Malware Trends: What’s Old Is Still New


It’s clear that cybercrime is one of the world’s most lucrative illicit industries – possibly taking the top spot. Threat actors are getting more meticulous and inventive in their ploys, even reviving outdated and long-forgotten techniques, thanks to their own brand of Key Performance Indicators linked to return on investment. After all, if a successful remake of an old classic can generate new revenue, producers will embrace it.

Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it. That’s one reason they are leveraging existing infrastructure and older threats to maximize opportunity. As a security professional, you need to know what attackers are up to so you can focus your resources appropriately.

Remaking the classics

When the FortiGuard Labs research team looked at the second half of 2022, code reuse (old code being retrofitted into new versions) and the re-emergence of well-known names in the botnet, malware and wiper space – such as Emotet and GandCrab, among others – served as a reminder that threats and malware never truly go away. They merely retreat underground and wait for another opportunity. And they are available wholesale any time to anyone who wants to buy them.

In fact, the majority of the top malware observed was more than a year old. Some malware types were antiquated by cybersecurity standards. Many legitimate software projects reuse code to build fresh applications on an established foundation, which allows room for improvement. Each version also has the potential to branch out and develop into something distinct, and the code can be improved upon, modified and released again.

What does it then look like when criminals alter their “applications” in this way? Let’s look at Emotet as an example.

Emotet just won’t quit


Emotet, first discovered as a banking trojan in 2014, continues to wreak havoc. The malware family, which steals sensitive and private information from victims’ computers, has infected more than a million devices and is considered one of the most dangerous threats of the decade. More recently, it’s been spread through malicious Microsoft Office files, called maldocs, which are included in phishing emails. An Excel 4.0 Macro or a VBA Macro is used to run malicious code that downloads and starts the Emotet malware as soon as the victim opens the associated document.

Researchers investigated the propensity of 98 different Emotet variations to “borrow” code amongst themselves. We discovered that Emotet had undergone significant speciation in the nine years since it originally surfaced. Using fairly sophisticated network community detection algorithms, we found that these 98 variants can be divided into about six different “species” of malware, practically all of which share at least some of their code.
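The kind of analysis described above can be sketched as follows. This is an added example, not FortiGuard Labs' code or method: the article does not say which features or algorithm were used, so the per-function hashes, the Jaccard overlap measure, the label-propagation algorithm and the six constructed variants are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed data: variant -> set of function-level code hashes (placeholders).
SAMPLES = {
    "v1": {"a", "b", "c", "d"}, "v2": {"a", "b", "c", "e"},
    "v3": {"a", "b", "d", "e"}, "v4": {"p", "q", "r", "s"},
    "v5": {"p", "q", "r", "a"}, "v6": {"p", "q", "s", "t"},
}

def jaccard(x, y):
    """Fraction of code blocks two variants have in common."""
    return len(x & y) / len(x | y)

def similarity_graph(samples, min_sim=0.1):
    """Weighted graph: edge between variants whose code overlap >= min_sim."""
    graph = {name: {} for name in samples}
    for a, b in combinations(sorted(samples), 2):
        sim = jaccard(samples[a], samples[b])
        if sim >= min_sim:
            graph[a][b] = graph[b][a] = sim
    return graph

def communities(graph, max_rounds=50):
    """Deterministic weighted label propagation; returns sorted groups."""
    label = {n: n for n in graph}
    for _ in range(max_rounds):
        changed = False
        for node in sorted(graph):
            if not graph[node]:
                continue  # isolated variant keeps its own label
            score = {}
            for nbr, w in graph[node].items():
                score[label[nbr]] = score.get(label[nbr], 0.0) + w
            # Strongest label wins; ties go to the alphabetically first label.
            best = min(score, key=lambda l: (-score[l], l))
            if best != label[node]:
                label[node], changed = best, True
        if not changed:
            break
    groups = {}
    for node, lab in label.items():
        groups.setdefault(lab, []).append(node)
    return sorted(sorted(g) for g in groups.values())

def shared_between(samples, groups):
    """Code hashes that appear in more than one community (reused code)."""
    per_group = [set().union(*(samples[v] for v in g)) for g in groups]
    return sorted({h for x, y in combinations(per_group, 2) for h in x & y})

if __name__ == "__main__":
    species = communities(similarity_graph(SAMPLES))
    print(species, shared_between(SAMPLES, species))
```

For a defender, the hashes returned by `shared_between` are the interesting output: code that survives across otherwise distinct clusters is a more durable detection anchor than any single variant's file hash.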

What started as a banking Trojan has been adapted to become a malware distribution botnet. Emotet spreads using spam messages, and after it has accessed a system, it keeps spreading by using that system’s contacts list. Emotet disappeared in January 2021, but it is resilient and came back in November of that year with a vengeance. Conti, the criminal organization based in Russia, is thought to have used Emotet up to May 2022, when the group was shut down.

Emotet is robust because it mainly depends on polymorphism for its packer, allowing it to easily get around legacy AV tools. The creators of Emotet are also changing how they behave, adjusting tactics to avoid detection and increasing the likelihood that their intended targets will open their spam emails. After seizing control of a computer, it exploits the victim’s email account and inbox to launch subsequent attacks.

Combatting the retro trend

Winning the war against code reuse and variant frequency is about response time. Your ability to defend against, identify, and neutralize such risks quickly determines the success of your security stance and your ability to keep your enemies out. Clouds, networks, endpoints and email must all have automated and centrally managed defenses. Using strategies like segmentation throughout the distributed network makes it simpler to detect and stop lateral movement across your infrastructure when architectural designs change.

Last but not least, analytics powered by machine learning will assist in correlating atypical behaviors into a warning that requires immediate assessment and action. AI/ML-based tools can also detect new mutations of viruses like Emotet. For businesses determined to protect their environment, operationalizing the MITRE ATT&CK system on attackers’ TTP profiles and regularly testing fresh tactics against your cybersecurity tools are essential. Solutions and services for attack simulation can aid in gap analysis and closure.

Defeating dangerous trends

Like cable reruns of our favorite childhood TV shows, everything old is new again in the world of malware. But unlike those shows, malware is not a welcome diversion but a serious threat that must be proactively addressed. Emotet is just one example of the current malware reboot trend that organizations need to be aware of. Use the defensive strategies noted above to defend against this dangerous retread.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
