
We already know the security industry witnessed several significant ransomware attacks in 2017. Some of these campaigns derived at least part of their success from recent developments among malware families more generally. These trends will no doubt continue to shape bad actors’ offensives and how defenders can hope to protect against them in 2018.

Digital security startup Minerva Labs has identified three trends in particular that emerged in 2017 and that will likely influence malware attacks into the coming year. These are as follows:

1. Evasive Techniques

Evasive techniques are nothing new among malware samples. Neither are malware campaigns driven by exploit kits. However, the two aren’t usually studied in relation to one another.

[Figure: Minerva Labs Research Report: 2017 Year in Review, page 5]

To rectify that issue, Minerva Labs decided to examine the extent to which exploit kit attacks in 2017 leveraged evasive techniques. Its researchers identified a total of 74 infection paths consisting of two stages, an exploit kit and a resulting payload. Of those infection paths, Minerva found that 86% were evasive at the exploit kit stage and could have been prevented there. It arrived at approximately the same figure (eighty-five percent) for those paths’ payloads.

In total, the digital security firm found that 99% of all infection paths were evasive in either their exploit kits or their payloads, with three quarters leveraging evasion in both stages. The paths led to all kinds of payloads, with ransomware standing out. Most of the crypto-malware families detected by Minerva used at least one evasive technique. Close to half (forty-eight percent) relied on memory injection tactics. Meanwhile, other families used malicious Office files and environment tests at 28% and 24%, respectively.

2. Defenders’ Hope for Vaccination

Many malware families are designed to avoid infecting the same endpoint more than once. With that objective in mind, bad actors program their software to create an infection marker such as a registry key, file, or mutex object on a compromised asset. If the malware finds that marker on an endpoint, it will terminate without executing.

As confirmed by Minerva Labs, defenders can use those infection markers to “vaccinate” their endpoints against popular malware families. This strategy holds up against ransomware including Spora, which creates a mutex object derived from the infected computer’s volume serial number, and even WannaCry, a family which researchers found could be stopped using security researcher Marcus Hutchins’ killswitch domain or a mutex called “MsWinZonesCacheCounterMutexA.” It also works with destructive software like NotPetya, a wiper which looks for a file called “c:\windows\perfc.dat” before getting to work on a machine.
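The two markers the article names for WannaCry and NotPetya can be planted by a defender. The following PowerShell is an added example, not code from the article or from Minerva Labs, and it assumes the marker values exactly as stated above (the bare mutex name and the perfc.dat path); the Spora mutex is omitted because the page does not give the formula that derives it from the volume serial number. The functions Install-FileVaccine, Test-MutexPresent and Start-MutexVaccine are names chosen for this example.

```powershell
# Added example (not from the article or the Minerva Labs report): "vaccinate" a
# Windows endpoint with the two infection markers named in the text.
# Run elevated. Marker values are taken verbatim from the article.
#Requires -RunAsAdministrator

$NotPetyaMarker = 'C:\Windows\perfc.dat'           # file NotPetya checks for, per the article
$WannaCryMutex  = 'MsWinZonesCacheCounterMutexA'    # mutex WannaCry checks for, per the article

function Install-FileVaccine {
    param([Parameter(Mandatory)][string]$Path)
    # An empty, read-only file suffices: the malware only tests for existence.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    return (Test-Path -LiteralPath $Path)
}

function Test-MutexPresent {
    param([Parameter(Mandatory)][string]$Name)
    # OpenExisting throws when no process currently holds a mutex of that name.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
}

function Start-MutexVaccine {
    param([Parameter(Mandatory)][string]$Name)
    # A named mutex exists only while some process holds a handle to it, so this
    # function blocks and keeps the handle open. Launch it from a scheduled task
    # or service that starts at boot; once this process exits the vaccine is gone.
    # Note: names without a 'Global\' prefix are scoped to the current session;
    # the article gives the bare name, which is used here as-is.
    $created = $false
    $mutex = [System.Threading.Mutex]::new($true, $Name, [ref]$created)
    if (-not $created) {
        Write-Warning "Mutex '$Name' already exists; another holder created it. Investigate before assuming it is benign."
        $mutex.Dispose()
        return
    }
    Write-Host "Holding mutex '$Name'. Press Ctrl+C to release."
    try {
        while ($true) { Start-Sleep -Seconds 60 }
    } finally {
        $mutex.ReleaseMutex()
        $mutex.Dispose()
    }
}

# --- usage ---
if (Install-FileVaccine -Path $NotPetyaMarker) {
    Write-Host "File vaccine in place: $NotPetyaMarker"
}
if (Test-MutexPresent -Name $WannaCryMutex) {
    Write-Host "Mutex '$WannaCryMutex' is already present on this host."
} else {
    Start-MutexVaccine -Name $WannaCryMutex
}
```

The file vaccine is durable; the mutex vaccine is not, which is why Start-MutexVaccine is written to be kept alive by a service or scheduled task rather than run once. Test-MutexPresent doubles as a detection check: if the mutex is present and nothing of yours is holding it, that is worth an incident-response look rather than reassurance.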

3. The Rise of Cryptomining Malware

2017 saw the proliferation, for various reasons, of cryptomining malware, or malicious software which surreptitiously mines for Monero and other cryptocurrencies. Minerva Labs found that attackers have turned to these tools to attract comparatively less attention from law enforcement and anti-fraud professionals while enjoying a high level of anonymity and ease of cashing out illicit gains. Indeed, these factors led attackers to victimize 1.65 million users in the first nine months of 2017 with malware that consumed their machines’ CPU, drove up power consumption (and possibly cloud service payments), and in some cases accompanied other digital threats.

Some notable examples stand out:

  • PhotoMiner spreads laterally on networks while collecting credentials for servers, trojanizing files stored on them, infecting users, collecting new information about pivoting servers, and on and on.
  • SnatchLoader is a typical downloader that added a cryptomining module in 2017. It’s likely this malware will be the first of many to do so.
  • CoinHive earned sixth place on Check Point’s top 10 malware list for October 2017.

Organizations can defend against cryptomining malware by monitoring ports that are commonly associated with cryptomining traffic, monitoring for unknown processes consuming excessive CPU, and implementing anti-evasion measures on their endpoints.
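The two host-side checks in that sentence can be combined into a single triage pass. The PowerShell below is an added example, not code from the article or from Minerva Labs. The port list, the CPU threshold and the sample window are assumptions to be tuned locally (the ports are ones commonly seen for Stratum mining pools, not a list the article provides), and "unknown" is approximated as "not carrying a valid Authenticode signature".

```powershell
# Added example (not from the article or the Minerva Labs report): one-shot
# triage implementing "watch mining ports" and "watch unknown high-CPU processes".
# ASSUMPTIONS: $MiningPorts, $CpuThreshold and $SampleSeconds are placeholders to tune.

$MiningPorts   = @(3333, 4444, 5555, 7777, 14444)  # ASSUMPTION: common Stratum pool ports
$CpuThreshold  = 50                                # ASSUMPTION: percent of one core, sustained
$SampleSeconds = 10

function Get-HighCpuProcesses {
    param([int]$Threshold = $CpuThreshold, [int]$Seconds = $SampleSeconds)
    # Sample total CPU time twice and turn the delta into a per-core percentage;
    # a single Get-Process snapshot only gives lifetime CPU, which misleads.
    $cores  = [Environment]::ProcessorCount
    $before = @{}
    Get-Process | ForEach-Object { $before[[int]$_.Id] = $_.TotalProcessorTime.TotalSeconds }
    Start-Sleep -Seconds $Seconds
    Get-Process | ForEach-Object {
        $id = [int]$_.Id
        if ($before.ContainsKey($id)) {
            $delta = $_.TotalProcessorTime.TotalSeconds - $before[$id]
            $pct   = [math]::Round(100 * $delta / ($Seconds * $cores), 1)
            if ($pct -ge $Threshold) {
                [pscustomobject]@{ Id = $id; Name = $_.Name; CpuPercent = $pct; Path = $_.Path }
            }
        }
    }
}

function Get-MiningPortConnections {
    param([int[]]$Ports = $MiningPorts)
    # Established TCP sessions whose remote port is on the watch list, joined to the owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.RemotePort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Id     = [int]$_.OwningProcess
                Name   = $p.Name
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                Path   = $p.Path
            }
        }
}

function Test-UnsignedOrUnknown {
    param([string]$Path)
    # No path means a system/kernel process we cannot inspect; treat it as not flagged.
    if (-not $Path) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    return ($null -eq $sig -or $sig.Status -ne 'Valid')
}

# --- usage: build one row per suspect process and show why it was flagged ---
$hot  = @(Get-HighCpuProcesses)
$conn = @(Get-MiningPortConnections)
$suspects = ($hot + $conn) | Group-Object -Property Id | ForEach-Object {
    $first = $_.Group[0]
    $id    = [int]$_.Name
    [pscustomobject]@{
        Id         = $id
        Name       = $first.Name
        HighCpu    = [bool]($hot  | Where-Object Id -eq $id)
        MiningPort = [bool]($conn | Where-Object Id -eq $id)
        Unsigned   = Test-UnsignedOrUnknown -Path $first.Path
        Path       = $first.Path
    }
}
$suspects |
    Sort-Object -Property @{Expression = 'MiningPort'; Descending = $true},
                          @{Expression = 'HighCpu';    Descending = $true} |
    Format-Table -AutoSize
```

A process that appears with all three flags set (high CPU, a connection to a watched port, and no valid signature) is the strongest candidate; a signed browser with high CPU alone is usually noise, which is why the three signals are kept as separate columns rather than collapsed into one score.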

Looking Ahead to 2018

Given the trends above, Minerva Labs thinks 2018 will be a busy year. That goes for defenders just as much as it does for attackers. As the security firm explains:

Enterprise defenders won’t stand still when faced with continually-evolving threats. They will continue to invest into additional methods for safeguarding critical IT components, be they internal servers and workstations, IoT devices or BYOD systems. In addition, incident response teams will look for ways to more actively combat malicious presence in the enterprise, going beyond the practice of merely identifying which systems might have been compromised. Such steps might entail misdirecting or slowing down adversaries and their tools. A related example might involve vaccinating systems against specific malware families, “persuading” malware that it’s already on the system to prevent the infection in the first place.

To learn how Tripwire’s solutions can help protect your organization against evolving malware families and other digital threats into 2017 and beyond, click here.