SecurityWeek

Malware Trends: What’s Old Is Still New

Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it.

It’s clear that cybercrime is one of the world’s most lucrative illicit industries – possibly taking the top spot. Threat actors are getting more meticulous and inventive in their ploys, even reviving outdated and long-forgotten techniques, thanks to their own brand of Key Performance Indicators linked to return on investment. After all, if a successful remake of an old classic can generate new revenue, producers will embrace it.

Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it. That’s one reason they are leveraging existing infrastructure and older threats to maximize opportunity. As a security professional, you need to know what attackers are up to so you can focus your resources appropriately.

Remaking the classics

When the FortiGuard Labs research team looked at the second half of 2022, code reuse (old code being retrofitted into new versions) and the re-emergence of well-known names in the botnet, malware and wiper space – such as Emotet and GandCrab, among others – served as a reminder that threats and malware never truly go away. They merely retreat underground and wait for another opportunity. And they are available wholesale any time to anyone who wants to buy them.

In fact, the majority of the top malware observed was more than a year old. Some malware types were antiquated by cybersecurity standards. Many lawful software initiatives recycle code to create fresh applications on an established foundation, which allows room for improvement. Each version also has the potential to branch out and develop into something distinct, and the code can be improved upon, modified and released again.

What does it then look like when criminals alter their “applications” in this way? Let’s look at Emotet as an example.

Emotet just won’t quit

Emotet, first discovered as a banking trojan in 2014, continues to wreak havoc. The malware family, which steals sensitive and private information from victims’ computers, has infected more than a million devices and is considered one of the most dangerous threats of the decade. More recently, it has been spread through malicious Microsoft Office files, called maldocs, which are attached to phishing emails. An Excel 4.0 macro or a VBA macro is used to run malicious code that downloads and starts the Emotet malware as soon as the victim opens the associated document.

Researchers investigated the propensity of 98 different Emotet variations to “borrow” code among themselves. We discovered that Emotet had undergone significant speciation in the nine years since it originally surfaced. Using fairly sophisticated network community detection algorithms, we found that these 98 variants can be divided into about six different “species” of malware, practically all of which share at least some of their code.
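To make the code-reuse analysis above concrete, here is an added illustration (not FortiGuard Labs’ code) of the same idea on constructed data: each variant is reduced to a set of opaque function fingerprints, variants whose overlap meets a threshold are linked, and each connected group of the resulting graph is reported as one “species”. Connected components stand in here for the community detection algorithms the research used; the variant names and fingerprints are invented.

```python
"""Group malware variants into "species" by the code they share."""
from itertools import combinations

# Constructed sample data: variant name -> set of function fingerprints
# (e.g. hashes of normalized basic blocks). Invented for illustration only.
VARIANTS = {
    "v1": {"f01", "f02", "f03", "f04", "f05"},
    "v2": {"f01", "f02", "f03", "f04", "f06"},   # near-copy of v1
    "v3": {"f02", "f03", "f04", "f07", "f08"},   # shares loader code with v1/v2
    "v4": {"f20", "f21", "f22", "f23"},
    "v5": {"f20", "f21", "f22", "f24"},          # near-copy of v4
    "v6": {"f30", "f31", "f32"},                 # unrelated lineage
}


def jaccard(a, b):
    """Fraction of fingerprints two variants have in common (0.0 .. 1.0)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_graph(variants, threshold):
    """Undirected graph linking variants whose code overlap meets the threshold."""
    graph = {name: set() for name in variants}
    for x, y in combinations(variants, 2):
        if jaccard(variants[x], variants[y]) >= threshold:
            graph[x].add(y)
            graph[y].add(x)
    return graph


def species(variants, threshold=0.4):
    """Return the species as a sorted list of sorted variant-name lists."""
    graph = build_graph(variants, threshold)
    seen, groups = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, group = [start], []
        while stack:                      # depth-first walk of one component
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            group.append(node)
            stack.extend(graph[node] - seen)
        groups.append(sorted(group))
    return sorted(groups)


if __name__ == "__main__":
    for i, group in enumerate(species(VARIANTS), 1):
        print(f"species {i}: {', '.join(group)}")
```

Raising the threshold splits a lineage into finer species; lowering it merges variants that only share a loader or packer stub, which is the trade-off any such clustering has to make.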

What started as a banking Trojan has been adapted to become a malware distribution botnet. Emotet spreads using spam messages, and after it has accessed a system, it keeps doing so by connecting to the contacts list of that system. Emotet disappeared in January 2021, but it is resilient and came back in November of that year with a vengeance. Conti, the criminal organization based in Russia, is thought to have used Emotet up to May 2022, when the group was shut down.

Emotet is robust because it mainly depends on polymorphism for its packer, allowing it to easily get around legacy AV tools. The creators of Emotet are also changing how they behave, adjusting tactics to avoid detection and increasing the likelihood that their intended targets will open their spam emails. After seizing control of a computer, it exploits the victim’s email account and inbox to launch subsequent attacks.

Combatting the retro trend

Winning the war against code reuse and variant frequency is about response time. Your ability to defend against, identify, and neutralize such risks quickly determines the success of your security stance and your ability to keep your enemies out. Clouds, networks, endpoints and email must all have automated and centrally managed defenses. Using strategies like segmentation throughout the distributed network makes it simpler to detect and stop lateral movement across your infrastructure when architectural designs change.

Last but not least, analytics powered by machine learning will assist in correlating atypical behaviors into a warning that requires immediate assessment and action. AI/ML-based tools can also detect new mutations of malware families like Emotet. For businesses determined to protect their environment, operationalizing the MITRE ATT&CK framework against attackers’ TTP profiles and regularly testing fresh tactics against your cybersecurity tools are essential. Solutions and services for attack simulation can aid in gap analysis and closure.

Defeating dangerous trends

Like cable reruns of our favorite childhood TV shows, everything old is new again in the world of malware. But unlike those shows, malware is not a welcome diversion but a serious threat that must be proactively addressed. Emotet is just one example of the current malware reboot trend that organizations need to be aware of. Use the defensive strategies noted above to defend against this dangerous retread.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
