How to combat the latest and most aggressive botnets and malware

Launching more sophisticated botnets, malware, and other threats, cybercriminals are getting more ruthless, says Nuspire.

Image: iStockphoto/solarseven

2020 has proven to be a challenging year in so many ways, and that includes the area of cyberthreats. Cybercriminals have taken advantage of the coronavirus and its many side effects to unveil even more aggressive types of attacks. The third quarter of the year saw an increase in malware, especially against timely targets such as schools and healthcare facilities. A report published Thursday by security provider Nuspire discusses the latest threats and offers tips on how to fight them.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Malware

As detailed in its “Q3 2020 Threat Landscape Report,” Nuspire discovered more than 3.6 million malware events over the third quarter, an increase of 128% from the second quarter. More than 43,000 malware variants were seen each day, with almost 1,200 unique ones found for the entire quarter.

The top three malware variants targeted Microsoft Office with trojans and exploits designed to infect systems through malicious macros. Visual Basic for Applications (VBA) agents are a type of trojan aimed at programs such as Microsoft Word and Excel.

Often used in malspam campaigns, this type of malware tempts recipients with phony legal documents and invoices containing macros that launch when the document is opened. The VBA agent then communicates which a command and control (C2) server that pushes the actual payload to the victim’s system.

Top five malware variants, Nuspire, Q3 2020

Image: Nuspire

Among the top five malware variants, Emotet continued to prove problematic last quarter. After trailing off during the second quarter and vanishing at the start of the third quarter, Emotet bounced back near the end of August. This infamous trojan can spread through hijacked email threads or mass spam campaigns, both methods using Word documents that contain macros with malicious code.

Botnets

Botnet activity declined slightly during the third quarter but still added up to more than 1.5 million events. The top five botnets observed by Nuspire were Necurs, Andromeda, Emotet-Cridex, ZeroAccess, and H-Worm. Known by other names such as Houdini, Dunihi, and njRAT, the H-Worm botnet generated the most traffic for the quarter. This botnet employs such tactics as remotely executing files, rebooting machines, keylogging, and stealing information from Google Chrome and Mozilla Firefox.

The ZeroAccess botnet surged in the second quarter, trailed off, and then spiked toward the end of the third quarter. Appearing in 2009 and peaking in 2013, ZeroAccess focused mostly on financial organizations through click fraud and bitcoin mining. Evolving over time, this botnet has also been used in pirated games and other illicit software and is often deployed via phishing campaigns.

Recommendations

To defend your organizations against the latest threats, Nuspire offers the following advice:

Endpoint Protection Platforms (EPP). Implement security in-depth while utilizing advanced, next-generation antivirus (NGAV). NGAV will detect malicious software not only through signatures but through heuristics and behavior. Legacy AV is strictly signature based and can only detect already known variants of malware.

Network segregation. Segregate higher risk devices from your organization’s internal network, like IoT devices. This will minimize an attacker’s ability to laterally move throughout a network.

Cybersecurity awareness training. Cybersecurity awareness training is a critical part of any security program as most infections start through email and malicious attachments. Administrators should also block email attachments that are commonly associated with malware such as .dll and .exe extensions to prevent these from reaching their end users.

Leverage threat intelligence. Threat intelligence helps organizations identify if devices are reaching out to known malicious hosts with C2 communication. C2 communication can contain commands or can be used to download additional malware. Correlation of networking logs and threat intelligence is critical to identify when this is happening to help you block malicious traffic and remediate infected machines.

Use next-generation antivirus. Botnet traffic is detected post infection, and if your antivirus product is unable to detect malicious behavior, you may miss malicious programs with no known signature. A solution such as endpoint protection and response (EPR) can assist with detection as well as provide endpoint log visibility to find malicious traffic.

Threat hunt. Threat intelligence isn’t perfect. New malicious C2 servers are found every day. Organizations should audit their network data for abnormal traffic and react if found. Should your server be reaching out to that foreign IP address?

Patch your systems ASAP. When you receive notification of a vulnerable system, attackers see those same notifications. Make every effort to apply patches to your critical systems as soon as you can in an attempt to avert malicious parties.

Use a firewall with IPS. Firewalls with an Intrusion Prevention System can block known exploits via signatures. Make sure these signatures are also being updated, or you may be lulled into a false sense of security. Utilizing a managed detection and response (MDR) program can help you with this task.

Monitor security news and vendor security bulletins. If you don’t know about an issue, you can’t fix it. Subscribe to security news feeds and your tech stack’s security bulletins. Often these bulletins include direct links to patching information for administrators.