By Shira Landau, Editor-in-Chief, CyberTalk.org.
EXECUTIVE SUMMARY:
Across the past decade, cyber security researchers have observed an alarming 87% surge in malware infections. An estimated 560,000 new pieces of malware are detected daily, and more than 1 billion malware programs are thought to be circulating across the web.
The situation becomes even more disconcerting if we narrow our focus to the current year. In 2023, malware threats have increased by 110% on a quarter-over-quarter basis, reaching 125.7 million inboxes in Q3; a significant increase from 60 million in Q2.
These unsettling trends warrant attention. In essence, current malware levels have surpassed previous thresholds, underscoring the importance of staying informed and vigilant in order to safeguard people, processes and technologies.
Here’s a comprehensive overview of five emerging malware threats, each one more stealthy and insidious than the last.
5 emerging malware threats
1. GootBot. The GootLoader group has developed a new malware variant for command-and-control (C2) and lateral movement —dubbed “GootBot”— that’s been observed in campaigns that leverage SEO-poisoned searches for business documents.
Researchers note that GootBot sends victims to compromised sites that look like legitimate forums. Once there, users are deceived into downloading the initial payload as an archive file.
After infection, large quantities of GootBot implants are disseminated throughout corporate environments. Each implant leverages a different hardcoded C2 server, making the attack difficult to block.
Active since 2014, the Gootloader group often relies on a combination of SEO poisoning and compromised WordPress sites in order to deliver malware.
2. BunnyLoader. This newly observed Malware-as-a-Service tool is under active development. Capabilities are evolving, but generally include keylogging, clipboard monitoring, and remote command execution (RCE).
Any threat actor can purchase a basic version of the BunnyLoader for $250.00 USD on the dark web, while a more sophisticated version of the tool is available at a higher price-point.
At the core of BunnyLoader’s operations is the C2 panel, which oversees an array of nefarious tasks; keylogging, credential harvesting…etc. The C2 panel also offers statistics, client tracking and task management. In turn, the threat actor can closely control and monitor infected machines.
Technical analyses have revealed that BunnyLoader is equipped with persistence mechanisms and anti-sandboxing tactics. The malware uses various techniques to evade analysis and detection.
3. LionTail Malware. In its most recent campaign, a group known as Scarred Manticore has been observed using LionTail; a set of custom loaders and in-memory shellcode payloads.
These do not have any overlap with known malware families, enabling attackers to blend in with legitimate traffic and to remain undetected.
As part of the framework, Check Point discovered that Scarred Manticore deploys the passive backdoor LionTail on Windows servers in order to execute commands via HTTP requests and to run payloads that attackers send to the URLs specified in the malware’s configuration.
The LionTail framework has been used in attacks targeting government, military, telecommunication and financial organizations. These groups have been located in Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia and the United Arab Emirates. A regional affiliate of a global non-profit network was also compromised.
This malware is believed to have been developed by nation-state actors and the group that deploys it is primarily focused on data extraction, covert access and other espionage-related activities.
4. SecuriDropper. This Dropper-as-a-Service (DaaS) operation infects mobile Android devices by posing as a legitimate app. In most instances, the app mimics a Google App, an Android update, a video player, a game or even a security app.
Once downloaded, the dropper installs a payload, which is some form of malware. The dropper does this by securing access to the “Read & Write External Storage” and the “Install & Delete Packages” permissions.
A second-stage payload is installed through user deception, as the user is prompted to tap a “Reinstall” button after seeing a fake error message about the app’s installation.
Researchers have observed SpyNote malware distributed through SecuriDropper. In one instance, the entire operation was disguised within an imitation Google Translate app.
In other instances, SecuriDropper was observed distributing banking trojans disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.
5. Jupyter infostealer. A wave of new incidents involving a Jupyter infostealer have affected organizations in the education, healthcare and government sectors.
The malware enables hackers to steal credentials and to exfiltrate data. Although this malware has technically existed since 2020, new variants continue to evolve with simple, yet impactful (and unsettling) changes.
In the most recent incidents, the researchers found the infostealer posing as legitimately signed files, using a valid certificate to avoid scrutiny and to enable initial access to a victim’s machine.
Jupyter infections occur via malicious websites, drive-by downloads, and phishing emails. Recently, an online copy of the U.S. government’s budget for 2024 was found to be infected.
Further information
Contending with the amorphous landscape that is malicious software requires a proactive and innovative approach to cyber security.
Remain resilient in the face of relentless malware threats. Ensure that your organization leverages cyber security solutions that provide comprehensive coverage across all threat vectors.
Solutions should encompass a wide spectrum of preventative security layers; from firewalls, to intrusion prevention systems, to advanced endpoint protection. Learn more here.
For further malware reading, click here. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.
