Every day, new malware is developed by criminals and eventually discovered by security researchers. Over the years the biggest threats have shifted, and some malware families have gone dormant as defenses spread and profit is found elsewhere. Some, such as LockBit, have endured for many years, releasing new strains to meet the needs of their criminal clients. Others, such as SamSam (one of the first ransomware families whose operators deployed it across entire networks rather than infecting single computers), fade into obscurity for one reason or another; in the case of SamSam, the 2018 criminal indictment of its alleged operators was enough to put an end to the attacks.
Occasionally, malware families that have gone dormant reappear later in a new campaign, often with new traits and forms, which emphasizes the importance of keeping threat analysis up to date. One example is Emotet, which began in 2014 as a banking trojan and evolved into a loader used to deliver other malware payloads. It is typically spread through phishing emails carrying Office documents and spreadsheets whose malicious macros install it; once on a machine it has been used to drop further malware, and most recently it has been instrumental in the first stage of ransomware campaigns. While the core Emotet malware and its behavior recur in each campaign, its operators' tactics have shifted many times since the first attacks in 2014. They are well known for taking long breaks between campaigns and reappearing months later with new tactics and more sophisticated payloads; each resurgence continues to catch companies off guard with huge waves of malspam.
By keeping a sharp eye on both currently active and dormant malware families, security policies can be adjusted to protect against current threats without overlooking families in a dormant period. Many threat intelligence sources specialize in the Indicators of Compromise (IoCs) of specific malware families, and indicators of dormant families remain valuable: the family may suddenly return on the same infrastructure, or other families may begin to reuse that known-bad infrastructure. Understanding and prioritizing the most timely and potentially damaging threats is necessary, but so is being prepared for the revival of dormant families.
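To make the point concrete, here is an added example (written for this page, not ThreatSTOP's own code or feed data) of matching resolver logs against an indicator set that keeps dormant indicators instead of pruning them. The log format, indicator values (RFC 5737 documentation addresses and RFC 2606 reserved names), family names and dates are all constructed for illustration. A hit on a dormant-only indicator is surfaced as a possible resurgence, and an indicator attributed to more than one family is flagged as infrastructure reuse; the `prune_stale` function shows what an age-based cleanup would have thrown away.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Indicator:
    value: str       # IPv4 address or fully qualified domain name
    family: str      # malware family the indicator is attributed to
    status: str      # "active" or "dormant"
    last_seen: date  # last date the indicator was observed in use


# Constructed, hypothetical indicators: documentation addresses and reserved
# TLDs only, not real IoCs from any feed.
INDICATORS = (
    Indicator("192.0.2.10", "FamilyA", "active", date(2021, 6, 1)),
    Indicator("c2-a.example", "FamilyA", "active", date(2021, 6, 1)),
    Indicator("198.51.100.7", "FamilyB", "dormant", date(2019, 3, 12)),
    Indicator("old-c2.example", "FamilyB", "dormant", date(2019, 3, 12)),
    # The same address later attributed to a second, active family: the
    # "reuse of previously malicious infrastructure" case.
    Indicator("198.51.100.7", "FamilyC", "active", date(2021, 5, 20)),
)

# Constructed resolver-style log lines in a hypothetical key=value format.
LOG_LINES = [
    "2021-06-03T10:00:01Z client=10.0.0.5 query=www.example.com answer=203.0.113.9",
    "2021-06-03T10:00:02Z client=10.0.0.5 query=c2-a.example answer=192.0.2.10",
    "2021-06-03T10:00:03Z client=10.0.0.6 query=old-c2.example answer=198.51.100.7",
    "2021-06-03T10:00:04Z client=10.0.0.7 query=cdn.example.net answer=198.51.100.7",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    observable: str   # the domain or IP that matched
    families: tuple   # every family the observable is attributed to
    verdict: str      # "active", "dormant" (possible resurgence) or "reuse"


def build_index(indicators):
    """Map each indicator value (lower-cased) to all attributions for it."""
    index = {}
    for ind in indicators:
        index.setdefault(ind.value.lower(), []).append(ind)
    return index


def classify(hits):
    """Derive a verdict from every attribution of one observable.

    More than one family on the same infrastructure is reported as reuse even
    if one of them is dormant; otherwise any active attribution wins, and a
    dormant-only hit is kept and reported rather than dropped.
    """
    families = tuple(sorted({h.family for h in hits}))
    if len(families) > 1:
        return "reuse", families
    if any(h.status == "active" for h in hits):
        return "active", families
    return "dormant", families


def scan(lines, indicators=INDICATORS):
    """Return one Finding per matched query name or answer address."""
    index = build_index(indicators)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        for observable in (m["query"], m["answer"]):
            hits = index.get(observable.lower())
            if hits:
                verdict, families = classify(hits)
                findings.append(Finding(m["ts"], m["client"], observable, families, verdict))
    return findings


def prune_stale(indicators, today, max_age_days):
    """The naive cleanup this page argues against: drop anything not seen
    within max_age_days, which silently removes dormant families."""
    cutoff = today - timedelta(days=max_age_days)
    return tuple(i for i in indicators if i.last_seen >= cutoff)


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f.ts, f.client, f.observable, f.verdict, ",".join(f.families))
    kept = prune_stale(INDICATORS, date(2021, 6, 3), max_age_days=365)
    print("findings after pruning dormant indicators:", len(scan(LOG_LINES, kept)))
```

With the full indicator set the scan reports five findings: two active hits for FamilyA, a dormant-only hit on `old-c2.example` that would justify checking whether FamilyB is back, and two reuse hits on `198.51.100.7` naming both FamilyB and FamilyC. After pruning everything older than a year the dormant hit disappears entirely and the reuse hits degrade to plain FamilyC matches, which is exactly the context an analyst loses when dormant indicators are deleted instead of kept under a separate status.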
While this sounds like a strenuous and complicated endeavor, ThreatSTOP can help facilitate this process. ThreatSTOP’s in-depth intelligence analysis and research has been leveraged to create policy bundles for both dormant and active malware variants. The analysts’ thorough understanding of the current threat landscape ensures that these bundles stay up-to-date with the most recent threat intelligence as collected and received from trusted partners. As a result, customers can now choose an automatically-updating bundle of the currently active malware targets rather than manually selecting malware variants to add to their policies. The dormant bundle has also been made available to ensure protection from re-emerging threats and the reuse of previously malicious infrastructure by new variants. We hope to save our customers time, research, and worry, while ensuring their policies are effectively and comprehensively structured to protect against threats of the past, present, and future.
ThreatSTOP users can add the following bundles to protect their network from prevalent malware variants: Active Malware – IPs, Active Malware – Domains.
For users who want to add another layer of protection, the Dormant Malware bundles block re-emerging threats should they restart their malicious activity.
Not a ThreatSTOP customer yet? Feel free to explore our website to get to know our solutions, or click below to see ThreatSTOP in action.