Malware designed to seek out and disable enterprise security defenses has surged over the past year to account for roughly a quarter (26%) of all detections in 2023, according to Picus Security.
The cybersecurity vendor revealed the findings in its Picus Red Report 2024, compiled from analysis of 612,080 malicious files collected last year, to which it mapped over seven million instances of MITRE ATT&CK techniques.
The so-called “hunter-killer” malware it highlighted in the report is named after “ultra-evasive” submarines which covertly seek out their targets, according to Picus Security co-founder, Suleyman Ozarslan.
“Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defenses, new malware is designed to not only evade security tools but actively bring them down,” he claimed.
“We believe cybercriminals are changing tack in response to the security of average businesses being much improved, and widely used tools offering far more advanced capabilities to detect threats. A year ago, it was relatively rare for adversaries to disable security controls. Now, this behavior is … used by virtually every ransomware group, APT and nation-state.”
The malware category, which grew in volume by 333% from 2022 to 2023, maps to three main MITRE ATT&CK techniques:
- Process Injection (T1055): covertly running malicious code inside legitimate processes to evade detection tools
- Command and Scripting Interpreter (T1059): disguising attacker activity as normal system operations carried out by built-in interpreters
- Impair Defenses (T1562): directly targeting and disrupting the tools meant to protect networks, such as AV, EDR and logging
“This evolution is further nuanced by repurposing cybersecurity utilities as instruments of aggressive attacks,” the report continued.
“In 2023, the LockBit ransomware group abused Kaspersky’s TDSSKiller anti-rootkit utility, Earth Longzhi exploited Zemana Antimalware’s driver, and the AuKill malware abused Microsoft’s Process Explorer to disable endpoint defenses like Windows Defender and other AV and EDR solutions.”
Defenders Must Be Proactive
Overall, 70% of the malware analyzed now employs stealth-oriented techniques, according to the report.
It also revealed a 150% annual increase in the use of “T1027 Obfuscated Files or Information,” whereby hackers try to hide malicious activity to make detection of attacks, forensic analysis and incident response harder for network defenders.
Huseyin Can Yuceel, security research lead at Picus Security, argued that it can be extremely difficult to stop hunter-killer malware, as security tools may appear to be working as expected, even if an attack has actually disabled or reconfigured them.
“Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defense-in-depth approach. Security validation must be a starting point for organizations to better understand their readiness and identify gaps,” he explained.
“Unless an organization is proactively simulating attacks to assess the response of its EDR, XDR, SIEM, and other defensive systems that may be weakened or eliminated by hunter-killer malware, they will not know they are down until it is too late.”
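As an added illustration of the detection side of Impair Defenses (T1562), here is a small Python detector, not from the report or from Picus, that scans Windows-style event records for signs that a security control has been switched off or a security service stopped, and groups the hits per host so that several impairments on one machine stand out. The event records are constructed samples; the event IDs are real Windows IDs, while the protected service names are assumptions to be replaced with the display names of whatever AV/EDR an organization actually runs.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the report), shaped like simplified
# Windows event log entries. Event IDs are real Windows IDs: Defender
# 5001/5010/5012 = protection disabled, SCM 7036 = service state change,
# Security 4719 = system audit policy changed.
SAMPLE_EVENTS = [
    {"host": "ws01", "provider": "Microsoft-Windows-Windows Defender", "id": 5001,
     "msg": "Real-time protection is disabled."},
    {"host": "ws01", "provider": "Service Control Manager", "id": 7036,
     "msg": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"host": "ws01", "provider": "Microsoft-Windows-Security-Auditing", "id": 4719,
     "msg": "System audit policy was changed."},
    {"host": "ws02", "provider": "Service Control Manager", "id": 7036,
     "msg": "The Print Spooler service entered the running state."},
]

# Display names (as they appear in 7036 messages) of services whose stop is
# treated as defense impairment. "Example EDR Agent" is a placeholder.
PROTECTED_SERVICES = {"Microsoft Defender Antivirus Service", "Example EDR Agent"}

SERVICE_STATE = re.compile(r"^The (?P<name>.+?) service entered the (?P<state>\w+) state")


def classify(event, protected=PROTECTED_SERVICES):
    """Return (technique, reason) if the event indicates Impair Defenses, else None."""
    prov, eid, msg = event["provider"], event["id"], event["msg"]
    if prov == "Microsoft-Windows-Windows Defender" and eid in (5001, 5010, 5012):
        return ("T1562.001", f"Defender protection disabled (event {eid})")
    if prov == "Service Control Manager" and eid == 7036:
        m = SERVICE_STATE.match(msg)
        if m and m["state"] == "stopped" and m["name"] in protected:
            return ("T1562.001", f"security service '{m['name']}' stopped")
    if prov == "Microsoft-Windows-Security-Auditing" and eid == 4719:
        return ("T1562.002", "audit policy changed")
    return None


def find_impaired_defenses(events, protected=PROTECTED_SERVICES):
    """Group Impair Defenses indicators by host; several on one host is the pattern to escalate."""
    findings = defaultdict(list)
    for ev in events:
        hit = classify(ev, protected)
        if hit:
            findings[ev["host"]].append({"technique": hit[0], "reason": hit[1]})
    return dict(findings)


if __name__ == "__main__":
    for host, hits in find_impaired_defenses(SAMPLE_EVENTS).items():
        print(host, [h["reason"] for h in hits])
```

Run against a real export, the same logic gives a defender an independent signal that a control is down even while the control's own console still reports healthy.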