Old Threats, New Tricks: Why Legacy Malware Keeps Infiltrating Networks

By: Cymulate Research Lab

December 14, 2023

Abstract: Despite being years old and relying on well-known tactics, older malware attacks are still infiltrating organizations through reused code and ineffective legacy defenses. This blog post analyzes real-world examples and outlines steps to modernize detection capabilities. Legacy malware strains keep evading organizations' defenses through reused code, and seemingly trustworthy defenses fail to block revamped versions of well-known CVEs, malware and techniques. Although criminal in nature, threat actors and threat groups operate as businesses. They have a financial interest in extending the shelf life of their malware by reusing and repackaging it and by exploring new market strategies. Their technical methods include recompiling code, morphing binaries and producing builds whose hashes and byte patterns no longer match what signature-dependent antivirus knows. Their business models include creating easy-to-use malware kits and licensing their products as malware-as-a-service. 

Phobos – the Story of an Older Malware Remaining a Threat  

First observed in 2019, Phobos ransomware is an evolution of the earlier Dharma and Crysis ransomware strains. Since then, Phobos has resurfaced with new developments, most recently deployed by the 8Base ransomware group.  

The Nature of Dharma and Crysis: Precursors to Phobos 

Dharma and Crysis, the precursors to Phobos, were characterized as “spray and pray” ransomware. Unlike targeted ransomware operations such as Cuba or Clop, which focus on large organizations and work through affiliate programs, Dharma and Crysis were indiscriminate. Their binaries were leaked, which allowed random actors to deploy these strains against a wide range of targets. This scattershot approach reached many small targets, where the modest ransom per victim was compensated by the sheer number of victims.   

8Base: A Shift in Ransomware Tactics 

8Base, the group behind later Phobos attacks, marks a shift in ransomware tactics. Unlike the random targeting of Dharma and Crysis, 8Base operates with a network of affiliates, resembling a ransomware cartel. This structured approach allows for more coordinated and potentially more damaging attacks. 

Phobos' Latest Iteration    

Discovered by Qualys at the end of November 2023, a new strain of Phobos impersonates VX-Underground, a well-known open-source community that shares malware samples and research. Phobos uses a deceptive file name, “AntiRecuvaAndDB.exe,” mimicking the legitimate data recovery software Recuva, to distribute its payload. This tactic has been previously used by other threat actors and is now adopted by Phobos. The sample is compressed with the UPX packer and targets 32-bit architectures.  

Upon execution, Phobos displays characteristics typical of ransomware: it checks whether the system uses a Cyrillic alphabet and halts if so (to avoid attacking targets the operators consider friendly), and it terminates specific system processes so that file encryption can proceed without interference. Phobos also takes steps to prevent system recovery by deleting shadow copies, disabling Windows Recovery and turning off the Windows Firewall. Once active, it encrypts files on the victim's machine, appending a “.VXUG” extension to impersonate VX-Underground. It achieves persistence by copying itself to the Startup directory and adding a Run registry key. The ransomware then drops ransom notes in various directories, including a pop-up HTA note designed to panic the victim.  
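The behaviours listed above are exactly what a behavioural rule set should key on, because none of them depends on the sample's hash or on how it is packed. The following Python is an added example written for this post, not code from Cymulate or from the Qualys analysis: it runs a handful of rules over constructed, Sysmon-style process, file and registry events (the events and host names are made up) and flags a host only when two or more recovery-inhibition steps appear together or the “.VXUG” extension shows up. The specific command lines it matches (vssadmin, bcdedit, netsh) are an assumption about how the three recovery-inhibition actions are usually carried out on Windows, not strings quoted from the sample.

```python
import re
from collections import defaultdict

# Behavioural rules keyed on the page's description of Phobos. Each entry is
# (tag, event type, regex applied to the event's "target": a command line for
# process events, a path for file events, a key path for registry events).
# The command lines are an assumption: the usual Windows built-ins for these
# actions, not strings taken from the Qualys analysis.
RULES = [
    ("shadow_copy_deletion", "process",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("recovery_disabled", "process",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("firewall_disabled", "process",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("run_key_persistence", "registry",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("startup_folder_persistence", "file",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)),
    ("vxug_extension", "file",
     re.compile(r"\.vxug$", re.I)),
]

# Tags that on their own mean "stop the victim from recovering".
RECOVERY_INHIBITION = {"shadow_copy_deletion", "recovery_disabled", "firewall_disabled"}

# Constructed telemetry for two hosts (not real logs). WS01 runs the Phobos
# chain described on the page; WS02 is an administrator doing routine work.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "target": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "type": "process", "target": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "type": "process", "target": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "type": "registry",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaAndDB"},
    {"host": "WS01", "type": "file",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AntiRecuvaAndDB.exe"},
    {"host": "WS01", "type": "file", "target": r"C:\Users\bob\Documents\Q3-forecast.xlsx.VXUG"},
    # Routine admin activity that shares keywords with the rules above.
    {"host": "WS02", "type": "process", "target": "vssadmin list shadows"},
    {"host": "WS02", "type": "process", "target": "netsh advfirewall show allprofiles state"},
    {"host": "WS02", "type": "registry",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]


def evaluate(events):
    """Map each host to the set of rule tags observed on it."""
    seen = defaultdict(set)
    for ev in events:
        for tag, ev_type, pattern in RULES:
            if ev["type"] == ev_type and pattern.search(ev["target"]):
                seen[ev["host"]].add(tag)
    return dict(seen)


def flagged_hosts(events):
    """Hosts showing the Phobos pattern: two or more recovery-inhibition
    actions, or encrypted output carrying the impersonation extension.
    A single Run key on its own (installers do that too) is not enough."""
    hits = []
    for host, tags in evaluate(events).items():
        if len(tags & RECOVERY_INHIBITION) >= 2 or "vxug_extension" in tags:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host, tags in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(host, sorted(tags))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

In production the correlation key would be the process tree rather than the host, and the rules would be expressed in whatever your EDR or SIEM understands, but the shape is the same: individual built-ins such as vssadmin or netsh are too noisy to alert on alone, while the combination is rare outside ransomware.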

Why Do Older Attacks Still Succeed? 

Despite not being a new threat, Phobos and other old malware continue to infiltrate and cause damage. This persistence can be attributed to several factors including: 
  • Signature-Based Malware Detection Limitations 
  • Heuristic and Behavioral-Based Anti-Malware 
  • Organizational Sprawl and Resulting Defense Gaps 
  • New Users and Systems 

Signature-Based Malware Detection Limitations 

Many organizations still rely primarily on signature-based malware detection. Threat actors with access to leaked source code or binaries can modify the code and recompile it, producing a build with a different hash and byte pattern each time. Each such rebuild bypasses signature-based detection until a new signature is written and distributed, and signature feeds struggle to keep pace with variants that change faster than they can be catalogued. 

Heuristic and Behavioral-Based Anti-Malware 

Although heuristic and behavior-based anti-malware offers better efficacy, it has limitations of its own. Threat actors can circumvent heuristic analysis by rearranging the order of code elements, applying diverse obfuscation techniques, and splitting the malware into several distinct binaries so that no single file looks malicious on its own. These methods challenge the ability of heuristic evaluation to identify and block the malicious components. 
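The “several distinct binaries” tactic is easiest to see with a scoring model. The Python below is an added example with an invented capability-weighting scheme and threshold (it is not how any particular product scores files): the same five capabilities score well over threshold in one binary, fall under it when spread across a dropper and two children, and exceed it again once capabilities are aggregated over the process tree rather than per file. The process tree and the capability names are constructed for the example.

```python
# Weighted capabilities a static heuristic engine might infer from a file's
# imports and strings. Weights and threshold are invented for this example.
CAPABILITY_WEIGHT = {
    "crypto_api": 2,          # e.g. CryptGenKey / CryptEncrypt imports
    "file_walk": 1,           # FindFirstFileW / FindNextFileW loop
    "shadow_copy_delete": 3,  # "vssadmin delete shadows" string
    "run_key_write": 2,       # RegSetValueExW on ...\CurrentVersion\Run
    "process_kill": 1,        # TerminateProcess against a list of services
}
THRESHOLD = 5  # a file scoring at least this much is quarantined


def file_score(capabilities):
    return sum(CAPABILITY_WEIGHT.get(c, 0) for c in capabilities)


def file_flagged(capabilities):
    return file_score(capabilities) >= THRESHOLD


# Monolithic build: everything in one binary, score 9, caught on sight.
MONOLITHIC = {"crypto_api", "file_walk", "shadow_copy_delete", "run_key_write", "process_kill"}

# The same functionality split into three binaries, each under threshold.
# Constructed process tree: a dropper that installs persistence and kills
# services, then launches a shadow-copy cleaner and an encryptor. A benign
# installer under explorer.exe is included for contrast.
SPLIT_TREE = [
    {"pid": 100, "ppid": 1,   "name": "dropper.exe",  "caps": {"run_key_write", "process_kill"}},  # 3
    {"pid": 101, "ppid": 100, "name": "cleanup.exe",  "caps": {"shadow_copy_delete"}},             # 3
    {"pid": 102, "ppid": 100, "name": "encrypt.exe",  "caps": {"crypto_api", "file_walk"}},        # 3
    {"pid": 200, "ppid": 1,   "name": "explorer.exe", "caps": set()},
    {"pid": 201, "ppid": 200, "name": "setup.exe",    "caps": {"run_key_write"}},                   # 2
]


def root_of(pid, by_pid):
    """Walk parent links up to the top-most process we hold a record for."""
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def tree_verdicts(processes):
    """Aggregate capabilities across each process tree and score the tree,
    so that splitting work across binaries does not split the score."""
    by_pid = {p["pid"]: p for p in processes}
    caps_by_root = {}
    for p in processes:
        root = root_of(p["pid"], by_pid)
        caps_by_root.setdefault(root, set()).update(p["caps"])
    return {by_pid[r]["name"]: file_flagged(caps) for r, caps in caps_by_root.items()}


if __name__ == "__main__":
    print("monolithic flagged:", file_flagged(MONOLITHIC))
    for p in SPLIT_TREE:
        print(f"{p['name']:13} score={file_score(p['caps'])} flagged={file_flagged(p['caps'])}")
    print("per-tree verdicts:", tree_verdicts(SPLIT_TREE))
```

The per-file scores are the adversary's view: as long as each piece stays under the threshold, a static heuristic that judges files one at a time never fires. The per-tree verdict is the defender's answer, and it is the same idea as the behavioural correlation above: score what a lineage of processes does together, not what each file looks like alone.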

Organizational Sprawl and Resulting Defense Gaps 

Organizational sprawl, a byproduct of infrastructure expansion and frequent changes, is often compounded by the limited resources available to security teams. This leads to security professionals, particularly blue teams, being stretched thin, which increases the likelihood of overlooking potential security gaps. These gaps can result from inadequate configuration of new applications, users, or systems. Additionally, the continuous pressure to update infrastructure and deliver revenue-generating services can inadvertently lead to neglecting essential security updates and policy modifications.  

Furthermore, organizational sprawl intensifies with the growing dependence on third-party services. The integration of third-party appliances, each equipped with their unique configurations, applications, and defense mechanisms, demands rigorous security evaluations. Without such assessments, these additions can inadvertently introduce new attack surfaces into the existing infrastructure. This expansion not only complicates the security landscape but also amplifies the potential for vulnerabilities that adversaries could exploit. 

New Users and Systems 

New users and systems are where those gaps most often open. Accounts and hosts onboarded under time pressure tend to receive the default configuration rather than a hardened one, and their protection and patch levels are rarely validated before they are exposed to users and to the network. An old, well-understood malware family does not need a novel technique to succeed; it needs one such unprotected foothold. 

The well-known impacts of a breach on a business's bottom line – business interruption, loss of customer trust, remediation costs, legal consequences ranging from fines to damages, and so on – are no longer the only ones. More recent regulatory changes are looming and might lead to much heavier losses. 

No Renewal of Federal Contracts 

Instead of a slap on the wrist such as a $250,000 fine for a company with $5 billion in revenue, failure to address and clean up identified attack surface gaps can have far more severe consequences. If post-breach forensics point to a breach caused by an issue that CISA had already identified and released an alert for, the result can be the non-renewal of federal contracts. 

Shoring up Defenses Against Reconditioned Attacks 

Defending against revamped attacks requires a multifaceted approach consistent with the recommended defense in depth best practice. The defense in depth principle relates to creating and maintaining multiple layers of security controls that protect against different attack vectors.  

Complement Signature-Based Detection with Behavioral Analytics and Heuristics 

Adding behavioral analytics and heuristics to signature-based detection enhances detection, reduces false positives and is consistent with the defense in depth principle by providing two layers of protection. To verify that those tools perform as intended, attack surface management (ASM) tools that take an offensive approach test the system's resilience and identify security gaps. With its dual internal and external capabilities, Cymulate ASM checks not only for exposed assets but also for internally exploitable assets and attack-path weaknesses. 

Keep Security Controls Up to Date 

Maintaining robust cybersecurity defenses requires continuously updating and maintaining security controls such as firewalls, antivirus software, intrusion detection systems and lateral movement prevention. Frequent validation of control effectiveness is essential to avoid sudden or gradual security drift. Tools like Breach and Attack Simulation (BAS) simulate real-world cyberattacks to assess the resilience and readiness of security controls and provide actionable guidance to fine-tune defenses.  

The success of these older attacks is a stark reminder of the limitations of traditional signature-based detection and of the importance of incorporating and validating more dynamic approaches such as behavioral analytics and heuristics. Leveraging tools like Cymulate's Attack Surface Management and Breach and Attack Simulation to proactively identify and address vulnerabilities facilitates and automates the validation process.  

For a technical discussion of legacy malware and the challenges it poses to maintaining cyber resilience, check out the webinar featuring Cymulate threat researcher Dan Lisichkin and security architect Mike DeNapoli. 