Adaptable ‘Swiss Army Knife’ Malware a Growing Threat

There is a worrying rise in multipurpose malware, which can perform a variety of malicious actions and is adept at evasion, lateral movement and data encryption.

These were among the findings of a report from Picus, a security company specializing in simulating the attacks of cybercriminal gangs, which analyzed more than 550,000 real-world malware samples.

The versatility of so-called ‘Swiss Army knife’ malware means it can adapt its behavior in response to different IT environments and security controls.

“The polymorphic nature of the latest malware means that many of the strains analyzed as part of the report would be hard to detect using static indicators of compromise alone,” explained Picus co-founder Dr. Suleyman Ozarslan.

He explained that last year there was a significant spike in malware capable of performing techniques designed to aid lateral movement.

The survey also found the average malware leverages 11 tactics, techniques and procedures (TTPs). Roughly a third (32%) of malware leverages more than 20 TTPs and a tenth leverages more than 30 TTPs.

Meanwhile, techniques such as credential dumping help attackers perform enumeration and harvesting activities in organizations’ networks, enabling them to compromise user accounts and systems to reach their objectives.

“Upon obtaining initial access to an organization’s network, attackers will typically target high-value assets such as an Active Directory,” Ozarslan said. “Lateral movement techniques help them to reach their goals and increase the impact of their attacks.”

The sophistication of some of these lateral movement techniques demonstrated the effect that organized crime and nation-state groups have on the overall threat landscape.

“Only highly resourced and highly skilled attackers are capable of developing some of the techniques now widely in use,” he cautioned.

Mike Parkin, senior technical engineer at Vulcan Cyber, agreed that modern malware is more sophisticated, more tenacious and more difficult to detect and remove than it was in the past.

“Honestly, it comes as no surprise and is not even new,” he said, noting that a couple of decades ago, botnets made up of infected computers on Internet Relay Chat (IRC) were multifunctional and could be used as file servers, malware hubs, DDoS tools and spam relays.

“The details have changed over the years, and bot herders don’t use IRC for command and control anymore, but the capability has only improved,” he said.

Parkin noted that it is hard to manage risk without a solid understanding of the environment and the threat surfaces it presents.

“Cybersecurity leaders need to understand what’s in their space so they can know what needs to be protected before they focus on how to protect it,” he said.

Phil Neray, vice president of cyber defense strategy at CardinalOps, said from his perspective, it’s not surprising that adversaries are investing time and resources to develop sophisticated, Swiss Army knife-style frameworks rather than point solutions.

He pointed to the MITRE ATT&CK framework, which describes the multiple steps executed by adversaries to compromise an organization—gaining initial access, elevating privileges, moving laterally, and encrypting data with ransomware—so multipurpose malware is more effective because it can execute multiple stages of this complex kill chain.

“Organizations should protect themselves by measuring their detective posture versus these various adversary behaviors, so they can continuously identify coverage gaps and eliminate them based on the adversary techniques and APTs most relevant to their environments and business priorities,” he advised.
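The coverage-gap exercise Neray describes can be made concrete: map each detection rule to the ATT&CK technique IDs it covers, count how often each technique appears across observed malware samples, and rank the uncovered techniques by prevalence. The script below is an added illustration written for this article, not code from Picus, CardinalOps or the report; the technique IDs are real ATT&CK identifiers, but the sample-to-technique mapping and the rule inventory are constructed placeholders.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data (not from the Picus report): each entry is one malware
# sample's observed ATT&CK technique IDs. The IDs are real ATT&CK identifiers
# (T1003 OS Credential Dumping, T1021 Remote Services, T1027 Obfuscated Files or
# Information, T1059 Command and Scripting Interpreter, T1078 Valid Accounts,
# T1486 Data Encrypted for Impact); the per-sample lists are invented.
SAMPLE_TTPS: Dict[str, List[str]] = {
    "sample-a": ["T1027", "T1003", "T1021", "T1486", "T1059"],
    "sample-b": ["T1027", "T1003", "T1021", "T1078"],
    "sample-c": ["T1027", "T1059", "T1486"],
    "sample-d": ["T1003", "T1021", "T1078", "T1059"],
}

# Constructed detection inventory: rule name -> technique IDs the rule is meant to
# cover. Rule names are placeholders, not a real product's rule set.
DETECTION_RULES: Dict[str, List[str]] = {
    "lsass-handle-access": ["T1003"],
    "ransomware-mass-rename": ["T1486"],
    "suspicious-powershell": ["T1059"],
}


def technique_prevalence(samples: Dict[str, List[str]]) -> Counter:
    """Number of samples in which each technique appears (counted once per sample)."""
    counts: Counter = Counter()
    for ttps in samples.values():
        counts.update(set(ttps))
    return counts


def covered_techniques(rules: Dict[str, List[str]]) -> set:
    """Every technique ID that at least one detection rule claims to cover."""
    return {tid for ids in rules.values() for tid in ids}


def coverage_gaps(samples: Dict[str, List[str]],
                  rules: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Observed techniques with no detection rule, most prevalent first."""
    prevalence = technique_prevalence(samples)
    covered = covered_techniques(rules)
    gaps = [(tid, n) for tid, n in prevalence.items() if tid not in covered]
    # Sort by descending prevalence, then by ID so the order is deterministic.
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def coverage_ratio(samples: Dict[str, List[str]],
                   rules: Dict[str, List[str]]) -> float:
    """Fraction of distinct observed techniques that have at least one rule."""
    prevalence = technique_prevalence(samples)
    covered = covered_techniques(rules)
    return len(covered & prevalence.keys()) / len(prevalence)


def average_ttps_per_sample(samples: Dict[str, List[str]]) -> float:
    """Mean number of distinct techniques per sample (the report's '11 TTPs' style metric)."""
    return sum(len(set(t)) for t in samples.values()) / len(samples)


if __name__ == "__main__":
    print(f"average TTPs per sample: {average_ttps_per_sample(SAMPLE_TTPS):.1f}")
    print(f"technique coverage: {coverage_ratio(SAMPLE_TTPS, DETECTION_RULES):.0%}")
    for tid, n in coverage_gaps(SAMPLE_TTPS, DETECTION_RULES):
        print(f"gap: {tid} seen in {n} sample(s), no detection rule")
```

Ranking gaps by how many samples exhibit the technique is what turns a static rule inventory into a prioritized backlog: in the constructed data, lateral movement via remote services (T1021) and obfuscation (T1027) are the most common uncovered behaviors, so they would be the first detections to build or validate.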

Parkin said it’s difficult to predict where the back and forth between malware authors and cybersecurity professionals will go at any given time.

“We’re apt to see more versatile malware toolkits, but we’re also likely to see, or, what’s more worrisome, miss, small, lightweight, focused malware that serves very specific functions,” he said. “It also seems like we will see threat actors leveraging more machine learning techniques both in their initial attack vectors and in their development of evasive malware.”

He added that IT security professionals need to do a better job of deploying and maintaining applications following industry best practices and making sure their users are trained to be part of the solution rather than the main attack surface.

Ozarslan said that, to evade defenders, malware will continue to increase in complexity and capability, which means the trends seen today are likely to continue.

“To be proactive, a continuous approach to validation is now needed,” he said. “Manual, periodic security testing doesn’t enable security teams to identify and respond to modern threats quickly enough.”

He added that security teams are routinely overworked and under-resourced.

“They need solutions to both alleviate and help prioritize their workload so that they can focus their attention on defending against the attack techniques that will best impact their overall cybersecurity resilience,” Ozarslan said.


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
