Malware comes in all shapes and sizes. Furthermore, the sophistication of malware has grown considerably over the years. Attackers realize that trying to fit every aspect of their malicious package into a single payload isn't always the most efficient way.

Over time, malware has become modular. That is, some malware variants can use different modules to alter how they affect a target system. So, what is modular malware and how does it work?

What Is Modular Malware?

Modular malware is an advanced threat that attacks a system in different stages. Instead of blasting through the front door, modular malware takes a subtler approach.

It does that by only installing the essential components first. Then, instead of causing a fanfare and alerting users to its presence, the first module scouts out the system and network security; who is in charge, what protections are running, where the malware can find vulnerabilities, what exploits have the best chance of success, and so on.

After successfully scoping out the local environment, the first stage malware module can dial home to its command and control (C2) server. The C2 can then send back further instructions along with additional malware modules to take advantage of the specific environment the malware is operating in.

Modular malware has several benefits in comparison with malware that packs all of its functionality into a single payload.

  • The malware author can rapidly change the malware signature to evade antivirus and other security programs.
  • Modular malware allows extensive functionality for a variety of environments. In that, authors can react to specific targets, or alternatively, earmark specific modules for use in particular environments.
  • The initial modules are tiny and somewhat easier to obfuscate.
  • Combining multiple malware modules keeps security researchers guessing as to what will come next.

Modular malware isn't a sudden new threat. Malware developers have made efficient use of modular malware programs for a long time. The difference is that security researchers are encountering more modular malware in a wider range of situations. Researchers have also spotted the enormous Necurs botnet (infamous for distributing the Dridex and Locky ransomware variants) distributing modular malware payloads. (What is a botnet, anyway?)

Modular Malware Examples

There are some very interesting modular malware examples. Here are a few for you to consider.

VPNFilter

VPNFilter is a recent malware variant that attacks routers and Internet of Things (IoT) devices. The malware works in three stages.

The first stage malware contacts a command and control server to download the stage two module. The second stage module collects data, executes commands, and can interfere with device management (including the ability to "brick" a router, IoT, or NAS device). The second stage can also download third stage modules, which work like plugins for the second stage. The stage three modules include a packet sniffer for SCADA traffic, a packet injection module, and a module that allows the stage 2 malware to communicate using the Tor network.

You can learn more about VPNFilter, where it came from, and how to spot it right here.

T9000

Palo Alto Networks security researchers uncovered the T9000 malware (no relation to Terminator or Skynet… or is it?!).

T9000 is an intelligence and data gathering tool. Once installed, T9000 lets an attacker "capture encrypted data, take screenshots of specific applications and specifically target Skype users," as well as Microsoft Office product files. T9000 comes with different modules designed to evade up-to 24 different security products, altering its installation process to remain under the radar.

DanaBot

DanaBot is a multi-stage banking Trojan with different plugins that the author uses to extend its functionality. (How to swiftly and effectively deal with remote access Trojans.) For instance, in May 2018, DanaBot was spotted in a series of attacks against Australian banks. At the time, researchers uncovered a packet sniffing and injection plugin, a VNC remote viewing plugin, a data harvesting plugin, and a Tor plugin that allows for secure communication.

"DanaBot is a banking Trojan, meaning that it is necessarily geo-targeted to a degree," reads the Proofpoint DanaBot blog entry. "Adoption by high-volume actors, though, as we saw in the US campaign, suggests active development, geographic expansion, and ongoing threat actor interest in the malware. The malware itself contains a number of anti-analysis features, as well as updated stealer and remote-control modules, further increasing its attractiveness and utility to threat actors."

Marap, AdvisorsBot, and CobInt

I'm combining three modular malware variants into one section as the awesome security researchers at Proofpoint discovered all three. The modular malware variants bear similarities but have different uses. Furthermore, CobInt forms part of a campaign for the Cobalt Group, a criminal organization with ties to a long list of banking and financial cybercrime.

Marap and AdvisorsBot were both spotted scoping out target systems for defense and network mapping, and whether the malware should download the full payload. If the target system is of sufficient interest (e.g., has value), the malware calls for the second stage of the attack.

Like other modular malware variants, Marap, AdvisorsBot, and CobInt follow a three-step flow. The first stage is typically an email with an infected attachment that carries the initial exploit. If the exploit executes, the malware immediately requests the second stage. The second stage carries the reconnaissance module which assesses the security measures and network landscape of the target system. If the malware considers everything is suitable, the third and final module downloads, including the main payload.

Proofpoint anaylsis of:

Mayhem

Mayhem is a slightly older modular malware variant, first coming to light back in 2014. However, Mayhem remains a great modular malware example. The malware, uncovered by security researchers at Yandex, targets Linux and Unix web servers. It installs via a malicious PHP script.

Once installed, the script can call upon several plugins that define the malware's ultimate use.

The plugins include a brute force password cracker that targets FTP, WordPress, and Joomla accounts, a web crawler to search for other vulnerable servers, and a tool that exploits the Heartbleed OpenSLL vulnerability.

DiamondFox

Our final modular malware variant is also one of the most complete. It is also one of the most worrying, for a couple of reasons.

Reason one: DiamondFox is a modular botnet for sale on various underground forums. Potential cybercriminals can purchase the DiamondFox modular botnet package to gain access to a wide range of advanced attack capabilities. The tool is regularly updated and, like all good online services, has personalized customer support. (It even has a change-log!)

Reason two: the DiamondFox modular botnet comes with a range of plugins. These are turned on and off through a dashboard that wouldn't be out of place as a smart home app. Plugins include tailored espionage tools, credential stealing tools, DDoS tools, keyloggers, spam mailers, and even a RAM scraper.

Warning: the following video has music you may or may not enjoy.

How to Stop a Modular Malware Attack

At the current time, no specific tool protects against a specific modular malware variant. Also, some modular malware variants have limited geographic scope. For instance, Marap, AdvisorsBot, and CobInt are primarily found in Russia and CIS nations.

That said, the Proofpoint researchers pointed out that despite current geographical limitations, if other criminals see such an established criminal organization using modular malware, others will certainly follow suit.

Awareness as to how modular malware arrives on your system is important. The majority use infected email attachments, usually containing a Microsoft Office document with a malicious VBA script. Attackers use this method because it is easy to send infected emails to millions of potential targets. Furthermore, the initial exploit is tiny and easily disguised as an Office file.

As ever, make sure you keep your system up to date, and consider investing in Malwarebytes Premium---it's worth it!