Specialised hunter-killer malware that is able to identify and disable key cyber security tools such as next-generation firewalls, antivirus software, and endpoint detection and response (EDR) solutions saw a fourfold surge in volume during 2023, demonstrating a dramatic shift in threat actors’ ability to neutralise enterprise defences.
This is according to Picus Security’s latest annual Picus red report, which analysed more than 600,000 malicious samples observed during the period and mapped them to more than seven million instances of Mitre ATT&CK techniques, an average of 11 techniques per sample.
“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Suleyman Ozarslan, Picus Security co-founder and vice-president of the firm’s research unit Picus Labs, which compiled the report data.
“Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defences, new malware is designed to not only evade security tools but actively bring them down. We believe cyber criminals are changing tack in response to the security of average businesses being much-improved, and widely used tools offering far more advanced capabilities to detect threats.
“A year ago, it was relatively rare for adversaries to disable security controls. Now, this behaviour is seen in a quarter of malware samples and is used by virtually every ransomware group and APT group,” said Ozarslan.
The behaviour of hunter-killer malware maps to the Mitre ATT&CK technique tracked as T1562 Impair Defences, and the dramatic growth in its use made this the third most observed Mitre technique in 2023.
Picus said the trend was compounded by the repurposing of legitimate cyber security utilities as malicious tools. For example, in 2023 the LockBit ransomware crew used Kaspersky’s TDSSKiller anti-rootkit utility as a weapon to kill endpoint security software – including Microsoft Defender.
The surge in hunter-killer malware is part of a wider trend of threat actors optimising their chances of successful attacks by evading their victims’ cyber defences – 70% of malware analysed for the report now employs stealth techniques to evade detection and establish and maintain persistence. Picus observed a doubling in the use of obfuscated files or information, designed to hinder the effectiveness of security tools and evade detection, incident response and subsequent forensic analysis.
“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools because they may still appear to be working as expected,” said Huseyin Can Yuceel, security research lead at Picus Security.
“Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defence-in-depth approach. Security validation must be a starting point for organisations to better understand their readiness and identify gaps.
“Unless an organisation is proactively simulating attacks to assess the response of its EDR, XDR [extended detection and response], SIEM [security information and event management], and other defensive systems that may be weakened or eliminated by hunter-killer malware, they will not know they are down until it is too late,” said Yuceel.
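Yuceel’s point that a disabled tool can still look healthy is why defenders watch the events the tools themselves emit. The following added example (not code from the Picus report) maps Windows Defender, Security and System log event IDs to the T1562 sub-techniques for disabling tools and event logging; the log lines and their pipe-separated export format are constructed, while the event IDs are the real Windows ones.

```python
"""Toy detection pass for T1562 Impair Defences indicators in Windows event logs.
Added example, not from the Picus report: event IDs are real Windows log IDs,
the log lines are constructed, and the pipe-separated format is an assumption."""
from collections import Counter

# (channel, event_id) -> (ATT&CK sub-technique, what the event means)
IMPAIR_DEFENCE_RULES = {
    ("Defender", 5001): ("T1562.001", "Defender real-time protection disabled"),
    ("Defender", 5010): ("T1562.001", "Defender antispyware scanning disabled"),
    ("Defender", 5012): ("T1562.001", "Defender antivirus scanning disabled"),
    ("Defender", 5013): ("T1562.001", "Tamper protection blocked a settings change"),
    ("Security", 1102): ("T1562.002", "Security audit log cleared"),
    ("System", 104):    ("T1562.002", "Event log cleared"),
}

def parse_line(line):
    """Parse 'timestamp|channel|event_id|message' into a dict; None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    ts, channel, event_id, message = parts
    return {"ts": ts, "channel": channel, "event_id": int(event_id), "message": message}

def find_impair_defence_events(lines):
    """Return events that match a rule, tagged with their ATT&CK sub-technique."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than crash the whole pass
        rule = IMPAIR_DEFENCE_RULES.get((ev["channel"], ev["event_id"]))
        if rule:
            hits.append({**ev, "technique": rule[0], "why": rule[1]})
    return hits

def summarise(hits):
    """Count matches per sub-technique so an analyst sees the overall pattern."""
    return dict(Counter(h["technique"] for h in hits))

# Constructed sample export: one benign scan, then a disable-and-clean-up sequence
SAMPLE_LOG = [
    "2024-02-13T09:00:01|Defender|1001|Scan finished, no threats found",
    "2024-02-13T09:12:44|Defender|5001|Real-time protection is disabled",
    "2024-02-13T09:12:45|Defender|5010|Scanning for malware is disabled",
    "2024-02-13T09:13:02|Security|1102|The audit log was cleared",
    "malformed line without separators",
]

if __name__ == "__main__":
    for h in find_impair_defence_events(SAMPLE_LOG):
        print(h["ts"], h["technique"], h["why"])
    print(summarise(find_impair_defence_events(SAMPLE_LOG)))
```

A disable event followed within seconds by a log clear is the sequence worth alerting on as a unit, since the later event is the one that tries to erase evidence of the first.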
The 10 most commonly observed Mitre ATT&CK tactics, techniques and procedures (TTPs) seen in the Picus data are as follows:
- T1055 Process Injection – used to enhance a threat actor’s ability to remain undetected and potentially elevate their privileges by injecting malicious code into a legitimate process, thus masking what is really happening.
- T1059 Command and Scripting Interpreter – used to execute commands, scripts and binary files on the victim system, enabling threat actors to interact with the compromised system, retrieve more payloads and tools, or bypass defensive measures.
- T1562 Impair Defences – the use of hunter-killer malware, as detailed above.
- T1082 System Information Discovery – used to glean data on the compromised system, such as operating system version, kernel ID and potential vulnerabilities, by taking advantage of built-in tools.
- T1486 Data Encrypted for Impact – used by ransomware lockers and data wipers.
- T1003 OS Credential Dumping – used to obtain account logins and credentials to access other resources and systems in the victim environment.
- T1071 Application Layer Protocol – used to manipulate standard network protocols, which enables attackers to infiltrate systems and steal data by blending into normal network traffic.
- T1547 Boot or Logon Autostart Execution – used to configure system settings to automatically run programs when systems start up or users log on, with the aim of maintaining control or escalating privileges.
- T1047 Windows Management Instrumentation (WMI) – used to execute malicious commands and payloads on compromised Windows hosts by abusing WMI, the operating system’s built-in data and operations management interface.
- T1027 Obfuscated Files or Information – used to obscure the contents of a malicious file or executable in transit by encrypting, encoding or compressing it.
Ozarslan said that to combat hunter-killer malware, and to stay ahead of the other TTPs that are set to remain widely used in 2024, organisations needed to do more to validate their defences against the Mitre ATT&CK framework and, where necessary, embrace machine learning as an assistant.
The full report, which includes a wealth of detail on the most commonly observed Mitre ATT&CK techniques, can be downloaded from Picus Security.