What if one single malware strain could cut through any security that tried to stop it? In a new study of more than 550,000 live malware strains, the Picus Red Report 2023 has unveiled a trove of over 5 million malicious activities. In the report, researchers identified the top tactics utilized by cyber criminals in 2022.

Picus’ findings also highlighted the growing prevalence of “Swiss Army knife malware”. This type of malicious software is capable of executing a range of damaging acts throughout the entire cyber kill chain while remaining undetected by security measures.

Created by Lockheed Martin, the cyber kill chain is a comprehensive cybersecurity model charting the different phases of a cyberattack. It pinpoints weaknesses in the system and guides security teams in thwarting attacks at each stage of the chain to prevent successful infiltration.

The Picus report reveals some worrisome trends. But there are effective security solutions that can defeat even multi-purpose malware.

Not Just One Multi-Purpose Malware, But Many

Picus Labs’ analysis reveals the remarkable adaptability of modern malware. According to their research, a staggering one-third of the entire sample boasts over 20 unique tactics, techniques and procedures (TTPs). Modern malware can skillfully exploit authorized software, move laterally throughout systems and encrypt files. This is a remarkable level of sophistication.

According to Picus, the advanced level of malware development is likely due to the substantial resources of well-funded ransomware syndicates. The findings also point towards the development of innovative behavior-based detection methods employed by security defenders.

“Modern malware takes many forms,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems and encrypt data.”

Malware More Dangerous and Versatile Than Ever

The Picus report reveals the growing severity of malware threats. Some key findings in the study include:

  • Multi-threat malware. The average malware can execute 11 TTPs. Nearly one-third of malware (32%) is capable of more than 20 TTPs. 10% have more than 30 TTPs.
  • Lateral movement is on the rise. Alongside common techniques of Command and Scripting Interpreter and OS Credential Dumping, cyber criminals are now exploiting new methods like Remote Services, Remote System Discovery and WMI to locate remote systems, execute commands on remote machines and procure account credentials.
  • Remote discovery and access abuse. New tactics exploit built-in tools and protocols within operating systems such as RDP, SSH, net, ping and WinRM. This enables attackers to collect information about targets, including Windows, Linux and macOS systems within a compromised network, then execute undetected lateral movement.
  • Credential dumping. As the second most prevalent technique observed, attackers acquire login and credential details from compromised machines. These can then be used to execute lateral movement, escalate privileges and gain access to restricted data. This underscores the inadequacy of traditional perimeter security measures to safeguard against attacks.
  • Legitimate tool abuse. Attackers prefer utilizing genuine tools rather than customized ones. Command and Scripting Interpreter entails misusing authentic interpreters like PowerShell, AppleScript and Unix shells to execute unauthorized commands. Other hijacked tools include utilities for Remote Services, OS Credential Dumping, System Information Discovery, WMI, Scheduled Task/Job and Remote System Discovery.

Command and Scripting Interpreter involves taking advantage of the capabilities of interpreters, which are programs designed to execute code written in a specific programming or scripting language. Since the interpreter executes the program instructions directly without the need for compilation, it makes it easier for attackers to run arbitrary code on a compromised system.

Anti-Malware Security Efforts

Security pros aren’t backing down from the challenge of Swiss Army knife malware and other threats. Picus makes several recommendations on how to combat highly malicious malware strains. Some actions to take include:

  • Testing: As attackers persistently create new attack and evasion methods, testing ensures that security measures can identify and prevent the most recent evasive attack tactics. By optimizing security controls, organizations can enhance their overall cyber defense readiness.
  • Behavioral detection: Security teams can effectively detect authentic tool abuse through behavioral detection techniques. These identify malicious activity based on deviations from typical behavior. Instead of attempting to identify and block known static Indicators of Compromise (IOCs), behavior detection enables teams to detect attacks that escape conventional security controls.
  • Attack path identification: Mapping out attack paths offers insight into how attackers move through a network. The goal is to pinpoint the cause of breaches and prioritize security gaps that require mitigation. Organizations can develop a comprehensive understanding of the steps involved in an attack, recognize vulnerable systems and data and implement appropriate security controls.
  • Operationalize MITRE ATT&CK: This approach provides a comprehensive understanding of TTPs used by attackers. It allows organizations to focus their defensive efforts, prioritize mitigation measures and enhance their ability to detect and prevent attacks. Moreover, operationalizing MITRE ATT&CK can facilitate better collaboration and information sharing among different teams within an organization.

SIEM Stops Advanced Malware Strains

Security Information and Event Management (SIEM) is an effective methodology that responds to a variety of security demands presented by highly sophisticated malware. For example, SIEM analytics monitors threat intelligence alongside network and user behavior anomalies, and prioritizes where immediate attention and remediation may be needed.

With SIEM implementation, attackers trigger multiple detection analytics as they move across the network or change their behavior. SIEM can track each tactic and technique, facilitating attack path mapping. Even better, SIEM can correlate, track and identify related activities throughout a kill chain in a single high-fidelity case, which can be automatically prioritized.
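To make the correlation idea concrete, here is an added example (not code from Picus, IBM or the report) that stitches per-host behavioral detections into kill-chain cases and ranks them. The hostnames, timestamps and rule descriptions are constructed; the ATT&CK technique IDs are MITRE's standard ones for the techniques the report names.

```python
from datetime import datetime, timedelta

# Constructed detections, each already mapped by a behavioral rule to an
# ATT&CK tactic and technique: (timestamp, host, tactic, technique, detail).
DETECTIONS = [
    ("2023-03-01T09:00:05", "ws-17", "Execution",         "T1059", "PowerShell launched with encoded command"),
    ("2023-03-01T09:02:40", "ws-17", "Discovery",         "T1082", "systeminfo run as PowerShell child"),
    ("2023-03-01T09:05:12", "ws-17", "Credential Access", "T1003", "LSASS memory read by non-system process"),
    ("2023-03-01T09:09:30", "ws-17", "Discovery",         "T1018", "net view and ping sweep across subnet"),
    ("2023-03-01T09:15:01", "ws-17", "Lateral Movement",  "T1021", "new RDP session to srv-db-02"),
    ("2023-03-01T11:40:00", "ws-03", "Execution",         "T1059", "admin ran maintenance script"),
    ("2023-03-01T14:20:00", "ws-22", "Execution",         "T1047", "WMI process create from remote host"),
    ("2023-03-01T14:21:10", "ws-22", "Persistence",       "T1053", "scheduled task created"),
]

def build_cases(detections, window_minutes=60):
    """Correlate detections into cases: a detection joins the host's open case
    if it lands within window_minutes of the previous one, else a new case opens."""
    window = timedelta(minutes=window_minutes)
    cases, open_case = [], {}
    for ts, host, tactic, technique, detail in sorted(detections):  # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        case = open_case.get(host)
        if case is None or t - case["last"] > window:
            case = {"host": host, "first": t, "last": t, "tactics": set(),
                    "techniques": set(), "events": []}
            cases.append(case)
            open_case[host] = case
        case["last"] = t
        case["tactics"].add(tactic)
        case["techniques"].add(technique)
        case["events"].append((ts, technique, detail))
    return cases

def score(case):
    """Distinct kill-chain stages weigh more than repeats of one technique; the
    credential-dumping-then-lateral-movement chain the report warns about is boosted."""
    s = 10 * len(case["tactics"]) + 2 * len(case["techniques"])
    if {"Credential Access", "Lateral Movement"} <= case["tactics"]:
        s += 25
    return s

def prioritize(detections, window_minutes=60):
    """Cases ordered for analyst attention, highest score first."""
    return sorted(build_cases(detections, window_minutes), key=score, reverse=True)

if __name__ == "__main__":
    for c in prioritize(DETECTIONS):
        print(f'{c["host"]}: score={score(c)} tactics={sorted(c["tactics"])}')
```

Shrinking the window splits a host's activity into separate, lower-scoring cases, which is the trade-off a SIEM tuner makes between fidelity and missed links.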

Additionally, when it comes to integrating data, analyzing logs and prioritizing incidents, companies can reduce incidents detected tenfold with SIEM on board. Prioritization lessens the team’s workload by pinpointing the most dangerous threats.

Malware continues to advance in its capabilities and potential to wreak havoc. But security teams have the tools and know-how at their disposal to fight back.
