Latest malware tries to avoid detection and maintain persistence

Malware is constantly evolving in an attempt to steal data or make money for the people behind it. A new report by Malwarebytes Labs reveals the latest shift towards attacks that can avoid detection but also stay on a system to be reactivated later.

Using fileless malware is just one example among many attack methodologies currently evading traditional security defenses and maintaining persistence.

Among current threats from this new generation of malware are the banking trojan combined with a downloader and botnet known as Emotet, along with its commonly seen accomplice TrickBot. These threats primarily use email distribution with malicious Office documents using PowerShell attacks to download and launch the malware.

Additional malicious files downloaded by the infection script are frequently mutated on the server side, so the same Emotet dropper is seldom seen twice. Between January and September 2018, Emotet malware was detected and removed more than 1.5 million times using Malwarebytes. Emotet is most active in the United States, however, there has been an increase in activity from other countries, including the UK, Philippines, and Canada.

Another new generation player is the Sorebrect ransomware. This is a completely fileless ransomware infection that also targets network shares. Although not widespread as yet, Sorebrect is most known for infecting the networks of Middle Eastern countries in 2017, primarily attacking organizations in the manufacturing industry.

While we think of malware as autonomous, some infections simply provide a tool for the attacker to activate manually. One such is the SamSam ransomware. After breaking into the network through known vulnerabilities or misconfigured services, SamSam is launched by attackers in an entirely manual process using batch scripts. It's difficult to remove because it has a feature allowing attackers to disable security tools.

"A handful of malware families have evolved to be hard to detect, hard to remove, and good at either evasion or duplication," says Adam Kujawa, director of Malwarebytes Labs. "Sorebrect is dangerous because it's one of the first fileless ransomwares. It’s currently affecting the West as it needs to be installed by an exploit kit, but we’re seeing a lot of this activity happening in Asia. Partly this is because of a greater market share of Internet Explorer and people are using outdated versions making them more vulnerable."

You can read more and find out what protection methods are effective against these threats on the Malwarebytes Blog.

Photo Credit: andriano.cz/Shutterstock