A blended threat is a type of malware whose functionality combines those of various malware types, such as worms, Trojans, and backdoors, to breach and take over a target network effectively. Its infection chain is usually triggered by an event, such as a website visit. From there, a victim is redirected to a malicious site. Once on it, the victim is tricked into downloading the blended threat through a clever social engineering ploy. Downloading the file installs the malware on the victim’s computer, and the infection starts.
Blended threats were born out of threat actors’ need to evade detection and remediation. Malware with only one capability is more easily detected and stopped before it achieves its goal.
What Qualities Make a Blended Threat?
Blended threats are typically characterized by the following:
They can propagate via different methods.
Operators of blended threats typically start by scanning a target network for exploitable vulnerabilities. The means employed include uploading HyperText Markup Language (HTML) code to the victim’s server, diverting the victim to a compromised website, or sending the victim a malware-laced email attachment.
They can attack from multiple points.
Blended threats often inject malicious code into an executable (.exe) file stored on a target computer. In some cases, these files escalate the privileges of a guest account, allowing their users to do whatever they want on a network. Typical payloads include creating world-readable and world-writable network shares, adding scripts to HTML files, and making several registry changes.
They can spread without human intervention.
It is common practice to build worm capabilities into blended threats so they can spread without human intervention.
They can exploit a vulnerability.
Blended threats are also known for taking advantage of server weaknesses, such as default passwords, to gain unauthorized administrative access.
What Are Famous Examples of Blended Threats?
Some examples of blended threats include:
Code Red is a computer worm first seen on 15 July 2001. It affected computers running Microsoft Internet Information Services (IIS), making it the first large-scale blended threat targeting enterprise networks.
Code Red’s creators began by defacing targets’ websites. The worm then copied itself to other connected systems to spread. Infected networks suffered from a denial-of-service (DoS) attack. After performing this final payload, the worm went into hibernation.
Nimda, like Code Red, is essentially also a computer worm. The malware allegedly originated from China. First released on 18 September 2001, it affected workstations running Windows 95, 98, NT, and 2000/XP, along with Windows NT and 2000 servers.
Nimda was considered a blended threat due to its use of five different infection vectors. It spread through opened emails, connections to infected network shares, visits to malicious websites, exploitation of various IIS vulnerabilities, and backdoors left open by Code Red.
Interestingly, its name came from reversing the spelling of “admin.”
Bugbear is another computer worm that spread through a multipronged attack on targets. It first spreads via an email with an attachment that is 50,688 bytes long. If that fails, it then spreads through network shares.
Once a system is infected, Bugbear runs and copies itself into a system subdirectory of the Windows folder. It then adds itself to the Startup folder. It also has Trojan capabilities, allowing it to terminate firewalls and antimalware software.
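The payload behaviours listed above (HTML files edited, open network shares created, registry changes, Startup-folder persistence, security tools killed) are individually weak signals; what makes a threat "blended" is their co-occurrence on one host. The following added example, not code from the original page, correlates such behaviours per host over a constructed event feed and flags a host only when several distinct categories appear. The event format, category names and patterns are illustrative assumptions, not any vendor's telemetry schema.

```python
"""Correlate several distinct host behaviours before flagging a host (added example)."""
from collections import defaultdict
import re

# Behaviour categories drawn from the page's description of blended-threat payloads.
# The simplified "key=value" event format and the patterns are assumptions for this demo.
RULES = {
    "html_tamper":     re.compile(r"type=file_write path=\S+\.html?$", re.I),
    "open_share":      re.compile(r"type=share_create \S+ perms=everyone-rw$", re.I),
    "startup_persist": re.compile(r"type=file_write path=\S*\\Startup\\\S+$", re.I),
    "run_key":         re.compile(r"type=reg_set key=\S*\\CurrentVersion\\Run\\\S+$", re.I),
    "defense_kill":    re.compile(r"type=proc_kill target=\S*(firewall|antimalware|antivirus)\S*$", re.I),
}


def classify(event: str):
    """Return the first behaviour category an event line matches, or None."""
    for name, pattern in RULES.items():
        if pattern.search(event):
            return name
    return None


def correlate(events, threshold=3):
    """Collect distinct behaviour categories per host and return only hosts
    that reach `threshold` categories, mapped to the sorted category list."""
    seen = defaultdict(set)
    for line in events:
        host = re.search(r"host=(\S+)", line)
        category = classify(line)
        if host and category:
            seen[host.group(1)].add(category)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= threshold}


# Constructed sample telemetry: ws1 shows four categories, ws2 one, ws3 two.
SAMPLE_EVENTS = [
    "host=ws1 type=file_write path=C:\\inetpub\\wwwroot\\index.html",
    "host=ws1 type=share_create name=C$ perms=everyone-rw",
    "host=ws1 type=file_write path=C:\\Users\\bob\\Startup\\update.exe",
    "host=ws1 type=proc_kill target=firewall.exe",
    "host=ws2 type=file_write path=C:\\Users\\ann\\Startup\\notes.lnk",
    "host=ws3 type=reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "host=ws3 type=file_write path=C:\\temp\\report.html",
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(cats)} blended-threat behaviours: {', '.join(cats)}")
```

Lowering `threshold` trades false positives for earlier warning; a single Startup-folder write (ws2) is normal user activity, while an HTML edit plus a Run-key change on one host (ws3) already deserves a look.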
Blended threats have now become the norm. They can cause costly and destructive damage because they can trigger multiple attacks at once. It should thus be part of any computer user’s security measures to use antimalware capable of detecting and preventing them from infecting a system. Patching vulnerabilities also helps mitigate blended threats.