Understanding the tactics of stealthy hunter-killer malware

Picus Security has revealed a rise in hunter-killer malware, highlighting a significant shift in adversaries’ capability to pinpoint and thwart advanced enterprise defenses, including next-gen firewalls, antivirus programs, and EDR systems.

There was a 333% increase in malware that can actively target defensive systems in an attempt to disable them.

The identification of hunter-killer malware

Drawing parallels from the stealthy and offensive nature of hunter-killer submarines, these malware strains evade security measures with precision and proactively seek out and impair security tools, firewalls, logging services, audit systems, and other protective measures within an infected system. Thus, hunter-killer malware is characterized not by mere evasion but by its targeted attacks on defensive systems, analogous to a submarine’s pre-emptive strike, disabling the defenses before an alert can be sounded. In doing so, they clear a path for continuous exploitation and control of the compromised environment.

The identification of hunter-killer malware represents a considerable escalation in cyber threats. These sophisticated malware execute comprehensive attack campaigns by blending covert operations with aggressive assaults on security controls – posing a high-level challenge to organizational cyber defense efforts.

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Dr. Suleyman Ozarslan, VP of Picus Labs.

“Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defenses, new malware is designed to not only evade security tools but actively bring them down. We believe cybercriminals are changing tact in response to the security of average businesses being much-improved, and widely used tools offering far more advanced capabilities to detect threats. A year ago, it was relatively rare for adversaries to disable security controls. Now, this behavior is seen in a quarter of malware samples and is used by virtually every ransomware group and APT group,” Ozarslan continued.

Evolving tactics challenge detection and response

To ensure cyber defenses are theoretically robust and practically effective, security teams must embrace security validation to consistently test and optimize their readiness to prevent, detect, and respond to these sophisticated threats. In addition, by employing behavioral analysis and machine learning, security teams can better position defenses to anticipate and neutralize the hunter-killer components of modern threats.

70% of malware analyzed now employ stealth-oriented techniques by attackers, particularly those that facilitate evading security measures and maintaining persistence in networks. Nearly one-third of all analyzed malware can inject malicious code into legitimate processes, allowing adversaries to avoid detection while potentially gaining elevated privileges.

There was a 150% increase in the use of T1027 Obfuscated Files or Information. This highlights a trend toward hindering the effectiveness of security solutions and obfuscating malicious activities to complicate the detection of attacks, forensic analysis, and incident response efforts.

Staying ahead of 2024 malware trends

There was a 176% increase in the use of T1071 Application Layer Protocol, which are being strategically deployed for data exfiltration as part of sophisticated double extortion schemes.

To combat hunter-killer malware and stay ahead of 2024 malware trends, Picus is urging organizations to embrace machine learning, protect user credentials, and consistently validate their defenses against the latest tactics and techniques used by cybercriminals.

“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected,” said Huseyin Can Yuceel, Security Research Lead at Picus Security.

“Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defense-in-depth approach. Security validation must be a starting point for organizations to better understand their readiness and identify gaps. Unless an organization is proactively simulating attacks to assess the response of its EDR, XDR, SIEM, and other defensive systems that may be weakened or eliminated by hunter-killer malware, they will not know they are down until it is too late,” Yuceel concluded.