Malware

In the previous article we discussed the different components of antimalware and how they evolved to meet the growing need to protect endpoints. In this episode we conduct a deep dive on the structure of malware and on how malware has evolved to keep infiltrating organizations, causing mass data leaks, denial of service and disruption of business operations.

Over the last decade malware was deployed using social engineering techniques and removable devices. This has advanced to further techniques, namely exploitation of vulnerabilities and supply chain attacks. Supply chain attacks are attacks at the vendor level: vendors who supply software used in monitoring and business operations are targeted, and malware is injected into the patches those vendors deploy. The consequence of exploiting a vendor is devastating, as most of its customer organizations are infiltrated and a thorough cleanup of each affected organization's infrastructure takes a long time. This is evidenced by the SolarWinds and Codecov supply chain attacks.

Understanding the components of malware ensures that a CISO makes an informed decision when investing in an endpoint solution. During the past two decades malware had the following components: payload, propagation, communication, and persistence. At the time, the malware was attacking the Windows operating system. During the COVID-19 period the same kind of malware, Netwalker (the Mailto ransomware), mutated to increase its attack vectors. Netwalker was a ransomware created in the 1990s that spread through mail; however, this ransomware required user interaction to execute.

Take the Enel Group as a case study: this malware used the same technique to infect the organization. However, the malware had additional components, which included packers, armoring and stealth. These components allow the malware to hide from a traditional antimalware product; they also provide defensive techniques against sandbox analyzers and perform file alterations. Ransomware of this kind can infiltrate any organization that relies on a basic antimalware solution. As you can see, attackers have devised clever techniques to infiltrate organizations.
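One defender-side check that follows from this: packed, compressed or encrypted payloads carry almost no recognizable byte patterns for a signature scanner to match, but they do have near-maximal byte entropy. The following is an added example (not part of the original article or any vendor's product) that computes Shannon entropy over fixed-size windows of a file image and flags a body that looks packed. The sample buffers, the threshold and the 50% rule are constructed assumptions for illustration; a production scanner would apply the same idea per PE section and tune the threshold against known-good files.

```python
import hashlib
import math
from collections import Counter
from typing import List

# Heuristic threshold in bits per byte. Plain code and text sit well below it;
# packed, compressed or encrypted data sits near the 8.0 maximum. This is a
# common rule of thumb (an assumption here), not a standard: tune it against
# a baseline of known-good binaries before relying on it.
HIGH_ENTROPY_THRESHOLD = 7.2
CHUNK_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    length = len(data)
    counts = Counter(data)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size window. A small unpacking stub followed by an
    encrypted body shows up as a sharp jump between adjacent windows."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def packing_indicators(data: bytes) -> dict:
    """Summarize the entropy profile and apply the (assumed) packing rule:
    more than half of the windows at or above the threshold."""
    ents = chunk_entropies(data)
    if not ents:
        return {"overall_entropy": 0.0, "max_chunk_entropy": 0.0,
                "high_entropy_fraction": 0.0, "likely_packed": False}
    high = [e for e in ents if e >= HIGH_ENTROPY_THRESHOLD]
    fraction = len(high) / len(ents)
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "max_chunk_entropy": round(max(ents), 3),
        "high_entropy_fraction": round(fraction, 3),
        "likely_packed": fraction > 0.5,
    }


def constructed_sample(kind: str, size: int = 4096) -> bytes:
    """Constructed test buffers, not real files: 'text' mimics an unpacked body
    of code and strings; 'opaque' mimics a compressed or encrypted payload via
    a deterministic SHA-256 counter stream (no malware is involved)."""
    if kind == "text":
        phrase = b"MOV EAX, [EBP+8]; CALL GetProcAddress; quarterly report 2021 "
        return (phrase * (size // len(phrase) + 1))[:size]
    stream = b"".join(hashlib.sha256(b"sample-%d" % i).digest()
                      for i in range(size // 32 + 1))
    return stream[:size]


if __name__ == "__main__":
    for kind in ("text", "opaque"):
        print(kind, packing_indicators(constructed_sample(kind)))
```

A high-entropy verdict is an indicator, not proof: legitimate installers, media files and signed, compressed resources also score high, so the result belongs in a scoring pipeline alongside behavioural telemetry rather than in an automatic block rule.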

An organization must consider advanced techniques to detect, prevent and mitigate malware incidents. The need for Event Detection and Response has grown over the last year. EDR and XDR have been able to detect such anomalies roaming on the network and kill the processes they execute. In the age of AI, attackers are using the same tools that security experts use to defend the organization. It is vital for an organization to have a dedicated resource who monitors cybersecurity events and who can report and escalate the issues identified in a timely manner.

A proactive approach is the best way to establish a cyber resilience program. The approach involves threat hunting both internally and externally. Information is the key here to ensure the organization keeps evolving as the threat landscape changes. Even as we discuss this, the Internet of Things is a target of malware attacks because of misconfigurations and a lack of oversight and of the knowledge needed to protect the infrastructure. This obliges every organization to ensure that all controls are implemented and tested accordingly, to ascertain that the organization is protected.

Joseph Wachira, Consultant