Experts Warn of Surge in Multipurpose Malware


Security researchers have warned that a growing number of versatile malware variants are capable of performing multiple malicious actions across the cyber kill chain.

Picus Security compiled its Red Report 2023 by analyzing over 500,000 malware samples last year, identifying their tactics, techniques and procedures (TTPs) and extracting over 5.3 million “actions.”

The vendor then mapped these actions to MITRE ATT&CK techniques.

The report revealed that the average malware variant now leverages 11 TTPs or nine MITRE ATT&CK techniques. Nearly one third (32%) use more than 20 TTPs, and one in 10 leverage over 30 TTPs, according to the report.

“Modern malware takes many forms. Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision,” explained Picus Security co-founder, Suleyman Ozarslan.

“Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems and encrypt data.”

Highlighting the focus for many threat actors today, Picus found that 40% of the most prevalent MITRE ATT&CK techniques it identified were used to help with lateral movement.

These included tried-and-tested techniques such as Command and Scripting Interpreter (T1059) and OS Credential Dumping (T1003), and newer entrants to the list such as Remote Services (T1021), Remote System Discovery (T1018) and Windows Management Instrumentation (T1047).

The most common technique in the report's top 10 list was Command and Scripting Interpreter (T1059), which involves the abuse of legitimate interpreters such as PowerShell, AppleScript and Unix shells to execute arbitrary commands. This highlights how attackers favor legitimate tools already present on the target, rather than custom-developed ones, Picus said.

Second on the list was OS Credential Dumping (T1003), which attackers use to hijack accounts and move laterally. Third came Data Encrypted for Impact (T1486), which reveals the continued threat posed by ransomware.
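The report's method (sandbox "actions" mapped to MITRE ATT&CK techniques, then per-sample TTP counts and cross-sample prevalence) and the top-ranked techniques named above, shown together as an added example; this is not code from the article or from Picus Security's tooling. The rule regexes, the sample names and the action lines are constructed for illustration, the TTP-per-sample threshold is an arbitrary parameter, and only the ATT&CK IDs are the real identifiers for the techniques the article names.

```python
"""Map sandbox-style "actions" to MITRE ATT&CK (sub-)technique IDs, then compute
per-sample TTP counts and cross-sample technique prevalence, in the spirit of the
Red Report methodology. Example code, not Picus Security's tooling; the rules and
the sample actions below are constructed for illustration."""
import re
from collections import Counter
from statistics import mean

# Detection rules: (regex over one action line, ATT&CK sub-technique/technique ID).
# The IDs are real ATT&CK identifiers; the patterns are simplified heuristics.
RULES = [
    (r"powershell(\.exe)?\b.*\s-(enc|encodedcommand|e)\b", "T1059.001"),  # PowerShell, encoded command
    (r"\bcmd(\.exe)?\s+/c\b", "T1059.003"),                                # Windows command shell
    (r"procdump.*lsass|comsvcs\.dll.*MiniDump|sekurlsa", "T1003.001"),     # LSASS memory dump
    (r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", "T1047"),           # WMI remote process creation
    (r"\bnet(\.exe)?\s+view\b", "T1018"),                                  # remote system discovery
    (r"psexec|\bnet(\.exe)?\s+use\s+\\\\", "T1021.002"),                   # SMB/admin shares
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490"),                     # shadow copy deletion
    (r"^file:.*\.(locked|encrypted)$", "T1486"),                           # encrypted-file extensions
]
COMPILED = [(re.compile(p, re.I), tid) for p, tid in RULES]


def map_actions(actions):
    """Return the sorted set of ATT&CK IDs whose rule matches at least one action."""
    hits = set()
    for action in actions:
        for rx, tid in COMPILED:
            if rx.search(action):
                hits.add(tid)
    return sorted(hits)


def technique_of(ttp_id):
    """Collapse a sub-technique ID (T1059.001) to its parent technique (T1059)."""
    return ttp_id.split(".")[0]


def summarize(samples, threshold=3):
    """Per-sample counts plus fleet-wide stats for a {name: [actions]} mapping.

    'ttps' counts distinct (sub-)technique IDs per sample; 'techniques' collapses
    them to parent techniques, which is why the two numbers differ for one sample."""
    per_sample = {name: map_actions(acts) for name, acts in samples.items()}
    ttp_counts = {n: len(ids) for n, ids in per_sample.items()}
    tech_counts = {n: len({technique_of(t) for t in ids}) for n, ids in per_sample.items()}
    # Prevalence counts each technique once per sample, so one noisy sample cannot skew it.
    prevalence = Counter(tech for ids in per_sample.values()
                         for tech in {technique_of(t) for t in ids})
    return {
        "ttps": ttp_counts,
        "techniques": tech_counts,
        "mean_ttps": mean(ttp_counts.values()),
        "share_over_threshold": sum(c > threshold for c in ttp_counts.values()) / len(ttp_counts),
        "prevalence": prevalence.most_common(),
    }


# Constructed sandbox traces (not real telemetry), one list of actions per sample.
SAMPLES = {
    "ransomware_a": [
        r"process: cmd.exe /c vssadmin.exe delete shadows /all /quiet",
        r"process: powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A",
        r"process: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\temp\l.dmp full",
        r"process: net.exe view /domain",
        r"process: net.exe use \\FS01\C$ /user:corp\svc_backup Passw0rd!",
        r'process: wmic.exe /node:FS01 process call create "cmd.exe /c C:\temp\x.exe"',
        r"file: C:\Users\alice\Documents\budget.xlsx.locked",
    ],
    "stealer_b": [
        r"process: powershell.exe -e JABjAGwAaQBlAG4AdAA=",
        r"process: cmd.exe /c whoami /all",
    ],
    "worm_c": [
        r"process: net.exe view",
        r"process: psexec.exe \\WS02 -s cmd.exe /c C:\Windows\Temp\w.exe",
        r"process: procdump.exe -ma lsass.exe C:\Windows\Temp\out.dmp",
    ],
}

if __name__ == "__main__":
    report = summarize(SAMPLES)
    for name in SAMPLES:
        print(f"{name}: {report['ttps'][name]} TTPs / {report['techniques'][name]} techniques")
    print(f"mean TTPs per sample: {report['mean_ttps']:.1f}")
    print("most prevalent techniques:", report["prevalence"][:3])
```

Two design points carry over to real pipelines: prevalence is counted once per sample rather than once per action, so a sample that spawns a shell a thousand times still contributes one vote for T1059, and the report's "11 TTPs or nine techniques" style of figure is only meaningful once you have decided whether sub-techniques are collapsed to their parent before counting.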

“The goal of ransomware operators and nation-state actors alike is to achieve an objective as quickly and efficiently as possible. The fact that more malware can conduct lateral movement is a sign that adversaries of all types are being forced to adapt to differences in IT environments and work harder to get their payday,” said Ozarslan.

“Faced with defending against increasingly sophisticated malware, security teams must also continue to evolve their approaches. By prioritizing commonly used attack techniques, and by continuously validating the effectiveness of security controls, organizations will be much better prepared to defend critical assets.”
