Modular Malware: The new way of stealing your data

RapidVPN/ June 27, 2019/ Blog/

Malware – malicious software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. We all heard of it. It comes in different shapes and sizes. We know them as viruses, trojans, spyware, ransomware, adware, botnets. Over the years, malware evolved and became so sophisticated that some of them use different modules to alter how they affect a target system. They are called modular malware.

Modular malware doesn’t pack all of its functionality into a single payload. Modular malware is methodical, it has a more cunning approach and attacks the system in 3 different stages. First, it installs the essential components that search out the system and network security about protections, vulnerabilities, chances for exploits, etc. without alerting of its presence. Then, it can dial to its command and control server (second stage). This communication server sends back further instructions with additional malware modules to execute an attack (third stage).

The malware authors can rapidly change the malware signature to evade security programs, they can react to specific targets, combine multiple malware modules and so on.

Some of the most famous modular malware are:

  • T9000 –  a data gathering tool. It captures encrypted data, takes screenshots of specific applications and specifically targets Microsoft Office product files and Skype users. Its modules are designed to evade up to 24 different security products, altering its installation process to remain undetected.
  • DanaBot – a multi-stage banking Trojan wildly known for a series of attacks against Australian banks in 2018. It is using different plugins to extend its functionality.  It contains a packet sniffing and injection plugin, a VNC remote viewing plugin, a data harvesting plugin, and a Tor plugin that allows for secure communication. It also contains a number of anti-analysis features, updated stealer and remote-control modules so it is highly attractive to threat actors.
  • Marap, AdvisorsBot, and CobInt – Three modular malware variants that are similar but have different uses.  CobInt is a part of a campaign for the banking and financial cybercrime organization Cobalt Group. Marap and AdvisorsBot are scoping out target systems for defense and network mapping, and decides should the malware download the full payload. If the target system has value, the malware calls for the second stage of the attack. Like other modular malware variants, this tree malware follows a three-step flow. The first stage is typically an email with an infected attachment that carries the initial exploit. If the exploit executes, the malware requests the second stage. The second stage carries the reconnaissance module which assesses the security measures and network landscape of the target system. If the malware finds that everything is appropriate, the third and final module downloads with the main payload.
  • DiamondFox – a real diamond in the malware market. The DiamondFox modular botnet comes with a range of plugins that include espionage tools, credential stealing tools, DDoS tools, keyloggers, spam mailers, and even a RAM scraper. Cybercriminals can buy this modular botnet package on underground forums to gain access to a wide range of advanced attack capabilities. It is regularly updated and has personalized customer support.

How modular malware has become a more sophisticated and serious threat, shows these three recent examples:

Security experts have discovered a modular malware with worm capabilities that is spreading from one server to another and mine for Monero cryptocurrency by exploiting known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer. This Monero crypto miner uses Systemctl.exe, a worm module named PsMiner written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet.

PsMiner’s worm module also has brute force capabilities and brute force password cracking component. When malware manages to infect the server it will execute PowerShell command which downloads a WindowsUpdate.ps1 malicious payload, that drops the Monero miner as part of the final infection stage. PcMiner create an “Update service for Windows Service” scheduled task by copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder. This scheduled task is designed to execute the main malware module every 10 minutes to help it keep persistence on the compromised system. The last stage payload is the open source Xmrig CPU miner that allows PSMiner to mine for Monero cryptocurrency.

The Astaroth Trojan itself is nothing new but now there is a variant that uses Avast antivirus software to gain information about the target system. The earlier versions of Astaroth would quit if Avast antivirus was detected, but this variant makes use of the LOLBins method to ‘inject’ a malicious module into one of its processes. This new Astarot trojan is using the Avast antivirus Runtime Dynamic Link Library ‘aswrundll.exe’ to load a malicious module that then loads further malicious modules and gathers information about the machine, collects and exfiltrates clipboard data, password information and more.

Aswrundll.exe is very similar to Microsoft’s own rundll32.exe, which has also been used by malicious actors over the years, as it enables the execution of DLLs by calling their exported functions. These are what has become known as a ‘Living Off the Land Binaries’ or LOLBins for short. This particular Astaroth campaign requires the victim to download a .7zip file containing a .lnk file that initializes the malware itself. This then generates a process using the Windows Management Instrumentation Command (wmic.exe) utility to initialize an XSL script processing attack. This remote script contains a well-hidden code that uses several functions to hide from antivirus defenses, it initiates the download of the payload files disguised as images and extension-less files with the Trojan modules. These techniques used in the Astaroth campaign show how truly effective these methods are at evading antivirus products.

Previously mentioned CobInt – a new malware technique making phishing attacks harder to spot. Last summer researchers at Proofpoint discovered a pair of modular downloaders with two unusual factors in their use. First, the loaders were conducting exploration on the infected system to decide whether the full payload will be downloaded. Second, the loaders, with very small and carefully obfuscated footprints, were being launched by a major criminal organization the Cobalt Group.  This is the first time that the researchers have seen this kind of a number of major actors using tiny downloaders. The new modular downloader named “CobInt” is difficult to detect if you don’t know what you’re looking for. The process of infecting a target machine is performed in three steps. Each of the three modules is small and uses multiple layers of obfuscation to avoid detection. The first module is an email with an attachment carrying the initial exploit. If the exploit code can execute, it immediately sends a request for the second-stage downloader. This downloader, written in C, will do an observation on the target system to determine whether certain security measures are running that might trap the malware. If the system is safe, then it downloads the final payload and establishes persistence on the computer. Although the process has multiple steps, the total time of execution is measured in seconds. So far the targets are Russia and the former Soviet republics of the Commonwealth of Independent States, but it can lure other malicious actors around the world.

So far, there is no specific tool that can entirely protect you from modular malware variant. All you can do is keep your system up to date and invest in anti-virus and anti-malware software.