bypass the email gateway. Artificial intelligence should be used for spear-phishing protection, and DMARC validation detects and prevents email and domain spoofing.
This top layer of email defense for every business is the most critical. Make phishing simulation and training part of security-awareness training. Ensure end users are aware of new types of attacks, show them how to identify potential threats and transform them from a security liability into a line of defense by testing the effectiveness of in-the-moment training and evaluating the users most vulnerable to attacks.