“Swiss Army knife” malware – multi-purpose malware that can perform malicious actions across the cyber-kill chain and evade detection by security controls – is on the rise, according to the results of Picus Security’s analysis of over 550,000 real-world malware samples gathered from commercial and open-source threat intelligence services, security vendors and researchers, and malware sandboxes and databases.
By observing the malware’s behavior, the company’s researchers extracted over 5 million malicious actions and used this data to identify the ten most common ATT&CK techniques leveraged by cybercriminals in 2022.
The list – starting with the most prevalent technique – includes:
- The use of command and scripting interpreters to run arbitrary code
- Dumping credentials from the compromised system’s operating system and utilities
- Data encryption
- The injection of malicious code into legitimate processes (DLL injection, thread execution hijacking, process hollowing, etc.)
- The collection of data about computer systems or networks (to facilitate lateral movement)
- The use of remote services (e.g., RDP, SSH, VNC) for access and control
- The abuse of Windows Management Instrumentation to execute malicious commands and payloads on compromised Windows hosts
- The use of scheduled tasks/jobs
- Anti-virtualization and anti-sandboxing capabilities
- The discovery of remote hosts and networks
The analysis has shown that:
- The average malware sample leverages 11 different tactics, techniques, and procedures (TTPs). One-third of malware (32%) leverages more than 20 TTPs, and one-tenth leverages more than 30 TTPs.
- Command and Scripting Interpreter is the most prevalent ATT&CK technique, exhibited by nearly a third of malware samples. The appearance of Remote System Discovery and Remote Services in the company’s Red Report for the first time is further evidence of the extent to which malware can now abuse built-in tools and protocols in operating systems to evade detection.
- Four of the 10 most prevalent ATT&CK techniques identified are used to aid lateral movement inside corporate networks.
- A quarter of all malware is capable of encrypting data, highlighting the continued threat of ransomware.
The versatility of the latest malware is demonstrated by the fact that a third of all samples analyzed by Picus Labs are capable of exhibiting more than 20 individual TTPs. Increasingly, malware can abuse legitimate software, perform lateral movement, and encrypt files. Its rising sophistication is likely driven by the extensive resources of well-funded ransomware syndicates and by advances in the behavior-based detection methods used by defenders.
Multi-purpose malware is the future
“Modern malware takes many forms,” said Dr. Suleyman Ozarslan, VP of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data.”
“The goal of ransomware operators and nation-state actors alike is to achieve an objective as quickly and efficiently as possible,” he continued. “The fact that more malware can conduct lateral movement is a sign that adversaries of all types are being forced to adapt to differences in IT environments and work harder to get their payday.”
“Faced with defending against increasingly sophisticated malware, security teams must also continue to evolve their approaches. By prioritizing commonly used attack techniques, and by continuously validating the effectiveness of security controls, organizations will be much better prepared to defend critical assets. They will also be able to ensure that their attention and resources are focused in areas that will have the greatest impact.”