77% of rootkits are used for espionage purposes

In a new report, Positive Technologies analyzes this past decade’s most infamous families of rootkits – programs that hide the presence of malicious software or traces of intrusion in victim systems.

The study finds that the majority of rootkits are used by APT groups or financially motivated criminals whose payouts exceed the costs, the most commonly targeted are government and research institutes, and 77% of rootkits are used by cybercriminals for espionage purposes.

Rootkits are not the most common type of malware. Rootkit detections tend to be associated with high-profile attacks having high-impact consequences—often these tools form part of multifunctional malware that intercepts network traffic, spies on users, steals login credentials, or hijacks resources to carry out DDoS attacks. The most famous application of a rootkit in an attack was the Stuxnet campaign, which targeted Iran’s nuclear program.

Cybercriminals mostly using rootkits to attack government agencies

Positive Technologies carried out a large-scale study of rootkits used by hacker groups over the past decade, starting in 2011. The results show that in 44% of cases, cybercriminals used rootkits to attack government agencies. Slightly less frequently (38%), rootkits were used to attack research institutes. Experts link the choice of targets to the main motive of rootkit distributors: Data harvesting.

The information handled by government and research organizations is of great value to cybercriminals. According to the study, the top 5 industries most attacked by rootkits also include telecommunications (25%), manufacturing (19%), and financial institutions (19%). In addition, 56% are used by hackers to attack individuals. These are mainly targeted attacks as part of cyberespionage campaigns against high-ranking officials, diplomats, and employees of victim organizations.

“Rootkits, especially ones that operate in kernel mode, are very difficult to develop, so they are deployed either by sophisticated APT groups that have the skills to develop these tools, or by groups with the financial means to buy rootkits on the gray market,” explains Yana Yurakova, a security analyst at Positive Technologies.

“Attackers of this caliber are mainly focused on cyberespionage and data harvesting. They can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim’s infrastructure on behalf of a paymaster.”

In 77% of cases, the rootkit families under investigation were used to harvest data, 31% were motivated by financial gain, and just 15% of attacks sought to exploit the victim company’s infrastructure to carry out subsequent attacks.

The study also finds that dark web forums are dominated by ads selling user-level rootkits, which are commonly used in mass attacks. According to the report, the cost of an off-the-shelf rootkit ranges from $45,000 to $100,000, depending on the operating mode, target Operating System, terms of use (for example, time limits on how long the malware can be rented), and additional features—remote access and concealment of files, processes, and network activity are the most commonly requested.

Developers offering to customize the rootkit for the buyer’s needs

In some cases, developers offer to customize the rootkit for the buyer’s needs and provide support. 67% of ads stated that the rootkit should be “tailored” for Windows. This correlates with the results of the study: Rootkits crafted for Windows systems in the sample group analyzed accounted for the lion’s share (69%).

“Despite the difficulties of developing such programs, every year we see the emergence of new versions of rootkits with a different operating mechanism to that of known malware,” said Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PT ESC).

“This indicates that cybercriminals are still developing tools to disguise malicious activity and coming up with new techniques for bypassing security—a new version of Windows appears, and malware developers immediately create rootkits for it. We expect rootkits to carry on being used by well-organized APT groups, which means it’s no longer just about compromising data and extracting financial gain, but about concealing complex targeted attacks that can entail unacceptable consequences for organizations—from disabling critical infrastructure, such as nuclear power stations, thermal power plants, and power grids, to anthropogenic accidents and disasters at industrial enterprises, and political espionage.”

Researchers believe rootkits will continue to be developed and used by cybercriminals, and in fact, PT ESC specialists have identified the emergence of new versions of rootkits, indicating that attackers continue to invent new techniques to bypass protection.

A criminal’s advantages for using rootkits – executing code in privileged mode, being able to hide from security tools, and remaining online for long periods of time – are too important for attackers to reject these tools.

The main danger of rootkits will continue to be the concealment of complex, targeted attacks until the point of an actual assault or set of events causing damage for the target organization.