The Evolution of Malware Infection Chains: Analysis of Multiplication and Complexity Over the Years
Background: In a perfect scenario, before malware is executed on a victim's machine, it passes through several stages and specialists. First, a core malware function writer develops its primary functionality. Then it is passed to a specialist who encrypts or obfuscates that functionality. After that, another specialist ensures that the malware can exploit the operating system, so that the obfuscated payload can execute on the target machine. Finally, the last stage involves the specialists responsible for spreading the malware.
The initial execution paths of malware have evolved over time, becoming far more complex than we could have imagined 4–5 years ago. At a high level, we can divide the initial exploitation chain into two stages: (1) decoy execution and (2) built-in component execution, where the malware abuses operating system components.

(1) Decoy components: LNK, CVE, PDF, DOC/X, HTA, JS, SCR, REG, BAT, XLS/X, EXE, RDP, DLL/EXE, CMD, SH, MSI, ONE, PPTX

(2) Built-in component execution: Explorer.exe, applications that handle the file's extension, mshta.exe, wscript.exe/cscript.exe, regedit.exe, mstsc.exe, msiexec.exe, Rundll32.exe, cmd.exe/powershell.exe
The challenge lies in the fact that previously, malware typically leveraged only one component from each group (e.g., one decoy component and one built-in component). However, modern malware has evolved to utilize multiple components simultaneously. For example:
- Decoy Components: Malware can now use 2 or more decoy components (e.g., a combination of LNK and PDF files) to deceive users or security systems.
- Built-in Components: During execution, malware can leverage 4 or more built-in components (e.g., cmd.exe, wscript.exe, mshta.exe, and regedit.exe) to carry out its malicious activities.
This increased complexity makes detection and mitigation more challenging, as malware can now exploit a wider range of legitimate system components and decoy files to evade security measures.
For example, one observed malware type leveraged the chain PDF > LINK > LNK > REG > CMD > PS > Wscript > SCRIPT > DLL > Rundll32.

With this, it is becoming more difficult to analyze malware at scale, which requires a fresh review of the alert triage process. To address this, in my opinion, one of the best approaches is to restrict some core components, which breaks the execution chain, based on the intended purpose and the user of the endpoint. For example, if the user is from finance or management, executing file types like REG or PS may not be necessary for their work.
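As an added illustration of the two points above (reconstructing a long chain from process telemetry, and seeing where a role-based restriction would break it), the following Python script is not from the original post. It parses a few constructed process-creation events in a simplified key=value shape loosely modelled on Sysmon Event ID 1, walks the parent chain for a leaf process, counts how many of the post's built-in components the chain touches, and reports the first image an illustrative per-role deny list would have refused. The PIDs, paths, the `ROLE_DENY` policy and the threshold of four built-in components are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Built-in components named in the post (matched on lower-case image name only).
BUILTIN = {
    "explorer.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regedit.exe",
    "mstsc.exe", "msiexec.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
}

# Illustrative role policy (an assumption, not from the post): image names
# that an endpoint of this role has no business running.
ROLE_DENY = {
    "finance": {"regedit.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"},
    "developer": {"mshta.exe"},
}

# Constructed sample events; PIDs and paths are made up for this example.
# The tree mirrors a PDF decoy launching cmd, a .reg import and a PS > wscript > rundll32 tail.
SAMPLE_LOG = """\
ProcessId=100 ParentProcessId=1 Image=C:\\Windows\\explorer.exe
ProcessId=101 ParentProcessId=100 Image=C:\\Program Files\\Reader\\AcroRd32.exe
ProcessId=102 ParentProcessId=101 Image=C:\\Windows\\System32\\cmd.exe
ProcessId=103 ParentProcessId=102 Image=C:\\Windows\\regedit.exe
ProcessId=104 ParentProcessId=102 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ProcessId=105 ParentProcessId=104 Image=C:\\Windows\\System32\\wscript.exe
ProcessId=106 ParentProcessId=105 Image=C:\\Windows\\System32\\rundll32.exe
"""

EVENT_RE = re.compile(r"ProcessId=(\d+) ParentProcessId=(\d+) Image=(.+)$")


def parse_events(log):
    """Map pid -> (ppid, lower-case image file name), skipping non-matching lines."""
    events = {}
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
        events[pid] = (ppid, PureWindowsPath(image).name.lower())
    return events


def ancestry(events, pid):
    """Image names from the root ancestor down to pid (oldest first)."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)  # guard against malformed logs that contain pid cycles
        ppid, image = events[pid]
        chain.append(image)
        pid = ppid
    chain.reverse()
    return chain


def builtin_components(chain):
    """Distinct built-in components the chain uses, in order of first use.
    explorer.exe counts because the post lists it; tune this for your own baseline."""
    out = []
    for image in chain:
        if image in BUILTIN and image not in out:
            out.append(image)
    return out


def is_suspicious(chain, threshold=4):
    """The post's observation: four or more built-in components in one chain is the modern pattern."""
    return len(builtin_components(chain)) >= threshold


def first_blocked(chain, role):
    """First image the role policy would refuse, i.e. where the chain breaks; None if it runs end to end."""
    deny = ROLE_DENY.get(role, set())
    for image in chain:
        if image in deny:
            return image
    return None


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for leaf in (103, 106):
        chain = ancestry(events, leaf)
        print(" > ".join(chain))
        print("  built-ins:", builtin_components(chain), "suspicious:", is_suspicious(chain))
        for role in ROLE_DENY:
            print(f"  {role}: chain breaks at {first_blocked(chain, role)}")
```

Run against the constructed log, the rundll32 chain touches five built-in components and is flagged, while the same chain on a finance endpoint would already stop at powershell.exe; the shorter regedit branch stays under the threshold but is still cut at regedit.exe for finance. In a real deployment the `ROLE_DENY` sets become AppLocker/WDAC or EDR policy, and the chain walk runs over your SIEM's process-creation events rather than an inline string.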
Conclusion: It has become necessary to periodically review the current threat landscape and update your hardening model to effectively prevent harmful file execution.
Stay Saf3 ! Joker !
