Modular Malware - Evolving Malware Authoring

Malware, or malicious software, is code used to disrupt a target or victim system. The most common delivery method is spam, or more specifically malspam: attackers use a list of email addresses crawled from the internet or bought on dark web markets.

The malware is attached to an email that is sent in bulk to the victims on this list. As soon as a victim opens the attachment, either the malware runs directly on the system or a dedicated script downloads it from an external source, such as a compromised website or a newly registered domain owned by the malware author.

This is the payload that performs its tasks without authorization, such as stealing sensitive information, dumping passwords and cookies from browsers, gaining access to the network the target system is connected to, and more. All of this is done in stealth mode, i.e., without the user being aware of it.

Traditionally, a single malware file is compiled with all of its functionality into one payload that does the trick. But as the software industry evolves, so do malware authors. Recent sightings show malware being pushed to victim systems in a modular fashion.

This makes the malware more sophisticated and harder for anti-virus vendors to detect and block. This approach of deploying malicious code in separate stages is known as modular malware.

Modular Malware Framework

This modular approach works in the stages depicted in the figure below:

[Figure: Modular Malware Framework]

The modular malware framework depicted in the above figure works as follows:
  • The process starts with the malware author sending an email with a malicious file attached to the victim's email address (this is the most common method used today; there are other ways as well, such as tricking the user into downloading the malware via fraudulent websites, or free content download sites whose ads have such files injected, etc.)
  • Once the victim downloads the attached malicious file and opens it, the initial payload included in the malware starts a reconnaissance task to grab details of the victim's system environment, such as:
    1. Is it a sandbox environment?
    2. Which anti-virus product is in use
    3. Which permission levels have been granted
    4. Network security in place
    5. Vulnerabilities with the best chance of successful exploitation
    6. Etc.
  • Next, this scouted information about the victim's system is sent back to the Command & Control (C2) server owned by the malware author, which works out the best way to compromise the system completely.
  • The C2 server then checks whether the victim system is valuable, in terms of exploitation success, network security, reach to a bigger audience, etc. If the answer is yes, the C2 server proceeds; otherwise the malware simply terminates itself.
  • If the answer is yes, the C2 server sends the next-stage payload with additional modules customized for the victim's environment.
  • A backdoor tunnel now exists between the C2 and the victim's system. The malicious client stub residing on the victim's system waits for commands from the C2 to execute; the C2 sends out commands and does the rest of the work.

After this, the C2 invokes various malicious activities on the victim's end, such as sending spam, grabbing valuable information such as passwords and login sessions of RDC applications (VNC, FileZilla, etc.), infecting other systems on the network (behaving like a worm), and many other malware-specific functions.

Unlike traditional malware bundled into a single payload file, modular malware begins with a much smaller payload that simply connects to the C2 server, grabs the environment information and sends it back. This initial payload is relatively small and easy to obfuscate as well.
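The staging pattern described above (a small outbound reconnaissance report, followed shortly by a much larger download of the follow-on module from the same external domain) is something a defender can look for in proxy logs. The following is an added example, not code from the original post; the log format, domain names, size thresholds and time window are all constructed assumptions for illustration.

```python
# Added example (not from the original post): flag the staged-delivery
# pattern in constructed proxy log lines. A hit is a host that sends a
# small POST to an external domain and, within a short window, pulls a
# much larger response (the next-stage module) from the same domain.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp client method domain bytes_out bytes_in
SAMPLE_LOG = """\
2024-03-01T09:00:02 10.1.1.20 POST update-check.example 612 140
2024-03-01T09:00:41 10.1.1.20 GET update-check.example 98 412300
2024-03-01T09:01:05 10.1.1.33 GET cdn.example 120 88000
2024-03-01T09:02:10 10.1.1.33 POST cdn.example 500 200
2024-03-01T09:03:00 10.1.1.44 POST update-check.example 700 100
2024-03-01T10:30:00 10.1.1.44 GET update-check.example 90 500000
"""

def parse_line(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, client, method, domain, b_out, b_in = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "domain": domain,
            "bytes_out": int(b_out), "bytes_in": int(b_in)}

def find_staged_deliveries(log_text, window=timedelta(minutes=5),
                           max_beacon_out=2048, min_module_in=100_000):
    """Return (client, domain, beacon_ts, fetch_ts) for each match."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        events[(rec["client"], rec["domain"])].append(rec)
    hits = []
    for (client, domain), recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, beacon in enumerate(recs):
            # Candidate beacon: small POST (the environment report)
            if beacon["method"] != "POST" or beacon["bytes_out"] > max_beacon_out:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - beacon["ts"] > window:
                    break  # too far apart to be the same staging sequence
                if later["method"] == "GET" and later["bytes_in"] >= min_module_in:
                    hits.append((client, domain, beacon["ts"], later["ts"]))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_staged_deliveries(SAMPLE_LOG):
        print("staged delivery suspected:", hit)
```

Only 10.1.1.20 matches in the sample: 10.1.1.33 fetches before it posts, and 10.1.1.44's large download falls outside the five-minute window.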

Modular malware is not a new technique, but it is being used heavily in recent malware campaigns. It is often seen with banking Trojans (such as Emotet, TrickBot, CoreBot), info stealers (such as LokiBot, Pony) and botnets.

So what makes the modular approach a more advanced threat going forward? The key points:

  • Malware authors can dynamically push updates from the C2 server in the form of modules (mainly functionality wrapped inside a DLL)
  • Signatures can easily be changed from time to time to evade signature-based anti-virus detection
  • Initial payloads are quite easy to obfuscate
  • The malware's behavior is customized to the victim's environment and value
  • Malware analysts see only limited behavior, since the malware has sandbox detection built in

As discussed earlier, the modular malware approach is not a sudden or new threat; it has been around for a long time but is now being spotted in a variety of campaigns. Modular malware has evolved by replicating strategies from the software development industry, such as modular deployment and even quality assurance techniques, to ensure flawless execution of the attacks. Many recent malware families have evolved to adopt this modular nature and distribute new variants with additional capabilities to disrupt their victims.

TrickBot - An Example

For example, TrickBot, a dangerous banking Trojan that grabs information related to banking transactions on the victim's system, has fully adopted this modular approach. In its recent variants TrickBot has added many new modules that search the victim's system for highly sensitive information such as email addresses, banking credentials, login sessions, cookies and more.

This shows that malware authors are not resting but are evolving alongside the software development industry, and yes, making it harder for malware analysts to dissect the malware in the first place.

Conclusion

Modular malware is not new, but its use is increasing rapidly in order to compromise more and more victims and make it a strong business. Detecting modular malware is hard because it is becoming more dynamic and adaptive to the victim's environment.

It keeps defenders guessing at what comes in the next revision or the next delivered module. It is clear that traditional signature-based detection is failing against this type of malware because the malware changes its signature at regular intervals.
