Sticky Blog

Modular Malware

  • 3 December 2020
  • 27 replies
Modular Malware
Userlevel 7
Badge +17

The world of malware, including the teams that build and orchestrate malware attacks, has been drastically changing over the past decade. One of the biggest changes that has occurred is the configurability and modularity of malware payloads. The Ransomware business model is a prime suspect in this development. The biggest ransomware attacks that take place nowadays are often orchestrated by different pieces of malware, all developed by different teams. It is less common to see a “one size fits all” form of malware anymore; instead, multiple malware payloads are utilized for each step of the process to eventually lock data behind a ransom demand.


There are a few main steps involved in dropping a ransomware payload on a computer network. In this article we are going to analyze each of those steps by describing how they are carried out, which piece of software is being used, and how all of the modular malware pieces fit into the larger puzzle of a ransomware attack. There are many configurations available for a modular malware attack, all with varying methods of infection, analysis of data, and the eventual dropping of a ransomware payload.


The ransomware variant that has pulled in the most ransom income (according to the FBI) is Ryuk, by quite a large margin. As you can see in this graph, a reported $61 million has been acquired via attacks that use the Ryuk software:



Keep in mind that the above graph is an estimation based on “reported” ransomware attacks. In reality, all of these numbers are likely higher. This is because most companies that get hit with ransomware prefer to sweep it under the rug whenever possible. Having your data compromised by ransomware is incredibly bad press. That being said, Ryuk still wins out in terms of ransom revenue generated by a huge amount compared to the rest of the variants.


Ryuk is a type of ransomware payload – dropping this on a network is the final stage of the process in orchestrating a ransomware attack. The first two stages are often carried out by other malware. To describe this modular process, I will focus on the malware variants commonly used with Ryuk: Emotet and Trickbot.



This is the first piece of the larger puzzle. The goal of infecting a machine with Emotet is to get a foothold within a computer network. It is the trojan horse piece of this larger puzzle. The primary way a computer becomes infected with Emotet is through a malicious Word document being emailed to and subsequently opened by an individual. Once the Word document is opened, the user gets a notification at the top of the document to click an “Enable Content” button:


As you can see in the above image, the current go-to method of tricking people is with fake COVID-related information

Clicking that button is the moment you are opening the gates to your computer. It is what allows a malicious script to run in the background of your computer and begin the process to move into the next stage of infection. That script code is incredibly simple and looks like this:


Webroot customers will be happy to know that we protect your computer incredibly well from all stages of infection.


Trickbot is the second puzzle piece to the larger project of infecting a network with Ransomware. Trickbot’s purpose is to move laterally within a computer network and create a backdoor for the criminal to analyze data and grab anything they can get: passwords, plain text documents, employee info, company income, etc. The criminals are analyzing everything they can to determine the value and types of data available on that network. Once the attacker has some password/credential data, they will attempt to gain access to any other part of that network.



As Trickbot spreads throughout a network, it is creating persistent and silent copies of itself in directories where it won’t be found. Once it has gathered enough credentials, the attacker can even choose to remote desktop into any of those machines. However, the remote desktop isn’t a necessary process. Most of the time, Trickbot’s main goal is to get access to the Domain Controller of a network. Once it has that kind of access, the attacker can bypass nearly every security protocol on the network.


At this stage of infection, they call the shots and control every aspect of that system. Antivirus can be turned off, backups deleted, and the ransomware payload (Conti/Ryuk) can be easily dragged and dropped onto every computer connected to this network.



Conti/Ryuk is the final piece of this malware puzzle. Once Emotet and Trickbot have done their jobs, analyzed the environment, and gained unfettered access, the ransomware payload is all but guaranteed. When Ryuk is dropped and activated across the computer network, there are two things occurring: all of the available data is encrypted, and a message appears with an explanation of what happened and a demand for a ransom payment is made. The ransom amount is often determined based on the size of the company/cashflow/etc. Ransom requests can range anywhere from $10k to millions of dollars, in cryptocurrency, depending on the size of the target. That ransom message will also include basic instructions on how to acquire cryptocurrency, the receiving crypto wallet address, and perhaps a contact e-mail to negotiate payment.


This is how modular malware works to infect computer systems around the world. What do you think? Do you have any predictions for how this method could evolve in the future? Has your company ever been infected by ransomware? Leave your comments/questions below!

27 replies

Userlevel 3
Badge +2

Our company had to investigate a ransomware attack about a year ago and they discovered that a networked PC was first exploited by Emotet. It really helps to understand the process by which an attacker plans and executes the attack. This information helps me understand which areas of the network were vulnerable and need to be better secured.

We recently had a very similar incident with one of our clients. Unfortunately, for our client, they have not rotated their offsite backup drives, and as such, had a massive data loss, which is never a good thing. Decent AV, as well as a proper 3-2-1 backup strategy, is absolutely so vital. SAT from Webroot is so crucial and has truly to be advocated by us to all our customers. 

Userlevel 3
Badge +2

You are absolutely correct, Martin.1. We have had clients over the past few years who lost data due to inadequate backups. In all cases they were hesitant to pay for the off-site backup service, or did not rotate the USB drives. It’s a hard pill to swallow when it happens. SAT training is the best tool for training users (the weakest link) not to click on malicious links or open malicious emails!

Userlevel 6
Badge +17

I have seen this method used to thwart hackers too. Many years ago, DirecTV was plagued by hackers who cracked their security and digital rights management rights system to allow people who followed the instructions to get free DirecTV. The number of people doing this started climbing. 

The brilliant engineers at DirecTV started making subtle changes to the smart card algorithms which required the hackers to release new updates to crack it again. DirecTV sped up the releases, making the hackers work faster and faster, with less time to fully understand all the “data” that was arriving as part of the new algorithms.. This went on until Super Bowl Sunday, shortly after the last crack release went out.

DirecTV remotely sent a directive to the Smart Card, which would only execute on hacked systems, to jump to a location in the middle of the data in all the updates. Which contained hidden code which executed a program that caused the bootleg smart card to get stuck in a tight loop, rendering it useless. 

Using small updates with what looked like perfectly benign data were actually just a small part of a bigger program that would be assembled over time. Not surprising that this method is the next attack vector. Small innocuous prices of code get assembled later to do damage. 


Userlevel 3
Badge +2

The attack starts with a email, so what’s the best way to avoid falling victim? Security Awareness Training! 

This really helps me understand where my network is vulnerable and need to be better secured.

Userlevel 2

Has anyone deployed the Security Awareness Training to their clients?  Any pointers?  Thanks!

Has anyone deployed the Security Awareness Training to their clients?  Any pointers?  Thanks!

We use KnowB4 for Phishing training (and it’s really fun tbh). It’s a controlled email test that you can customize, or have a scheduled template and send to whomever. In our case, we do internal testing and some clients. The reports are HILARIOUS (and really sad) when you see your supervisor on there. Great reminder tool. 

Userlevel 2

Thanks for the pointers AntiEmerej

Thanks for helping me understand a little bit more about Malware and how it can get access to either my personal computer or my work’s network. Definitely a very interesting read! 

Funny thing - we JUST had a phishing test this morning. I’ve gotten used to spotting the fake attacks likely due to mass practice. Always good to stay on top of things with active testing... even if it’s just a friendly reminder. 

This is really timely. The “Modular Malware” article is very well written. Having actual costs for each type identifies the severity of the problem to businesses. Then, the explanations of HOW the different modules work to collectively function describes the process simply for any business person rather than being focused on IT personnel.

Looking through the comments, this is timely for me personally as I am going to pitch Webroot Security Awareness Training to someone that is already familiar with KnowB4. Do you have any comments about how Webroot Training would be superior or outshine the KnowB4 product? I would rather get my client lead to use me rather than their KnowB4 vendor.

Userlevel 2

We plan on rolling out the Security Awareness Training next quarter.

A great read! It’s certainly a multi level approach that’s needed, endpoint protection, DNS filtering, hardware/UTM … and end user training! It all falls apart if the end user opens the door! 

Userlevel 2

What other, if/any,  endpoint protection agents are you running in tandem with  Webroot (ex: Malwarebytes)

I tend to investigate how viruses work as a hobby on the side, in a protected virtual environment of course. But even that’s not safe anymore as malware/viruses pick up on these things and spread through the network anyway.

It may be simple enough to remind someone to be vigilant but time and time again, I always have someone saying they’ve clicked a malicious link asking them to enter their Office 365 details on phishing pages, that’s becoming a more popular attack right now.

Userlevel 3
Badge +5

$144 million.  The threat isn’t going to disappear any time soon.

Even with a layered defense, emails still get through (usually in the form of an email from someone who fell for phishing elsewhere.)  I’ve been sending out emails a 2-3 times a month warning of different attempts that made it through.  This appears to be working as people are telling me about one so I can warn the others.  Haven’t had anyone phished since summer.  *crosses fingers*

Userlevel 1

Saw a few Emotet infections this year - now that I’ve seen this I better understand what we saw in terms of malware behaviour.

Mitigation measures and backup helped a great deal in ensuring there was no data loss and in each case infection was limited to a single endpoint, however the nuisance of the botnet trawling a mailbox and sending fabricated reply emails with it’s payload in one case resulted in us taking a mailbox offline in order to stem the flow of spam. 

Since a number of our customers work with each other we were able to see first hand just how important end user education is - those users who better understood what to look for readily identified the phishing attempts and emails with macro-loaded Word docs. Another factor was certainly the existing load on a users mailbox - those users who are already dealing with lots of newsletter/spam and just a sheer large volume of email are more likely in our experience to click into these emails in their haste to process their email. What we like to call mailbox hygiene is certainly more important for these users.

Great article and overall explanation. Having been a part of a company that dealt with multiple customers being infected I understand how troublesome this type of stuff can be. It is hard to guess what will come next, but one thing is for sure… it will be very creative. 

Really great breakdown of the infection process.


This highlights how important anti-phishing technology and user education is to preventing these attacks. If you prevent the phish, you prevent the virus.

All prevention starts with training end users to be more careful in clicking links in emails.  It is definitely worth investing in cyber security training!

Userlevel 3
Badge +3

It's becoming harder as the phishing nails become more sophisticated in presentation and targeted. A solid DNS strategy and execution control is vital.


Userlevel 4
Badge +3

Its very interesting understanding the attack vectors

I’m glad I’ve got software to help mitigate attacks. I cannot fathom securing all these attack vectors myself and perform all my other daily IT tasks.

Userlevel 7
Badge +17

And that’s a wrap on the 12 days of giving campaign! 

Thanks so much to everyone that took part in this campaign and left some valuable feedback! 

Hope everyone has a nice, safe holiday!