Botnets continue to be one of the most prevalent and dangerous forms of malware organizations contend with. That’s in part because botnets tend to target devices that can’t be patched or updated and yet fill a critical function inside an organization. For example, industrial IoT devices can be responsible for monitoring and managing critical systems — like a thermostat on a massive boiler or a valve or switch in an energy plant — that, if compromised, can impact the lives and safety of individuals. Likewise, medical IoT devices, such as scanners, pumps or monitors, can cause serious harm to patients if tampered with.
Even less critical deployments of IoT devices, such as a smart TV or connected thermostat, can result in significant harm if compromised. As IoT devices share information with other devices, they can be a gateway for malware. They also gather essential or sensitive data which, if compromised, could severely impact the reputation of an organization.
For the past year, Fortinet’s quarterly Threat Landscape Report has created and monitored a Threat Landscape Index that tracks malware, exploits and botnets. In Q2 2019, not only did the overall score for the Threat Landscape Index increase 4%, but the botnet tracking index reached an annual high.
One of the more interesting botnets to rise to the top of the list this quarter is Zegost, a malware bot capable of downloading and executing additional malware, receiving commands from and relaying data back to a control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in DDoS attacks, and even locking and encrypting the contents of a computer and demanding payment for its safe return.
Known to also operate under the aliases Zusy and Kris, Zegost is primarily an infostealer that has been active since 2011, though it has received a large number of updates during the intervening years that have greatly improved its capabilities. These include the ability to use specific PowerShell functions to download its infostealer payload to a victim’s machine the moment the user’s mouse moves over a particular piece of text. It can also clear its own event logs, giving the infostealer long-term evasion capabilities and granting it more time to move laterally across a victim’s network.
One recent update went so far as to enable it to use COM programming, an uncommon feature in malware. And like other infostealers, since the main objective of Zegost is to gather information about a victim’s device and exfiltrate it, its most recent incarnation has the ability to access and record from a victim’s webcam.
It can also hunt for OS versions, analyze the speed and quantity of processors in a victim’s machine, check for an internet connection and look for the remote desktop protocol port number. Zegost also hunts for a login number for QQ, which is a Chinese chat client — a feature that corresponds with its Chinese origin.
One of the most significant upgrades appearing in a number of malware variants during Q2 of 2019 is the increased ability to disable security and evade detection. Zegost is no exception. Compared to other infostealer malware, Zegost is uniquely configured to stay under the radar, making it far more of a long-term threat than its contemporaries. It accomplishes this by clearing its own event logs, as well as avoiding runtime conflicts by creating a mutex, which it checks to ensure only a single instance of itself is running. Another recent development in Zegost’s evasion capabilities is a command that can keep the infostealer “in stasis” until a specific date, after which it begins its infection routine, allowing it to load itself onto a vulnerable device and then remain there undetected until some trigger, such as an internal timer, brings it back to life. It can also avoid detection by launching its processes in a hidden window.
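Two of the evasion behaviours described above, clearing the Windows event logs and launching processes in a hidden window, leave traces that a defender can alert on. The following detection rules are an added example written for this article, not code from Fortinet or from the report; the log lines are constructed samples in a simplified key=value form, and the field names (`channel`, `id`, `cmd`) are assumptions that mirror the Windows Security/System logs and Sysmon process-creation events rather than any vendor’s exact schema.

```python
"""Detection rules for two Zegost-style evasion behaviours:
(1) an event log being cleared, (2) a process launched with a hidden window.

Log lines are constructed samples (key=value form), not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (channel, event id) pairs that record an event log being cleared.
# Assumed mapping to real Windows events: Security 1102 "The audit log was
# cleared" and System 104 "The System log file was cleared".
LOG_CLEARED = {("Security", "1102"), ("System", "104")}

# PowerShell switches that hide the console window (-WindowStyle Hidden / -W Hidden).
HIDDEN_WINDOW = re.compile(r"-(?:windowstyle|w)\s+hidden", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse key=value pairs; a value in double quotes may contain spaces."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Apply both rules to one parsed event; return a Finding or None."""
    channel, eid = event.get("channel", ""), event.get("id", "")
    host = event.get("host", "?")
    if (channel, eid) in LOG_CLEARED:
        return Finding(host, "event_log_cleared",
                       f"{channel} log cleared by {event.get('user', '?')}")
    # Sysmon event id 1 is process creation; inspect the command line.
    if channel == "Sysmon" and eid == "1":
        cmd = event.get("cmd", "")
        if HIDDEN_WINDOW.search(cmd):
            return Finding(host, "hidden_window_process", cmd)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the rules over raw log lines and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = evaluate(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: a normal logon, a hidden PowerShell launch, two log
# clears (one on a workstation, one on an industrial HMI) and a benign process.
SAMPLE_LOGS = [
    'host=ws-17 channel=Security id=4624 user=alice',
    'host=ws-17 channel=Sysmon id=1 user=alice '
    'cmd="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand AAAA"',
    'host=ws-17 channel=Security id=1102 user=alice',
    'host=hmi-boiler-01 channel=System id=104 user=SYSTEM',
    'host=ws-22 channel=Sysmon id=1 user=bob cmd="notepad.exe report.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

A log-clear event is a strong signal on its own because legitimate administrators rarely clear logs, and when they do it is normally a scheduled, documented action; pairing it with a hidden-window process launch from the same host within a short window is the kind of correlation the integrated-console recommendation later in this article is aiming for.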
Addressing the challenge of complex IoT botnets
Zegost represents a new generation of multifunctional botnets that are capable of a variety of attacks, infiltration techniques, and antidetection and evasion strategies. Defending against Zegost and similar threats can be challenging, requiring a full arsenal of security mechanisms working together as a single, integrated system.
These security functions need to include the following:
- Patch what you can, replace what’s become obsolete and deploy close proximity controls for everything else.
- Implement advanced behavioral analysis combined with network access control to detect unusual behavior in your IoT traffic.
- Put network access control in place and ensure every IoT device is identified, inventoried and tracked.
- Establish dynamic network segmentation to confine IoT traffic from the moment it attaches to the network, thereby restricting malware to a subset of the larger network’s attack surface.
- Integrate security tools that can collect, aggregate and correlate threat events from multiple sources or locations through a single management and orchestration console so complex threats can bubble up to the surface and be addressed.
- Use advanced threat intelligence to increase your ability to detect new threats in your network based on real-time updates.
- Rely on advanced technologies, such as automation, machine learning and AI, to respond to new threats at digital speeds before they cause serious harm.
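The inventory, segmentation and correlation items above fit together as one mechanism: if every IoT device is inventoried with the segment it belongs to and the few destinations it legitimately needs, then any flow outside that policy is an event worth surfacing. The following is an added example illustrating that idea, not code from Fortinet or the report; the inventory, the devices, the addresses and the flow records are all constructed, and the port choices (502 for Modbus, 443 for the management server, 3389 for RDP, which the article notes Zegost looks for) are assumptions.

```python
"""Inventory-driven segmentation check for IoT traffic.

Each inventoried device carries its segment and an allow-list of
(destination CIDR, port) pairs.  Flow records are checked against that
policy and violations are aggregated per device so repeat offenders
bubble up.  All data here is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    name: str
    segment: str                       # CIDR the device is expected to live in
    allowed_dst: Set[Tuple[str, int]]  # (dst CIDR, dst port) pairs it may reach


# Constructed inventory: an industrial thermostat and a medical pump, each
# confined to an IoT segment and allowed to reach only a management server
# (assumed 10.10.0.5:443) plus, for the thermostat, Modbus peers in-segment.
INVENTORY: Dict[str, Device] = {
    "10.50.1.10": Device("boiler-thermostat", "10.50.1.0/24",
                         {("10.50.1.0/24", 502), ("10.10.0.5/32", 443)}),
    "10.50.1.11": Device("infusion-pump-3", "10.50.1.0/24",
                         {("10.10.0.5/32", 443)}),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow matches policy."""
    dev = INVENTORY.get(flow.src)
    if dev is None:
        # A source that is not in the inventory is itself a finding.
        return f"uninventoried device {flow.src} -> {flow.dst}:{flow.dport}"
    dst = ip_address(flow.dst)
    for cidr, port in dev.allowed_dst:
        if dst in ip_network(cidr) and flow.dport == port:
            return None
    return f"{dev.name} -> {flow.dst}:{flow.dport} not in allowed destinations"


def check_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and keep only the violations."""
    results = []
    for flow in flows:
        violation = check_flow(flow)
        if violation:
            results.append((flow, violation))
    return results


def summarize(violations: List[Tuple[Flow, str]]) -> Dict[str, int]:
    """Count violations per source so a device probing many hosts stands out."""
    counts: Dict[str, int] = {}
    for flow, _ in violations:
        label = INVENTORY[flow.src].name if flow.src in INVENTORY else flow.src
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed flow records: two legitimate flows, a pump reaching two
# workstations on RDP (lateral-movement shape), and an unknown device.
SAMPLE_FLOWS = [
    Flow("10.50.1.10", "10.50.1.20", 502),
    Flow("10.50.1.10", "10.10.0.5", 443),
    Flow("10.50.1.11", "10.20.0.7", 3389),
    Flow("10.50.1.11", "10.20.0.8", 3389),
    Flow("10.50.1.99", "10.10.0.5", 443),
]

if __name__ == "__main__":
    found = check_flows(SAMPLE_FLOWS)
    for flow, why in found:
        print(why)
    print(summarize(found))
```

In practice the allow-list is enforced by the segmentation policy itself and this check runs on the flow or firewall logs as a detection layer behind it, so that a device quietly reaching for RDP on hosts outside its segment is reported even if a rule somewhere permitted the connection.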
As IoT device deployment increases, along with our reliance on the data and services IoT devices provide, we must commit to staying ahead of the rapid development of malware designed to exploit that attack vector. Cybercriminals will not only continue to develop new threats aimed at IoT, but those threats will continue to grow in sophistication and capabilities over time, requiring more integration, cohesion and efficiency between traditionally distributed and isolated solutions.
By following the steps outlined above, organizations stand a much better chance at mitigating such threats and enabling their digital transformation efforts to grow as they address today’s new digital marketplace.
Read more from the “Q2 2019 Threat Landscape Report.”