
Multi-purpose malwares can use more than 20 MITRE ATT&CK TTPs

Report warns of the development of increasingly sophisticated, multi-purpose malwares, and calls on defenders to pay close attention to the MITRE ATT&CK framework to ward them off

Malware developers are becoming increasingly adept at creating advanced, multi-purpose malwares that effectively serve as a “Swiss Army knife” for cyber criminals, with the ability to perform multiple malicious actions across attack chains – and, critically, evade detection by security controls.

This is according to a report produced by breach and attack simulation specialist Picus Security, which tasked its Picus Labs research unit to analyse a total of 556,107 unique files over the course of 2022, with 507,192 of them classified as malicious. These were drawn from commercial and open source threat intelligence services, other security suppliers and researchers, and malware sandboxes and databases.

These files yielded a total of 5,388,946 actions, approximately 11 per file on average, each of which was mapped to a MITRE ATT&CK technique. The results were then tallied to show, for each technique, how many malicious files used it and therefore what percentage of malware did so.

Based on this analysis, Picus has determined that about a third of malwares are capable of exhibiting more than 20 individual tactics, techniques and procedures (TTPs) as enumerated by the MITRE ATT&CK framework. The average malware leverages 11 TTPs, and approximately 10% averages over 30.

It believes the development of these “Swiss Army” malwares is being funded from the deep pockets of high-profile ransomware cartels that are reacting to advances in behaviour-based detection measures.

“Modern malware takes many forms,” said Suleyman Ozarslan, Picus Security co-founder and vice-president of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision.

“Now we are seeing more malware that can do anything and everything. This malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data.”

“The goal of ransomware operators and nation-state actors alike is to achieve an objective as quickly and efficiently as possible,” he added.

“The fact that more malware can conduct lateral movement is a sign that adversaries of all types are being forced to adapt to differences in IT environments and work harder to get their payday,” said Ozarslan.

The most widely used MITRE ATT&CK TTPs as determined by Picus Labs clearly demonstrate the prevalence of ransomware. In order, they are as follows:

  • T1059 Command and Scripting Interpreter, found in 31% of samples. This is an execution technique that lets an adversary execute arbitrary commands, scripts and binaries to interact with systems, download payloads and tools, and disable security tools.
  • T1003 OS Credential Dumping, found in 25% of samples. This allows adversaries to dump credentials from operating systems and utilities to obtain account login details they can use to access other resources.
  • T1486 Data Encrypted for Impact, found in 23% of samples. Malicious use of encryption is the end-goal for every ransomware operator, and is increasingly used in destructive cyber attacks in which no financially-motivated extortion attempt is made.
  • T1055 Process Injection, found in 22% of samples. This common technique lets adversaries evade defences and escalate their privileges by injecting malicious code into legitimate processes.
  • T1082 System Information Discovery, found in 20% of samples. This technique simply enables adversaries to collect more data about the IT estate in which they are present, such as hardware components, applications and network configurations in use, and find vulnerabilities they can exploit.
  • T1021 Remote Services, found in 18% of samples. This technique refers to an adversary’s use of remote services, mostly Windows Remote Desktop Protocol (RDP), Secure Shell (SSH), Server Message Block (SMB), etc, to move laterally and gain further access to remote systems.
  • T1047 Windows Management Instrumentation, found in 15% of samples. WMI, which manages data and operations on all Windows-based systems, is readily abused by adversaries to execute malicious commands and payloads on compromised hosts, and achieve local and remote access.
  • T1053 Scheduled Task/Job, found in 12% of samples. This technique can be used by adversaries to schedule and trigger various stages of a cyber attack.
  • T1497 Virtualisation/Sandbox evasion, found in 10% of samples. This technique helps malware evade virtualised analysis environments by shutting down if it detects that it is running in one. This can make it harder for defenders, investigators and researchers to establish what is going on.
  • T1018 Remote System Discovery, found in 8% of samples. If an adversary can deploy this technique to discover remote hosts and networks, they can potentially open up a much wider threat surface to exploit and attack.

Taken together, it is easy to see how a malware that deploys the above-listed TTPs would be a serious threat.

Ozarslan recommended that in the face of these sophisticated multi-purpose malwares, security teams must begin to adapt to prioritise detection of the most commonly used TTPs, and to introduce continuous evaluation of their cyber controls.
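The tally described above (map each observed action to an ATT&CK technique, then work out what share of files exhibit each technique and how many distinct TTPs each file uses) and the recommendation to prioritise detection of the most common TTPs can be reproduced on a team's own sandbox output. The following is an added example, not code from Picus or the report: the sample records, file identifiers and technique assignments are constructed for illustration, and counting distinct techniques per file is an assumption about how "TTPs per malware" is measured, since the report's exact counting rule is not given.

```python
from collections import defaultdict

# Constructed sample of sandbox observations: (file identifier, ATT&CK technique ID).
# File IDs are placeholders and the technique assignments are invented for this
# example; none of these are figures from the Picus report. Duplicate rows model a
# file that performed the same technique more than once.
SAMPLE_ACTIONS = [
    ("sample-01", "T1059"), ("sample-01", "T1059"), ("sample-01", "T1003"),
    ("sample-01", "T1486"), ("sample-01", "T1055"), ("sample-01", "T1082"),
    ("sample-01", "T1021"), ("sample-01", "T1047"), ("sample-01", "T1053"),
    ("sample-01", "T1497"), ("sample-01", "T1018"),
    ("sample-02", "T1059"), ("sample-02", "T1082"),
    ("sample-03", "T1003"), ("sample-03", "T1055"), ("sample-03", "T1082"),
    ("sample-04", "T1059"), ("sample-04", "T1486"), ("sample-04", "T1486"),
    ("sample-05", "T1082"),
]


def techniques_by_file(actions):
    """Group observations into {file_id: set of distinct technique IDs}.

    Counting distinct techniques (not raw actions) per file is an assumption
    about how 'TTPs per malware' should be measured.
    """
    per_file = defaultdict(set)
    for file_id, technique in actions:
        per_file[file_id].add(technique)
    return dict(per_file)


def technique_prevalence(actions):
    """Fraction of files in which each technique was observed at least once."""
    per_file = techniques_by_file(actions)
    total = len(per_file)
    counts = defaultdict(int)
    for techniques in per_file.values():
        for technique in techniques:
            counts[technique] += 1
    return {technique: n / total for technique, n in counts.items()}


def ttp_count_summary(actions, thresholds=(20, 30)):
    """Mean distinct TTPs per file and the share of files above each threshold.

    The default thresholds match the report's '>20' and '>30' cut-offs.
    """
    counts = [len(s) for s in techniques_by_file(actions).values()]
    return {
        "files": len(counts),
        "mean_ttps": sum(counts) / len(counts),
        "share_over": {
            k: sum(1 for c in counts if c > k) / len(counts) for k in thresholds
        },
    }


def prioritise_detections(actions, top_n=5):
    """Rank techniques by prevalence, highest first, as a detection-engineering
    backlog. Ties are broken by technique ID so the ordering is deterministic."""
    prevalence = technique_prevalence(actions)
    ranked = sorted(prevalence.items(), key=lambda kv: (-kv[1], kv[0]))
    return [technique for technique, _ in ranked[:top_n]]


if __name__ == "__main__":
    prevalence = technique_prevalence(SAMPLE_ACTIONS)
    for technique, share in sorted(prevalence.items(), key=lambda kv: -kv[1]):
        print(f"{technique}: {share:.0%} of samples")
    # Thresholds lowered to 5 because the constructed sample is small.
    print(ttp_count_summary(SAMPLE_ACTIONS, thresholds=(5,)))
    print("Detection priorities:", prioritise_detections(SAMPLE_ACTIONS))
```

Replacing `SAMPLE_ACTIONS` with a real export of (sample, technique) pairs from a sandbox gives the same two views the report relies on: a prevalence table to decide which techniques to build and test detections for first, and the per-file distribution that shows how many samples in your own feed behave like the multi-purpose malware described above.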

“Organisations will [therefore] be much better prepared to defend critical assets. They will also be able to ensure that their attention and resources are focused in areas that will have the greatest impact.”
