Threats

How trojan malware is evolving to survive and evade cybersecurity in 2021

Artsiom Holub and Ken Howard
January 26, 2021 • 5 minute read

We have met the enemy and they is us. Pogo’s famous maxim applies directly to the threat of trojans in 2021.

Although they are some of the oldest forms of malware, and, in their commodity forms, are seen less often these days, trojans have proved to be durable and adaptable. They avoid detection, embed and intertwine themselves into routine computer operations, and generally have evolved to evade cybersecurity defenses.

In short, trojans are surviving and thriving by becoming part of the cyber furniture.

But that doesn’t mean they don’t have some mean tricks up their sleeves. In fact, trojans have acquired a second life as the workhorses of larger, multi-staged cyberattack chains.

Sample attack chain

We observed this transformation of trojans in The modern cybersecurity landscape: Scaling for threats in motion, published in November 2020. In that report, we cited Emotet and Ursnif/Gozi as examples of trojans that have evolved on to bigger and badder things. Some of the reasons why attackers reuse malware include:

  • Their “Swiss Army knife” abilities allow them to deploy follow-up malware in a Loader-as-a-Service model that does further damage down the cyberattack chain.
  • Their highly distributed command-and-control (C2) infrastructure makes takedown much harder to implement.

But there are more tricks that make these trojans the workhorses of threat actors.

1. Like any productive software, trojans are continuously updated by their operators, who push new versions through C2 infrastructure

Our first example, Taidoor, is a RAT connected to Chinese government actors as assessed by the United States Federal Bureau of Investigation (FBI) with high confidence. This is one of the oldest trojans still circulating. It first appeared in 2008.

The new version of the RAT consists of two parts: a loader in a DLL form, and a main RAT module that comes as RC4-encrypted binary data. The loader first decrypts the encrypted main RAT module, and then executes its exported start function. Malicious actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
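The loader described above ships its main module as RC4 ciphertext and decrypts it before use, so an analyst who has pulled the key (or a handful of candidate keys) out of the loader can recover the module for static analysis. The following Python is an added example, not code from this post or from any Taidoor sample: it implements plain RC4, tries each candidate key, and accepts a result only when it carries the two markers every PE image has (the `MZ` stub and the `PE\0\0` signature at the offset stored in `e_lfanew`). The key, the stub header and the encrypted blob are all constructed here for the demonstration.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA).
    The cipher is symmetric, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with the DOS 'MZ' stub and the e_lfanew field at offset 0x3C
    points at a 'PE\\0\\0' signature: the two markers a decrypted PE module must show."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_module(blob: bytes, candidate_keys):
    """Try each candidate key taken from the loader; return (key, plaintext) for the
    first one that yields a PE image, or None if none does."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


# --- constructed sample: a stub PE header, not real malware ---
FAKE_PE = (b"MZ" + b"\x00" * 0x3A            # DOS header up to e_lfanew
           + struct.pack("<I", 0x40)           # e_lfanew = 0x40
           + b"PE\x00\x00" + b"\x00" * 20)     # PE signature + padding
SAMPLE_KEY = b"example-key-2021"               # stands in for a key pulled from the loader
ENCRYPTED_MODULE = rc4(SAMPLE_KEY, FAKE_PE)    # what the loader would carry on disk


if __name__ == "__main__":
    found = recover_module(ENCRYPTED_MODULE, [b"wrong-guess", SAMPLE_KEY])
    print("recovered with key:", found[0] if found else None)
```

The PE check is what makes key-guessing safe to automate: RC4 produces output for any key, so without a structural check on the result a wrong key would be reported as a success. In practice the same check is worth running on any blob a loader hands to a start function, since a decrypted module that is not a PE usually means the loader applies a second transformation (a decompression or a second cipher layer) that still has to be found.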

We know that this RAT module has variants that trace back to 2011. A blog post published in September 2020 from Reversing Labs documents this and notes:

“(M)alware families require a lot of maintenance and improvement to achieve long-term operability. Even though such continuous upgrading helps malware avoid detection mechanisms, it also results in related malware versions.”

The bottom line is that a great deal of time and investment goes into malicious tools like this and the owners will go to great lengths over time to keep the investment viable.

2. Trojans go to great lengths to hide their tracks and avoid detection.

As antivirus, EDR/XDR, and sandbox capabilities proliferate, attackers are using more sophisticated forms of obfuscation and evasion techniques to protect the tools of their trade. One example we’ve seen recently is a new take on another old RAT, CRAT.

CRAT is a remote access trojan which consists of multiple RAT capabilities, additional plugins, and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Apart from the prebuilt RAT capabilities, the malware uses obfuscation and extensive evasion techniques to hide its malicious indicators and employs a highly modular plugin framework to selectively infect targeted endpoints.

Most importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of ransomware to either extort money or burn infrastructure of targeted entities. Over time, CRAT has acquired extensive capabilities through the use of a modular framework. These include screen capture plugins, clipboard monitor plugins, keylogger plugins, and ransomware.

As we mentioned, the CRAT makers have gone to lengths to hide the trojan’s actions. The RAT is highly obfuscated in terms of:

  • String Obfuscation: These are used to thwart string-based static malware detection signatures.
  • API Resolution: This makes analysis cumbersome for an analyst by hiding API call sequences.
  • Runtime Code Patching: This likely evades detection mechanisms that scan process memory to identify malicious strings and code.

Cisco Talos notes that: “The use of multiple obfuscations signifies the attacker’s confidence in selective obfuscation rather than the use of packers as a means of evasion. Many detection systems look for the presence of a packer using techniques such as entropy analysis, Import API analyses, etc. Selective obfuscation of code and strings prevents these systems from detecting the malware solely on the basis of the obfuscations.”

3. Trojans often make use of existing automation and standard internal processes to “blend into the wallpaper” and thereby persist undetected.

In The modern cybersecurity landscape: Scaling for threats in motion, we noted that fileless automation — Macros 4.0, VBA, or PowerShell, for instance — was often being used. Cyberattacks make use of legitimate software automation to hide and then reveal commands. We provided an example of a Macros 4.0 exploit that uses the Binary Interchange File Format (BIFF) to hide an embedded Microsoft Excel file.

Example macros 4.0 exploit

A recent example that abuses other existing automation is Valak, an information stealer and malware loader. Valak relies on scheduled tasks and Windows registry updates to remain persistent on an infected Windows host. The trojan uses Alternate Data Streams (ADS) to run follow-up malware. The configuration scripts used during the infection process are obfuscated in an attempt to evade detection.

The use of ADS, in particular, represents a serious ongoing threat, as it can easily hide follow-up malware. Furthermore, Valak will likely continue to find easy entry points because of its targeted nature, rich modular architecture and fast development cycles.
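Because ADS content is invisible to a plain directory listing, the cheapest place to catch the technique described above is in telemetry: any process command line or file event that references a path in the `file:stream` form is worth a look, once the streams Windows itself writes are filtered out. The following Python is an added example, not code from this post or from Cisco Umbrella; the log lines are constructed in a generic key=value shape (not any real product's format) and the path values in them are invented.

```python
import re

# A Windows path whose final component carries an alternate data stream name,
# e.g. C:\Users\a\update.txt:init.js or ...:init.js:$DATA. Path components may
# not contain ':', so the colon of a bare drive letter ("C:\") never matches as
# a stream separator. Whitespace is excluded as well, which keeps a command line
# such as "app.exe --time=12:30" from matching but also means paths containing
# spaces are skipped (see the note below the block).
ADS_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\(?:[^\\:\s"]+\\)*[^\\:\s"]+):(?P<stream>[^\\:\s"]+)(?::\$DATA)?',
    re.IGNORECASE,
)

# Streams Windows itself writes. The mark-of-the-web stream on every downloaded
# file is by far the most common and would otherwise drown the alert in noise.
BENIGN_STREAMS = {"zone.identifier"}


def find_ads_references(text: str):
    """Return (path, stream) pairs for every non-benign ADS reference in a log line."""
    hits = []
    for m in ADS_RE.finditer(text):
        stream = m.group("stream")
        if stream.lower() in BENIGN_STREAMS:
            continue
        hits.append((m.group("path"), stream))
    return hits


def scan_lines(lines):
    """Run the detector over log lines; return one finding per ADS reference."""
    findings = []
    for n, line in enumerate(lines, 1):
        for path, stream in find_ads_references(line):
            findings.append({"line": n, "path": path, "stream": stream})
    return findings


# Constructed endpoint log lines (invented paths, generic key=value layout).
SAMPLE_LOG = [
    'ProcessCreate image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe C:\\Users\\alice\\AppData\\Roaming\\update.txt:init.js"',
    'ProcessCreate image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\update.txt:init.js"',
    'FileCreateStream target=C:\\Users\\alice\\Downloads\\report.docx:Zone.Identifier',
    'ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe C:\\Users\\alice\\notes.txt"',
    'ProcessCreate image=C:\\Windows\\System32\\app.exe cmdline="app.exe --time=12:30"',
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} -> stream {f['stream']}")
```

Lines 1 and 2 fire (a script host launched from a stream, and a scheduled task that persists the same launch), the mark-of-the-web stream on line 3 is filtered, and the drive-letter colon and the `12:30` timestamp on lines 4 and 5 are ignored. A production rule should tokenize the command line into arguments before matching rather than rely on the no-whitespace restriction, so that paths under directories like `Program Files` are not missed; the list of benign streams also needs extending for whatever backup or sync software writes its own streams in a given environment.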

4. Finally, trojans are really ramping up their hide-and-go-seek game through the use of steganography (a technique that embeds malicious code into image files).

CardinalRAT is a remote access Trojan (RAT) that has been active since 2015. The latest instance of Cardinal RAT employs obfuscation in the form of steganography; the initial sample is compiled with .NET and contains an embedded bitmap (BMP) file. Upon execution, the malware will read this file, parse out pixel data from the image, and decrypt the result. Cardinal RAT is able to collect system information, act as a reverse proxy, steal passwords, download and execute new files, and capture keystrokes and screenshots.

For more information on how steganography can operate in plain sight, check out Shyam Sundar Ramaswami’s excellent blog post, “Using entropy to spot the malware hiding in plain sight.”
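The Talos observation in section 2 (that packer detection leans on entropy and import analysis, which selective obfuscation sidesteps) and the Cardinal RAT case above (an encrypted payload carried in the pixel data of a bitmap) both come down to where the high-entropy bytes sit. The following Python is an added example, not code from this post, from Cisco, or from the entropy blog post just cited: it computes Shannon entropy over a whole buffer and over sliding windows, then applies the same measure to the pixel array pulled out of a BMP via its `bfOffBits` header field. All samples are constructed: a random buffer stands in for a packed file, readable configuration text with one encrypted region stands in for selective obfuscation, and a smooth gradient versus random pixel bytes stands in for a natural image versus one carrying a payload.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def windowed_entropy(data: bytes, window: int = 1024, step: int = 256):
    """Entropy of each sliding window, as (offset, entropy) pairs."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]


def high_entropy_regions(data: bytes, threshold: float = 7.0,
                         window: int = 1024, step: int = 256):
    """Offsets of windows scoring at or above the threshold. The threshold has to be
    tuned to the window size: 1024 uniform random bytes score roughly 7.8 bits, but
    256 of them only about 7.2, because short samples underestimate entropy."""
    return [off for off, h in windowed_entropy(data, window, step) if h >= threshold]


def bmp_pixel_data(blob: bytes) -> bytes:
    """Return the pixel array of a BMP, located via the bfOffBits field at offset 10."""
    if len(blob) < 14 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", blob, 10)[0]
    return blob[off_bits:]


def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Build a minimal 24-bit BMP (14-byte file header + 40-byte BITMAPINFOHEADER).
    Test-data helper only; rows must already be padded to a multiple of 4 bytes."""
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


# --- constructed samples (no real malware) ---
_rng = random.Random(2021)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


_TEXT = (b"config=default;update=weekly;log=verbose;" * 400)[:8192]
# "Packed": the whole buffer is ciphertext-like, so a whole-file entropy check fires.
PACKED = _random_bytes(8192)
# "Selectively obfuscated": readable data with one 1536-byte encrypted region inside.
SELECTIVE = _TEXT[:4096] + _random_bytes(1536) + _TEXT[4096 + 1536:]

# A 32x32 gradient stands in for a natural image; random pixel bytes stand in for an
# image whose pixel array carries an encrypted payload.
_gradient = bytes(v for y in range(32) for x in range(32) for v in (x * 8, y * 8, 128))
NATURAL_BMP = make_bmp(_gradient, 32, 32)
STEGO_BMP = make_bmp(_random_bytes(32 * 32 * 3), 32, 32)


if __name__ == "__main__":
    for name, buf in (("packed", PACKED), ("selective", SELECTIVE)):
        print(f"{name}: whole-file {shannon_entropy(buf):.2f} bits, "
              f"high-entropy windows start at {high_entropy_regions(buf)[:3]}")
    for name, bmp in (("natural", NATURAL_BMP), ("stego", STEGO_BMP)):
        print(f"{name} BMP pixel entropy: {shannon_entropy(bmp_pixel_data(bmp)):.2f} bits")
```

The whole-file score is what a packer heuristic looks at, and it stays well below a typical 7-bit threshold for the selectively obfuscated buffer even though a 1.5 KB encrypted region sits inside it; the sliding window finds that region. The BMP half makes the same point for images: the pixel array, not the file headers, is where an embedded payload shows up. Real photographs carry sensor noise and compression artifacts that push their entropy higher than a synthetic gradient, so a deployed check needs a baseline from clean images of the same type rather than a fixed cut-off.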

Trojans have adapted and evolved over decades now. The capabilities and TTPs they have acquired make them highly useful and, therefore, quite formidable for cyber defenders. They will undoubtedly continue to surprise and challenge us. Never underestimate a well-built trojan.

For more information about the various forms of trojans and how to stop them, check out The modern cybersecurity landscape: Scaling for threats in motion, and review our Interactive Intelligence capabilities.
