May 17, 2023 By Jonathan Reed 4 min read

What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022.

Picus’ findings also highlighted the growing prevalence of “Swiss Army knife malware”. This type of malicious software is capable of executing a range of damaging acts throughout the entire cyber kill chain while remaining undetected by security measures.

Created by Lockheed Martin, the cyber kill chain is a model that charts the successive phases of a cyberattack, from reconnaissance through to actions on objectives. Mapping an intrusion onto the chain shows defenders where they can break it, so security teams can aim to thwart an attack at each stage before it succeeds.

The Picus report reveals some worrisome trends. But there are effective security solutions that can defeat even multi-purpose malware.

Not just one multi-purpose malware, but many

Picus Labs’ analysis shows how adaptable modern malware has become. One-third of the entire sample set exhibits more than 20 distinct tactics, techniques and procedures (TTPs): a single sample can abuse legitimate software, move laterally across systems and encrypt files, all in one package.

According to Picus, this level of malware development is most likely funded by the substantial resources of well-established ransomware syndicates. The findings also point to defenders’ growing reliance on behavior-based detection, since malware that chains so many techniques cannot be caught by matching a single static indicator.

“Modern malware takes many forms,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems and encrypt data.”

Malware more dangerous and versatile than ever

The Picus report reveals the growing severity of malware threats. Some key findings in the study include:

  • Multi-threat malware. The average malware can execute 11 TTPs. Nearly one-third of malware (32%) is capable of more than 20 TTPs. 10% have more than 30 TTPs.
  • Lateral movement is on the rise. Alongside the long-established Command and Scripting Interpreter (ATT&CK T1059) and OS Credential Dumping (T1003) techniques, attackers are increasingly using Remote Services (T1021), Remote System Discovery (T1018) and Windows Management Instrumentation (WMI, T1047) to locate remote systems, execute commands on them and harvest account credentials.
  • Remote discovery and access abuse. Rather than dropping custom tooling, attackers lean on tools and protocols that ship with the operating system, such as RDP, SSH, net, ping and WinRM, to enumerate Windows, Linux and macOS hosts inside a compromised network and then move laterally over channels that look like routine administration.
  • Credential dumping. OS Credential Dumping was the second most prevalent technique observed: attackers pull password hashes, Kerberos tickets and cached secrets from compromised machines and reuse them to move laterally, escalate privileges and reach restricted data. Because this activity rides on valid accounts, traditional perimeter controls offer little protection against it.
  • Legitimate tool abuse. Attackers prefer tools already present on the system to custom ones, because signed, built-in binaries attract less scrutiny. Command and Scripting Interpreter (T1059) covers misuse of genuine interpreters such as PowerShell, AppleScript and Unix shells to run unauthorized commands. Other abused built-ins fall under Remote Services (T1021), OS Credential Dumping (T1003), System Information Discovery (T1082), WMI (T1047), Scheduled Task/Job (T1053) and Remote System Discovery (T1018).

Command and Scripting Interpreter abuses interpreters, the programs that execute code written in a particular scripting language, such as PowerShell, cmd.exe, bash or Python. Because the interpreter runs instructions directly, an attacker never has to compile or drop a binary: a script, or a single command line (often Base64-encoded), is enough to run arbitrary code, and it runs inside a signed, trusted process that is expected to be on the system.

Anti-malware security efforts

Security pros aren’t backing down from the challenge of Swiss Army knife malware and other threats. Picus makes several recommendations on how to combat highly malicious malware strains. Some actions to take include:

  • Testing: As attackers persistently create new attack and evasion methods, testing ensures that security measures can identify and prevent the most recent evasive attack tactics. By optimizing security controls, organizations can enhance their overall cyber defense readiness.
  • Behavioral detection: Behavioral detection techniques let security teams catch legitimate tool abuse. Rather than matching known static Indicators of Compromise (IOCs) such as file hashes or IP addresses, they flag activity that deviates from how a user, host or tool normally behaves, for example a mail client spawning an encoded PowerShell command, and so catch attacks that slip past controls built on known signatures.
  • Attack path identification: Mapping out attack paths offers insight into how attackers move through a network. The goal is to pinpoint the cause of breaches and prioritize security gaps that require mitigation. Organizations can develop a comprehensive understanding of the steps involved in an attack, recognize vulnerable systems and data and implement appropriate security controls.
  • Operationalize MITRE ATT&CK: This approach provides a comprehensive understanding of TTPs used by attackers. It allows organizations to focus their defensive efforts, prioritize mitigation measures and enhance their ability to detect and prevent attacks. Moreover, operationalizing MITRE ATT&CK can facilitate better collaboration and information sharing among different teams within an organization.

SIEM stops advanced malware strains

Security Information and Event Management (SIEM) platforms address many of the demands that sophisticated malware places on a defense. SIEM analytics ingest threat intelligence, flag anomalies in network and user behavior, and prioritize where immediate attention and remediation are needed.

With a SIEM in place, attackers trip multiple detection analytics as they move across the network or change their behavior. The SIEM can record each tactic and technique as it occurs, which makes attack path mapping possible, and can correlate related activity across the whole kill chain into a single high-fidelity case that is prioritized automatically.
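As an added example, not code from the Picus report or from this article, the following Python sketch shows the behavioral-detection and single-case correlation points above at once: the rules key on what a process does (its parent and its arguments) rather than on static indicators, and the correlation step stitches the resulting detections for one account into a single prioritized case with an attack path across hosts, the way a SIEM would. The process-creation events are constructed for the example (shaped loosely like Sysmon Event ID 1); the rule patterns, the 30-minute correlation window and the scoring are our own assumptions, not anything the report specifies.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed process-creation events, shaped loosely like Sysmon Event ID 1.
# Made up for this example; not telemetry from the Picus report.
EVENTS = [
    {"ts": "2023-05-17T09:01:10", "host": "ws01", "user": "CORP\\alice", "parent": "outlook.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2023-05-17T09:03:42", "host": "ws01", "user": "CORP\\alice", "parent": "powershell.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\l.dmp full"},
    {"ts": "2023-05-17T09:05:05", "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "net.exe", "cmdline": "net view /domain"},
    {"ts": "2023-05-17T09:09:30", "host": "ws01", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "wmic.exe", "cmdline": "wmic /node:fs02 process call create \"cmd.exe /c whoami\""},
    {"ts": "2023-05-17T09:09:31", "host": "fs02", "user": "CORP\\alice", "parent": "wmiprvse.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-05-17T09:12:00", "host": "fs02", "user": "CORP\\alice", "parent": "cmd.exe",
     "image": "schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc onlogon /ru SYSTEM"},
    # Benign control: an admin's interactive PowerShell with no evasion flags. Must not fire.
    {"ts": "2023-05-17T09:15:00", "host": "ws07", "user": "CORP\\bob", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-Service -Name Spooler"},
]

def _cmd(e):
    return e["cmdline"].lower()

# Behavioural rules: (ATT&CK ID, name, tactic, predicate). Each keys on what the process
# does (parent, arguments), not on a file hash, so a renamed or recompiled sample that
# behaves the same way still matches. The patterns are our own choices for this example.
RULES = [
    ("T1059.001", "PowerShell with evasion flags", "Execution",
     lambda e: e["image"] == "powershell.exe" and re.search(
         r"(?:^|\s)-(?:e|enc|encodedcommand)\s|-w\s+hidden|downloadstring|frombase64string", _cmd(e)) is not None),
    ("T1003.001", "LSASS memory dump", "Credential Access",
     lambda e: ("minidump" in _cmd(e) and "comsvcs.dll" in _cmd(e)) or "sekurlsa" in _cmd(e)
     or (e["image"] == "procdump.exe" and "lsass" in _cmd(e))),
    ("T1018", "Remote System Discovery via net/nltest", "Discovery",
     lambda e: (e["image"] in ("net.exe", "net1.exe") and "view" in _cmd(e))
     or (e["image"] == "nltest.exe" and "/dclist" in _cmd(e))),
    # ATT&CK files WMI under Execution; the hop between hosts is surfaced at case level below.
    ("T1047", "WMI remote process creation", "Execution",
     lambda e: e["image"] == "wmic.exe" and "/node:" in _cmd(e)),
    ("T1047", "Shell spawned by WMI provider host", "Execution",
     lambda e: e["parent"] == "wmiprvse.exe" and e["image"] in ("cmd.exe", "powershell.exe")),
    ("T1053.005", "Scheduled task creation", "Persistence",
     lambda e: e["image"] == "schtasks.exe" and "/create" in _cmd(e)),
]

Detection = namedtuple("Detection", "ts host user technique name tactic")
Case = namedtuple("Case", "user steps hosts tactics techniques score")

def detect(events):
    """Run every rule over every event; one Detection per (event, rule) match."""
    hits = []
    for e in events:
        for tid, name, tactic, pred in RULES:
            if pred(e):
                hits.append(Detection(datetime.fromisoformat(e["ts"]), e["host"], e["user"], tid, name, tactic))
    return hits

def _make_case(user, steps):
    hosts = sorted({d.host for d in steps})
    tactics = sorted({d.tactic for d in steps})
    # Priority: breadth across the kill chain, plus a bonus for crossing a host boundary.
    score = len(tactics) + (2 if len(hosts) > 1 else 0)
    return Case(user, steps, hosts, tactics, sorted({d.technique for d in steps}), score)

def build_cases(detections, window_minutes=30):
    """Stitch one account's detections into a single case while each follows the
    previous one within window_minutes; a longer gap starts a new case."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.ts):
        by_user[d.user].append(d)
    cases = []
    for user, ds in by_user.items():
        current = [ds[0]]
        for d in ds[1:]:
            if d.ts - current[-1].ts <= window:
                current.append(d)
            else:
                cases.append(_make_case(user, current))
                current = [d]
        cases.append(_make_case(user, current))
    return sorted(cases, key=lambda c: c.score, reverse=True)

def attack_path(case):
    """Chronological kill-chain walk, one line per step, for the analyst's case note."""
    return [f"{d.ts:%H:%M:%S} {d.host} {d.technique} {d.tactic}: {d.name}" for d in case.steps]

if __name__ == "__main__":
    for c in build_cases(detect(EVENTS)):
        print(f"case user={c.user} score={c.score} hosts={c.hosts} tactics={c.tactics}")
        for line in attack_path(c):
            print("   ", line)
```

Run as-is, the six detections for CORP\alice collapse into one case that spans ws01 and fs02 and covers four distinct tactics, while bob's ordinary Get-Service call produces nothing. Shrinking window_minutes to 1 fragments the same activity into five separate cases, which is the point: the correlation window is as much a part of the detection as the rules themselves.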

Additionally, by integrating data sources, analyzing logs and prioritizing incidents, organizations can reduce the number of incidents that analysts must investigate by as much as tenfold. Prioritization lightens the team’s workload by surfacing the most dangerous threats first.

Malware continues to advance in its capabilities and potential to wreak havoc. But security teams have the tools and know-how at their disposal to fight back.
