Why Legacy Malware Keeps Succefully Attacking Networks

Abstract: Despite being years old and relying on well-known tactics, older malware attacks are still infiltrating organizations through reused code and ineffective legacy defenses. This blog post analyzes real-world examples and outlines steps to modernize detection capabilities. 

Legacy Malware: A Persistent Threat

Legacy malware strains continue evading organizations' defenses through reused code, seemingly trustworthy defenses fail in blocking some revamped well-known CVEs, malware and techniques. 

Malware as a Business Model

Although criminal in nature, threat actors and threat groups are business models. They have a financial interest in extending their malware shelf life by re-using, and re-packaging them and exploring new market strategies. Their technical methods include recompiling code, morph binaries, and generating fresh signatures that bypass signature-dependent anti-virus. Their business models include creating easy-to-use malware kits and licensing their products as malware-as-a-service. 

Case Study: The Resilience of Phobos Ransomware

First observed in 2019, Phobos ransomware is an evolution of the earlier Dharma and Crisis ransomware strains. Since 2019, Phobos has resurfaced with new developments deployed by the Aidbase ransomware group.  

The Nature of Dharma and Crisis: Precursors to Phobos 

Dharma and Crysis, the precursors to Phobos, were characterized as "spray and pray" ransomware. Unlike targeted ransomware attacks by groups like Cuba ransomware or Club, which focus on large organizations through affiliate programs, Dharma and Crisis were more indiscriminate. Their binaries were leaked, which allowed random actors to deploy these ransomware strains against a wide range of targets. This scattered-focused technique reached smaller targets, where the modest ransom was compensated by their higher number.   

Aidbase: A Shift in Ransomware Tactics 

Aidbase, the group behind later Phobos attacks, marks a shift in ransomware tactics. Unlike the random targeting of Dharma and Crisis, Aidbase operates with a network of affiliates, resembling a ransomware cartel. This structured approach allows for more coordinated and potentially damaging attacks. 

Phobos: Latest Iteration

In late 2023, researchers discovered a new strain of Phobos mimicking VX-Underground, a legitimate open-source community sharing malware research. Key characteristics include:

• Delivery Tactics: Disguised as "AntiRecuvaAndDB.exe," mimicking legitimate data recovery software.
• Technical Features: Compressed with UPX Packer, targeting 32-bit architectures.
• Ransomware Behavior: Encrypts files, appending a ".VXUG" extension to impersonate VX-Underground, deletes shadow copies, and disables Windows recovery features.
• Persistence: Adds itself to the Startup directory and registry keys.
• Ransom Note: Deploys HTA ransom notes to coerce victims.

Why Older Malware Still Succeeds

Despite not being a new threat, Phobos and other old malware continue to infiltrate and cause damage. This persistence can be attributed to several factors, including: 

1. Signature-Based Malware Detection Limitations 
2. Heuristic and Behavioral-Based Anti-Malware 
3. Organizational Sprawl and Resulting Defense Gaps 
4. New Users and Systems 

1. Signature-Based Malware Detection Limitations 

Many organizations rely on signature-based malware detection. Threat actors with access to leaked binaries can manipulate the compiled code and alter its signature each time it is recompiled. This technique can bypass signature-based detection systems, which often find it challenging to adapt quickly to the constantly evolving signatures. 

2. Heuristic and Behavioral-Based Anti-Malware 

Although heuristic or behavior-based anti-malware systems offer improved efficacy, they are not without their limitations. Threat actors can circumvent heuristic analysis with tactics such as rearranging the order of code elements, employing diverse obfuscation techniques, and reconstructing malware into several distinct binaries. These methods effectively challenge the ability of heuristic evaluations to accurately identify and counteract malicious components. 

3. Organizational Sprawl and Resulting Defense Gaps 

Organizational sprawl, a byproduct of infrastructure expansion and frequent changes, is often compounded by the limited resources available to security teams. This leads to security professionals, particularly blue teams, being stretched thin, which increases the likelihood of overlooking potential security gaps. These gaps can result from inadequate configuration of new applications, users, or systems. Additionally, the continuous pressure to update infrastructure and deliver revenue-generating services can inadvertently lead to neglecting essential security updates and policy modifications.  

Furthermore, organizational sprawl intensifies with the growing dependence on third-party services. The integration of third-party appliances, each equipped with their unique configurations, applications, and defense mechanisms, demands rigorous security evaluations. Without such assessments, these additions can inadvertently introduce new attack surfaces into the existing infrastructure. This expansion not only complicates the security landscape but also amplifies the potential for vulnerabilities that adversaries could exploit. 

4. New Users and Systems 

Furthermore, organizational sprawl intensifies with the growing dependence on third-party services. The integration of third-party appliances, each equipped with their unique configurations, applications, and defense mechanisms, demands rigorous security evaluations. Without such assessments, these additions can inadvertently introduce new attack surfaces into the existing infrastructure. This expansion not only complicates the security landscape but also amplifies the potential for vulnerabilities that adversaries could exploit. 

The well-known potential impact of a breach on a business bottom-line – business interruption, loss of customer trust, mitigation costs, legal consequences ranging from fines to damages, etc. - are not the only ones anymore. More recent regulatory changes are looming and might lead to subsequent much heavier losses. 

No Renewal of Federal Contracts 

A failure to address and remediate vulnerabilities identified during attack surface scans can result in severe consequences, far exceeding the impact of monetary fines. For instance:

• Financial Penalties: While a $250,000 fine may seem negligible for a company with $5 billion in revenue, the repercussions don’t stop there.
• Regulatory Actions: If a breach is traced back to a vulnerability highlighted by CISA in an alert, organizations risk the non-renewal of federal contracts. This consequence can have far-reaching effects on revenue streams and market credibility.

Shoring up Defenses Against Reconditioned Attacks

Defending against modernized iterations of older malware requires a multifaceted approach aligned with the defense-in-depth principle. This involves implementing and maintaining multiple layers of security controls to counteract diverse attack vectors.

Key Strategies to Strengthen Defenses

1. Complement Signature-Based Detection with Behavioral Analytics and Heuristics

Behavioral analytics and heuristics enhance traditional detection methods, reducing false positives and increasing resilience against evolving threats. These layers add depth to defense mechanisms by identifying anomalies and suspicious behaviors that signature-based systems might miss.

2. Validate and Prioritize Exposures

Leverage exposure validation to emulate attacker behavior and validate whether exposed assets, vulnerabilities, and misconfigurations can be exploited—internally and externally. Exposure validation enables organizations to:

• Identify exploitable exposures across IT, OT, and hybrid environments
• Understand attack paths and how an attacker could traverse them
• Prioritize remediation efforts based on validated risk, not just theoretical vulnerabilities

3. Keep Security Controls Up to Date

Regular updates to firewalls, antivirus software, intrusion detection systems, and lateral movement prevention tools are essential to maintaining robust defenses. Frequent security control validation helps ensure that controls remain effective and capable of detecting and blocking modernized malware and evolving attack techniques.

4. Simulate Real-World Attacks with Breach and Attack Simulation (BAS)

BAS tools mimic real-world cyberattacks to assess the effectiveness of security controls and readiness against threats such as reconditioned malware.
Simulations provide actionable insights that enable security teams to:

• Identify gaps in detection and prevention controls
• Validate the organization’s resilience to malware across the kill chain
• Fine-tune defenses proactively based on validated results

The Importance of Validation

The continued success of older malware strains underscores the limitations of traditional detection methods. Incorporating dynamic approaches, such as behavioral analytics, exposure validation, security control validation, and BAS ensures that defenses remain adaptive and resilient.

Leverage Cymulate’s Solutions: Cymulate’s exposure validation, breach and attack simulation, and security control validation capabilities empower organizations to proactively identify and mitigate exposures, strengthening defenses and ensuring readiness against both modern and legacy threats.