
Mirai, STRRAT and Emotet see resurgence in Q1 2022

(“Coding Javascript” by Christiaan Colen is licensed under CC BY-SA 2.0)

Nuspire, a leading managed security service provider (MSSP), on Tuesday reported in its Q1 2022 Threat Report that several older botnets, including Mirai, STRRAT, and Emotet, saw a resurgence in Q1.

Best known for co-opting IoT devices to launch DDoS attacks, Mirai showed a spike in activity in February 2022. Nuspire said this corresponded with the discovery of Spring4Shell, a zero-day attack on the popular Java web application framework, Spring Core. The attack allows for unauthenticated remote code execution, and data show Mirai exploited this vulnerability for its botnet.

The report also found that Visual Basic for Applications (VBA) trojans continue to be the top malware variant, comprising nearly 30% of all malware variants. According to the report, VBA trojan activity spiked just prior to Microsoft’s announcement of plans to block VBA macros by default on Office products.

Malicious code written in scripting languages such as VBA is notoriously hard for anti-virus or EDR engines to detect, said John Bambenek, principal threat hunter at Netenrich. Bambenek said that, unlike with compiled languages, pattern-matching systems just fall short when it comes to scripting.

“Attackers, fully aware of this problem, are increasingly relying on this to get around our detections,” Bambenek said. “It’s not just VBA. PowerShell is used in almost all advanced attacks at some point in the attack lifecycle. Until we get better at detecting and correlating behaviors, attackers will keep using scripting to eat our lunch.”

On the resurgence of Mirai, Christopher Prewitt, chief technology officer at MRK Technologies, said sooner or later, "everything old is new again" — and it's Mirai's time.

“It's a tool, and much like a 30-year-old hammer can still sink a nail into wood, Mirai's codebase is good at both propagation and brute forcing, making it efficient for botnet operators,” Prewitt said.
