Wouldn’t it be nice if life were like a movie where we had the rugged handsomeness of a neo-noir hero, it was easy to tell the good guys from the bad and malware announced itself as soon as it entered your network? Alas, cyberattacks don’t reveal themselves in blaring lines of identifiable code that ignite a room of perfectly coifed forensics analysts into action. Well, the last part is true with enough money and enough concern, but the first part is sheer Hollywood fiction.

Crippling malcode now lies in wait: a dormant dweller that you’ll never be able to identify without smart (not well-coifed) IT professionals and analytic algorithms that expect the unexpected. Remember the “Blade Runner” Replicants of the far-off future, with androids becoming more than machine? They were so sophisticated that Harrison Ford’s Deckard could only see behind the veil by breaking down the very root of the being’s logic and semblance of awareness with a sophisticated bio-response lie detector. Malware is smart, and it’s getting Replicant-smarter every day.

But you can be a Deckard in days with the right endpoint protection.

We’ve Seen Things You Wouldn’t Believe

The security researchers at IBM X-Force have seen a multitude of malware samples. With 270 million monitored endpoints sending in data, that’s a lot of malcode to wade through. Although there are many variants, advanced persistent threats (APTs) share some common traits.

Successful malware is highly evasive. It can remain stealthy on the machine for long periods of time until certain criteria are met, using sophisticated techniques to bypass detection. It is not engineered to stroll into a noodle bar and announce itself in Cityspeak; rather, it sidles into the network through vectors such as sophisticated phishing or social engineering schemes. For advanced malware that is massively distributed, the threats are even greater: off-the-shelf malware campaigns can be purchased by attackers with a comprehensive menu of functions and repurposable config files.

These new capabilities use a mix of techniques that can include keystroke logging, RAM scraping, browser hooking to capture one-time passwords (OTPs), man-in-the-browser capabilities, dynamic web injection, persistent rootkits and even virtual network computing (VNC) to launch a connection to the target site from an infected machine. These APT kits are made to be reusable and adaptable to the target environment.

The Voight-Kampff for Advanced Malware

Since real-life malcode doesn’t announce itself with distinguishing red lettering on your screen like in the movies, you have to watch for more subtle signs, or the equivalent of bio-response micro-tells. Here are a few things to watch for that may indicate an endpoint has been infected:

  • Sluggish performance: Even with no resource-heavy applications running, random system crashes or constantly churning CPUs can be a sign of infection. If you also hear the CPU fan running at full speed for sustained periods as soon as the computer is booted, it is another indication of potential compromise.
  • Unexpected email activity: Perhaps your emails are being received or sent erratically, colleagues tell you they received emails from you that you did not send, or you are getting out-of-office notices for emails you did not send. It’s possible your email password was stolen or your system was infiltrated.
  • Strange windows or messages: If programs are starting or stopping without your intervention, you’re getting notification pop-ups like a sea of billboards in a dystopian future, new programs are attempting to access the Internet or you open a PDF and it instantly disappears, you could be infected with malcode.
  • Sudden endpoint protection disablement: Advanced malware will often disable traditional antivirus protection to save itself from certain death. If you notice your antivirus or endpoint protection is suddenly disabled, this is most certainly a sign of trouble.
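The four signs above can be turned into a simple triage rule set. The following is an added example, not code from the original post or from IBM; it runs rule-based checks over constructed per-host telemetry (the field names and thresholds are assumptions, not a real EDR schema) and reports which indicators a host trips.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class EndpointTelemetry:
    """Constructed per-host telemetry; field names are assumptions, not a real EDR schema."""
    idle_cpu_samples: List[float]          # CPU % sampled once a minute with no user workload running
    sent_mail_not_authored: int            # messages sent from the mailbox the user says they never wrote
    unsolicited_process_starts: List[str]  # processes that launched (or vanished) with no user action
    new_binaries_with_network: List[str]   # never-before-seen binaries opening Internet connections
    av_service_running: bool               # endpoint protection service reported as running
    av_disable_authorized: bool = False    # True only when a change ticket covers the disablement


def sustained_high_cpu(samples: List[float], threshold: float = 85.0, window: int = 10) -> bool:
    """True if `window` consecutive samples all exceed `threshold` (fan pinned, nothing running)."""
    run = 0
    for value in samples:
        run = run + 1 if value > threshold else 0
        if run >= window:
            return True
    return False


def assess_endpoint(t: EndpointTelemetry) -> List[str]:
    """Return the indicators from the list above that this host's telemetry trips."""
    findings = []
    if sustained_high_cpu(t.idle_cpu_samples):
        findings.append("sluggish_performance")
    if t.sent_mail_not_authored > 0:
        findings.append("unexpected_email_activity")
    if t.unsolicited_process_starts or t.new_binaries_with_network:
        findings.append("strange_windows_or_messages")
    if not t.av_service_running and not t.av_disable_authorized:
        findings.append("endpoint_protection_disabled")
    return findings


# Constructed sample: an idle workstation pinned at 97% CPU for a quarter of an hour, a reader
# helper that appeared on its own, and the AV service stopped without an authorizing ticket.
SUSPECT = EndpointTelemetry(
    idle_cpu_samples=[12.0, 9.5] + [97.0] * 15 + [11.0],
    sent_mail_not_authored=0,
    unsolicited_process_starts=["reader_helper.exe"],  # constructed name
    new_binaries_with_network=[],
    av_service_running=False,
)
# Constructed sample: a healthy host with one short CPU spike and protection running.
CLEAN = EndpointTelemetry([8.0, 15.0, 90.0, 10.0], 0, [], [], True)
```

A single CPU spike does not trip the first rule; only a sustained run does, and an authorized AV disablement is deliberately not flagged.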

Do Hackers Dream of Electric Sheep?

Recently, the security researchers at IBM Security X-Force have discovered several particularly potent malware samples in the wild, including the Tinba Trojan and new variants of Dyre. The creators of this type of malcode work together in an ecosystem, collaborating on penetration and evasion strategies to maximize their investment in the code creation. Their best hope is to lull the target system into a sense of complacency — to be the virtual wolf in electric sheep’s clothing, waiting for the right time to expand and gather sensitive data.

Although potentially highly entertaining, the “Hollywood O/S” does not exist. Clumsy malware does not last long in the wild, and we are left to fight insidious malcode that snakes through networks and hides itself in plain sight like a Nexus-6 replicant. There is no four-year expiration date on this code either, as it continues to be reinvented, reinvigorated and rebuilt to attack more and better targets.

Advanced malware protection solutions can help stop exploits by focusing on and stopping the behavior of malware. By blocking malicious communication channels between the malware and the attacker, stopping anomalous activity caused by exploits and protecting credentials against reuse or submission on phishing sites, these solutions can help stop attackers from stealing your data.

To learn more about advanced malware protection, watch this video from IBM Security Trusteer Apex — flying cars sold separately.
