Barracuda researchers have noted a spike in the use of modular malware since the start of 2019, with recent research on email attacks targeting their customers revealing over 150,000 unique malicious files in just the first 5 months of the year - but what exactly is modular malware, and what increased threat does this pose to businesses in comparison to traditional malware types?


What is Modular Malware?

Modular malware is an advanced threat that uses a multi-stage approach to attack targeted systems. This means that, instead of packing all of its operations into a single payload, modular malware will try to fly under the radar by gradually releasing its attack one stage at a time.

These 'stages' differ between malware strains, but in general they all begin with a first stage that installs the strain's main component before it scouts out the system and network security to find vulnerabilities and other essential insights. The findings from this initial survey of the environment are then used to influence future modules, creating a completely personalised attack.


Comparison with Traditional Malware

Although modular malware isn't a completely new threat, the adaptive nature of its approach makes it much harder to detect, and potentially much more damaging to target organisations. To better understand the heightened threat that comes with this attack method, we have listed the various advantages of modular malware compared to traditional tactics.

  • Personal: The attacker can gain quality insights into the company's staff, operations, exploits, and more in a short time after the initial infection

  • Reactive: Based on the insights gathered in the first stage, the malware author can quickly alter the malicious signature to evade antivirus protection and other relevant security solutions

  • Subtle: Unlike alternative approaches, the modules that are used for the initial infection stage are very small, making it somewhat easier for them to go unnoticed

  • Dynamic: With a variety of different module combinations that can be released in different orders, it's near-impossible for security researchers to pin down a pattern that can help identify future attacks


Real World Examples


In August 2018 security researchers noted millions of phishing emails, primarily targeting financial institutions, with all of them leading to the same malware payload - Marap. These emails all included an attachment of some kind containing the malicious macros that would lead to the execution of Marap. Researchers were most concerned about the ability to download other modules and payloads, saying "the modular nature allows actors to add new capabilities as they become available or download additional modules post infection. To date, we have observed it download a system fingerprinting module that performs simple reconnaissance."



Established since 2016, Trickbot is a perfect example of how an ever-changing modular structure allows malware to continually evade detection and adapt to the changing threat climate, with attacks still being seen 3 years on. Trickbot is often described as a banking malware, but in reality this describes just one of its many modules that have been developed over the years, including a password grabber, system/network reconnaissance, and code injection.

[Figure: A look at Trickbot's typical infection chain]


Detecting and Blocking Modular Malware

Advanced malware attacks of this kind are typically delivered via email - often through spear phishing campaigns - but due to their ability to alter their malicious signature and more, these attacks can't be stopped by gateway security alone. Instead, a multi-layered strategy is needed to effectively prevent these targeted attacks - malware and otherwise. 
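To illustrate why a single signature check is not enough, the following added example (not Barracuda's code or product logic) correlates endpoint events per host against the stage order described in this article. The event names, hosts and timestamps are constructed assumptions, not output from any real tool.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (host, timestamp, event kind). Not real logs.
EVENTS = [
    ("ws-01", "2019-05-02T09:00:05", "office_macro_spawned_process"),
    ("ws-01", "2019-05-02T09:00:09", "small_binary_download"),
    ("ws-01", "2019-05-02T09:03:40", "system_fingerprinting"),
    ("ws-01", "2019-05-02T09:20:11", "additional_module_download"),
    ("ws-02", "2019-05-02T10:15:00", "system_fingerprinting"),  # lone event
    ("ws-03", "2019-05-02T11:00:00", "office_macro_spawned_process"),
    ("ws-03", "2019-05-03T16:00:00", "small_binary_download"),  # outside window
]

# Stage order as the article describes it: macro attachment, small first
# stage, reconnaissance, then further modules. Names are hypothetical labels.
STAGES = [
    "office_macro_spawned_process",
    "small_binary_download",
    "system_fingerprinting",
    "additional_module_download",
]

def stage_progress(events, window=timedelta(hours=2)):
    """Return {host: count of stages seen in order inside the time window}."""
    by_host = defaultdict(list)
    for host, ts, kind in events:
        by_host[host].append((datetime.fromisoformat(ts), kind))
    progress = {}
    for host, items in by_host.items():
        items.sort()
        idx, start = 0, None
        for ts, kind in items:
            if start is not None and ts - start > window:
                break  # chain went stale; later events are not linked to it
            if idx < len(STAGES) and kind == STAGES[idx]:
                start = start or ts  # the window opens at the first stage
                idx += 1
        progress[host] = idx
    return progress

def flag_hosts(events, min_stages=3):
    """Hosts where enough consecutive stages line up to warrant triage."""
    return sorted(h for h, n in stage_progress(events).items() if n >= min_stages)

if __name__ == "__main__":
    print(stage_progress(EVENTS), flag_hosts(EVENTS))
```

Each event on its own is unremarkable; only the ordered sequence on one host within a short window stands out, which is the kind of signal a layer behind the email gateway can provide.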

For more information on building a multi-layered strategy of this kind, take a look at Barracuda's Total Email Protection stack, which combines the functionality of 3 different email security solutions to provide users with gateway protection, inbox defence, user awareness training, and forensics & incident response. 

Barracuda’s suite of purpose-built security solutions builds on years of experience and leverages a global network to provide an easy, economical, scalable, and powerful way for organisations to address these advanced threats.

