Reflections on malware
by Meghan Jacquot, Security Engineer at Inspectiv
Malicious software (malware) did not always exist. Researchers disagree on what represented the first virus. I will define it as Wabbit in 1974, because it caused computers to crash. Over time, malware changed the software scene dramatically. At first malware was often sent as a joke: think of a snake game. However, it has become much more serious and is now a standard tool of criminal syndicates and threat actor groups. This article will discuss three trends in modern malware seen in 2022.
ADAPTABILITY
If you noticed an issue on a Friday afternoon that impaired the functionality of a system, how long would it take to get it fixed? I am certain many of you are thinking “It depends” and are considering criticality, uptime, services, who it impacts, etc. For many teams, a Friday afternoon issue would be fixed the following week, or later depending on its criticality.
Threat actors are sometimes much more responsive to the issues they face. Emotet, a long-lived malware family, was developed by a threat actor group that has shown adaptability over the years, including in 2022.
The research group Cryptolaemus identified an update to a static file reference in Emotet that compromised its performance. When the malware was installed on endpoints, the file names shifted and so the distribution chain was broken.
This was an error that needed to be fixed, and that is exactly what the threat actor group did. Its members either learned about the error through monitoring their systems or through monitoring defenders’ social media posts, and modified Emotet rapidly. The error was found on a Friday, tested, fully debugged and fixed by the following Monday. Think back to the question about how long it would take your team to fix an issue. As defenders we need to be aware of how adaptable threat actors are.
DECEPTION
A continuing trend observed in malware operations is deception. Deceptive tactics often exploit current events, and this was the case in 2022. For example, in January the final phase of the Windows 11 upgrade was announced, and threat actors exploited it as a current-event-based deception. They were able to create various lures masquerading as this expected download in order to install their own malicious payloads. The group behind the RedLine Stealer infostealer was observed using this exact tactic.
Another form of deception, identified by researcher iamdeadlyz in August, was more complex. Threat actors pretended to be testers for a play-to-earn (P2E) video game, Cthulhu World. The ‘game’ appeared well-developed and legitimate, and would-be testers were sent codes to test it, but these codes installed one of three infostealers: AsyncRAT, RedLine Stealer or Raccoon Stealer. The website of that fake game is now defunct, but deception will continue to be a much-used tactic for threat actors.
A final example of current-event exploitation saw malware embedded in a JPEG file of images from the James Webb telescope. The threat actors realised people were sending these beautiful images to one another and took advantage of this to add a malicious payload to an image.
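The image-borne payload described above lends itself to a simple defender-side triage check. The following is an added example, not code from the article or from any project it mentions: it walks a JPEG's marker segments to find where the image proper ends and reports anything appended after the End Of Image (EOI) marker. It assumes the appended-data pattern (a payload tacked on after the real image data), which is one common way of smuggling content into an image file, and does not claim to reproduce the specific campaign; the two sample files are constructed inline.

```python
"""Inspect a JPEG for data appended after its End Of Image marker.

Added example (not from the article): a defender-side triage check for the
"payload hidden in an image" pattern. It assumes the extra content is appended
after the JPEG's own data; it reports on that data and never decodes or runs it.
"""
import struct

SOI = b"\xff\xd8"  # Start Of Image marker


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG marker segments and return the offset just past the EOI marker.

    Raises ValueError if the data is not a well-formed JPEG.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    n = len(data)
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated JPEG")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: the image proper ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue  # standalone markers carry no length field
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]  # length includes itself
        if seg_len < 2 or pos + seg_len > n:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len
        if marker == 0xDA:  # SOS: entropy-coded scan follows until a real marker
            while True:
                idx = data.find(b"\xff", pos)
                if idx == -1 or idx + 1 >= n:
                    raise ValueError("truncated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or restart marker
                    pos = idx + 2
                elif nxt == 0xFF:  # fill byte, keep scanning
                    pos = idx + 1
                else:  # a genuine marker: hand back to the segment walker
                    pos = idx
                    break
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the EOI marker (empty for a clean file)."""
    return data[jpeg_end_offset(data):]


def inspect_jpeg(data: bytes) -> dict:
    """Summarise trailing data as a triage signal, without decoding it."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    printable = sum(32 <= b < 127 for b in tail)
    return {
        "image_bytes": end,
        "trailing_bytes": len(tail),
        # a high printable ratio hints at text such as base64 or a script
        "trailing_printable_ratio": round(printable / len(tail), 2) if tail else 0.0,
        "has_trailing_data": bool(tail),
    }


# Constructed sample: a minimal JPEG skeleton (not a viewable picture) with one
# APP0 segment, one SOS header and a few bytes of scan data.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"  # scan data including one stuffed 0xFF 0x00
    + b"\xff\xd9"
)
# Constructed "tainted" file: the same skeleton with text appended after EOI.
APPENDED = b"<constructed placeholder payload, base64-like text>"
TAINTED_JPEG = CLEAN_JPEG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(name, inspect_jpeg(blob))
```

Trailing bytes are a triage signal, not proof of malice: some cameras and editing tools append thumbnails or metadata after EOI, so pair this check with file provenance, hash lookups and sandbox detonation rather than blocking on it alone. The parser deliberately raises on malformed input instead of guessing, since a file that is not even a valid JPEG deserves a closer look too.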
BUSINESS MODELS
Another trend observed in 2022 was the continuing complexity of malware operated as part of a business model. There are criminal organisations that develop malware-as-a-service (MaaS) or phishing-as-a-service (PhaaS) offerings that other, less skilled threat actors can use to commit cybercrimes. For example, a new malware, ZingoStealer, was observed by researchers, and the threat actor group behind it chose to give this malware away for free. Its use gave the group data about infected endpoints that they could use for additional criminal activity. They were gathering data, building a user base and beta testing their dashboards.
Another cybercriminal group offers EvilProxy PhaaS on subscription. Researchers found there were specific tutorials and methods discussed for bypassing two-factor or multi-factor authentication (MFA). Multiple attacks on a variety of organisations in 2022 bypassed MFA with the help of infostealer malware. For example, the July cyberattack on Twilio, which ended up affecting more than 160 of its customers, has led to additional software supply chain attacks.
Another attack that had its roots in infostealers was the September Uber cyberattack. It was initiated by credentials being found via an infostealer and progressed using social engineering. Here is a visual of a likely breakdown of the attack.
[Figure: likely breakdown of the Uber attack. Source: Andy Robbins, shared and modified with permission.]
WHAT IS A DEFENDER TO DO?
Knowledge is power. The more we can understand, model and identify threat actor activity, the better we can predict and defend against it. Additionally, defenders can add layers of defence based on threat modeling of attacker activity. If MFA and social engineering are being bypassed, then what other layers of defence exist for your network? What backup and data recovery processes do you have?
Do you make use of honeypots or other deceptions to delay a threat actor? Additionally, what methods are being used for detection? The less time an attacker has in your network the better, so early detection can be quite helpful. Malware today is no longer as innocuous as a snake game filling up your screen, where an individual can troubleshoot the issue. It is more damaging and requires a team-based approach. As computer programming pioneer Grace Hopper said, “I’ve always been more interested in the future than in the past.” So let us look to the future and work together as defenders against malicious software.
www.linkedin.com/in/meghan-jacquot-carpe-diem
twitter.com/CarpeDiemT3ch
www.youtube.com/c/CarpeDiemT3ch