Malware represents a tremendous cyber security threat across all environments and ecosystems. Any piece of intrusive and destructive software program —especially those that compromise device functions, steal data, spy on users, and generally cause chaos— constitutes a type of malware.
In terms of malware varieties, there is spyware, ransomware, adware, viruses, bots, botnets, rootkits, keyloggers and Trojan horses. In most cases, malware is spread via vulnerable software, file shares, websites, advertisements, email attachments, or malicious links. Malware-based attacks pose a significant risk to 80% of small-to-medium sized businesses, while larger organizations are becoming increasingly vulnerable to dangerous and damaging incidents.
Across the past decade, cyber security researchers have observed an alarming 87% surge in malware infections. An estimated 560,000 new pieces of malware are detected daily, and more than 1 billion malware programs are thought to be circulating across the web.
The situation becomes even more disconcerting if we narrow our focus to the current year. In 2023, malware threats have increased by 110% on a quarter-over-quarter basis, reaching 125.7 million inboxes in Q3; a significant increase from 60 million in Q2.
In India, an organization was attacked on average 2118 times per week over the last 6 months, compared to 1097 attacks per organization globally, according to the Check Point Threat Intelligence Report. The report highlights the top malware in India as Formbook, an infostealer. An infostealer is a type of malware designed to harvest sensitive data from a compromised system; the data is often sold on the black market to other threat actors, who may use the information to commit fraud or to gain unauthorized access to other networks and systems for malicious gain.
These unsettling trends warrant attention. In essence, current malware levels have surpassed previous thresholds, underscoring the importance of staying informed and vigilant in order to safeguard people, processes and technologies.
Together with researchers from the Check Point Research team, I present an overview of five emerging malware threats, each one more stealthy and dangerous than the last.
5 emerging malware threats
- GootBot. The GootLoader group has developed a new malware variant for command-and-control (C2) and lateral movement, dubbed “GootBot”, that has been observed in campaigns that leverage SEO-poisoned searches for business documents.
Researchers note that GootBot sends victims to compromised sites that look like legitimate forums. Once there, users are deceived into downloading the initial payload as an archive file.
After infection, large quantities of GootBot implants are disseminated throughout corporate environments. Each implant leverages a different hardcoded C2 server, making the attack difficult to block.
Active since 2014, the GootLoader group often relies on a combination of SEO poisoning and compromised WordPress sites in order to deliver malware.
- BunnyLoader. This newly observed Malware-as-a-Service tool is under active development. Its capabilities are evolving, but generally include keylogging, clipboard monitoring, and remote command execution (RCE).
Any threat actor can purchase a basic version of BunnyLoader for $250.00 USD on the dark web, while a more sophisticated version of the tool is available at a higher price point.
At the core of BunnyLoader’s operations is the C2 panel, which oversees an array of nefarious tasks, such as keylogging and credential harvesting. The C2 panel also offers statistics, client tracking and task management. In turn, the threat actor can closely control and monitor infected machines.
Technical analysis has revealed that BunnyLoader is equipped with persistence mechanisms and anti-sandboxing tactics. The malware uses various techniques to evade analysis and detection.
- LionTail Malware. In its most recent campaign, a group known as Scarred Manticore has been observed using LionTail, a set of custom loaders and in-memory shellcode payloads.
These have no overlap with known malware families, enabling attackers to blend in with legitimate traffic and to remain undetected.
As part of the framework, Check Point discovered that Scarred Manticore deploys the passive backdoor LionTail on Windows servers in order to execute commands via HTTP requests and to run payloads that attackers send to the URLs specified in the malware’s configuration.
The LionTail framework has been used in attacks targeting government, military, telecommunication and financial organizations. These groups have been located in Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia and the United Arab Emirates. A regional affiliate of a global non-profit network was also compromised.
This malware is believed to have been developed by nation-state actors and the group that deploys it is primarily focused on data extraction, covert access and other espionage-related activities.
- SecuriDropper. This Dropper-as-a-Service (DaaS) operation infects mobile Android devices by posing as a legitimate app. In most instances, the app mimics a Google app, an Android update, a video player, a game or even a security app.
Once downloaded, the dropper installs a payload, which is some form of malware. The dropper does this by securing access to the “Read & Write External Storage” and the “Install & Delete Packages” permissions.
A second-stage payload is installed through user deception, as the user is prompted to tap a “Reinstall” button after seeing a fake error message about the app’s installation.
Researchers have observed SpyNote malware distributed through SecuriDropper. In one instance, the entire operation was disguised within an imitation Google Translate app.
In other instances, SecuriDropper was observed distributing banking trojans disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.
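The permission pairing described above (external-storage read/write plus the ability to install packages) is something a defender can screen for before an app is allowed onto managed devices. The following is an added example, not code from the article or from any vendor tooling: it parses an AndroidManifest.xml and flags apps that request both a storage permission and an install-related permission. The permission constants are the real Android names; the two manifests embedded below are constructed for illustration, and the "video player" one mirrors the disguise the article mentions.

```python
"""Flag Android manifests that request a dropper-style permission combination.

Added example (not the article's or any vendor's code). It checks a manifest
for the pairing the article describes: external-storage read/write together
with the ability to install packages. The sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace, e.g. android:name="..."
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission constants (not invented)
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
INSTALL_PERMS = {
    # Lets a non-system app launch the package installer for an APK it carries
    "android.permission.REQUEST_INSTALL_PACKAGES",
    # Normally granted only to system/privileged apps; odd in a sideloaded app
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def assess(manifest_xml: str) -> dict:
    """Report which storage/install permissions are requested and whether
    the combination matches the dropper pattern (both groups present)."""
    perms = requested_permissions(manifest_xml)
    storage = perms & STORAGE_PERMS
    install = perms & INSTALL_PERMS
    return {
        "storage": sorted(storage),
        "install": sorted(install),
        "dropper_like": bool(storage) and bool(install),
    }


# Constructed sample: a fake "video player" that can write to storage and
# then trigger installation of a second-stage APK it drops there.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevideoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

# Constructed sample: an ordinary app that only reads media from storage.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

The check is deliberately narrow: requesting REQUEST_INSTALL_PACKAGES is legitimate for some app stores and update tools, so a hit is a triage signal for review rather than a verdict, and it should be combined with where the APK came from (sideload versus an official store) and whether the app's stated purpose plausibly needs to install other packages.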
- Jupyter infostealer. A wave of new incidents involving the Jupyter infostealer has affected organizations in the education, healthcare and government sectors.
The malware enables hackers to steal credentials and to exfiltrate data. Although this malware has technically existed since 2020, new variants continue to evolve with simple, yet impactful (and unsettling) changes.
In the most recent incidents, the researchers found the infostealer posing as legitimately signed files, using a valid certificate to avoid scrutiny and to enable initial access to a victim’s machine.
Jupyter infections occur via malicious websites, drive-by downloads, and phishing emails. Recently, an online copy of the U.S. government’s budget for 2024 was found to be infected.
Contending with the amorphous landscape that is malicious software requires a proactive and innovative approach to cyber security.
To remain resilient in the face of relentless malware threats, organizations should leverage cyber security solutions that provide comprehensive coverage across all threat vectors. These solutions should encompass a wide spectrum of preventative security layers, from firewalls to intrusion prevention systems to advanced endpoint protection, in order to ensure cyber protection and resiliency.