May 17, 2023 By Jonathan Reed 4 min read

What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022.

Picus’ findings also highlighted the growing prevalence of “Swiss Army knife malware”. This type of malicious software is capable of executing a range of damaging acts throughout the entire cyber kill chain while remaining undetected by security measures.

Created by Lockheed Martin, the cyber kill chain is a comprehensive cybersecurity model charting the different phases of a cyberattack. It pinpoints weaknesses in the system and guides security teams in thwarting attacks at each stage of the chain to prevent successful infiltration.

The Picus report reveals some worrisome trends. But there are effective security solutions that can defeat even multi-purpose malware.

Not just one multi-purpose malware, but many

Picus Labs’ analysis reveals the remarkable adaptability of modern malware. According to their research, a staggering one-third of the entire sample boasts over 20 unique tactics, techniques and procedures (TTPs). Modern malware can skillfully exploit authorized software, move laterally throughout systems and encrypt files. This is a remarkable level of sophistication.

According to Picus, the advanced level of malware development is likely due to the substantial resources of well-funded ransomware syndicates. The findings also point towards the development of innovative behavior-based detection methods employed by security defenders.

“Modern malware takes many forms,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems and encrypt data.”

Malware more dangerous and versatile than ever

The Picus report reveals the growing severity of malware threats. Some key findings in the study include:

  • Multi-threat malware. The average malware can execute 11 TTPs. Nearly one-third of malware (32%) is capable of more than 20 TTPs. 10% have more than 30 TTPs.
  • Lateral movement is on the rise. Alongside common techniques of Command and Scripting Interpreter and OS Credential Dumping, cyber criminals are now exploiting new methods like Remote Services, Remote System Discovery and WMI to locate remote systems, execute commands on remote machines and procure account credentials.
  • Remote discovery and access abuse. New tactics exploit built-in tools and protocols within operating systems such as RDP, SSH, net, ping and WinRM. This enables attackers to collect information about targets, including Windows, Linux and macOS systems within a compromised network, then execute undetected lateral movement.
  • Credential dumping. As the second most prevalent technique observed, attackers acquire login and credential details from compromised machines. These can then be used to execute lateral movement, escalate privileges and gain access to restricted data. This underscores the inadequacy of traditional perimeter security measures to safeguard against attacks.
  • Legitimate tool abuse. Attackers prefer utilizing genuine tools rather than customized ones. Command and Scripting Interpreter entails misusing authentic interpreters like PowerShell, AppleScript and Unix shells to execute unauthorized commands. Other hijacked tools include utilities for Remote Services, OS Credential Dumping, System Information Discovery, WMI, Scheduled Task/Job and Remote System Discovery.

Command and Scripting Interpreter involves taking advantage of the capabilities of interpreters, which are programs designed to execute code written in a specific programming or scripting language. Since the interpreter executes the program instructions directly without the need for compilation, it makes it easier for attackers to run arbitrary code on a compromised system.

Anti-malware security efforts

Security pros aren’t backing down from the challenge of Swiss Army knife malware and other threats. Picus makes several recommendations on how to combat highly malicious malware strains. Some actions to take include:

  • Testing: As attackers persistently create new attack and evasion methods, testing ensures that security measures can identify and prevent the most recent evasive attack tactics. By optimizing security controls, organizations can enhance their overall cyber defense readiness.
  • Behavioral detection: Security teams can effectively detect authentic tool abuse through behavioral detection techniques. These identify malicious activity based on deviations from typical behavior. Instead of attempting to identify and block known static Indicators of Compromise (IOCs), behavior detection enables teams to detect attacks that escape conventional security controls.
  • Attack path identification: Mapping out attack paths offers insight into how attackers move through a network. The goal is to pinpoint the cause of breaches and prioritize security gaps that require mitigation. Organizations can develop a comprehensive understanding of the steps involved in an attack, recognize vulnerable systems and data and implement appropriate security controls.
  • Operationalize MITRE ATT&CK: This approach provides a comprehensive understanding of TTPs used by attackers. It allows organizations to focus their defensive efforts, prioritize mitigation measures and enhance their ability to detect and prevent attacks. Moreover, operationalizing MITRE ATT&CK can facilitate better collaboration and information sharing among different teams within an organization.

SIEM stops advanced malware strains

Security Information and Event Management (SIEM) is an effective methodology that responds to a variety of security demands presented by highly sophisticated malware. For example, SIEM analytics monitors threat intelligence, and network and user behavior anomalies and prioritizes where immediate attention and remediation may be needed.

With SIEM implementation, attackers trigger multiple detection analytics as they move across the network or exhibit behavior change. SIEM can track each tactic and technique, facilitating attack path mapping. Even better, SIEM can correlate, track and identify related activities throughout a kill chain with a single high-fidelity case, which can be automatically prioritized.

Additionally, when it comes to integrating data, analyzing logs and prioritizing incidents, companies can reduce incidents detected tenfold with SIEM on board. Prioritization lessens the team’s workload by pinpointing the most dangerous threats.

Malware continues to advance in its capabilities and potential to wreak havoc. But security teams have the tools and know-how at their disposal to fight back.

More from News

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy. After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today