
Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

A malware tactic dubbed ‘hunter-killer’ is growing, based on an analysis of more than 600,000 malware samples. This may become the standard approach for advanced attacks.


There has been a notable rise in a malware tactic dubbed ‘hunter-killer’ malware. The name comes from modern submarine warfare: submarines remain hidden until they strike. The use of hunter-killer malware grew over 2023, and it is expected to continue growing. 

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Dr. Suleyman Ozarslan, Picus Security co-founder and VP of Picus Labs. He is talking about malware that evades detection and disables cybersecurity defenses.

The submarine analogy could be taken further. The UK’s Vanguard submarines are designed to deliver a nuclear payload against the enemy. In the Picus analogy, this would be the delivery of a malware payload — such as ransomware. It is not, however, a part of the Picus hunter-killer malware definition.

The conclusions reached in the report, The Rise of Hunter-Killer Malware, are drawn from an analysis of the top ten most prevalent MITRE ATT&CK techniques. These are not necessarily the top ten in absolute numbers since Picus concentrates on post-compromise techniques (phishing, initial access, reconnaissance, for example, are not included).

Furthermore, while Picus analyzed 600,000 malware samples during 2023 (and mapped an average of 13 malicious activities per sample to the ATT&CK framework), it notes that this is only a subset of the overall malware landscape. “This limitation may introduce a bias in the visibility of malware types and behaviors,” the researchers warn.

Despite this, the firm’s conclusions are stark and clear. The top four most used techniques are all aspects of hunter-killer malware — and the use of each increased dramatically during 2023. The top four are T1055 (process injection); T1059 (command and scripting interpreter); T1562 (impair defenses); and T1082 (system information discovery). The ‘Vanguard’ element of the submarine analogy appears at #5, T1486 (data encrypted for impact) and #7, T1071 (application layer protocol).

The implication is obvious — there is increased use of evasion and defense impairment prior to dropping the malware payload. 


T1055. Process injection is a key element of ‘living off the land’ evasion: the insertion of malicious code into a legitimate process. The primary use for the attacker is defense evasion (stealth) and privilege escalation. It was present in 32% (195,044) of the malware samples, up from 22% in 2022 (a 45% increase).

T1059. The command and scripting interpreter technique provides a similar effect. It allows the attacker to disguise malicious activity using native tools (such as PowerShell, VBScript, Unix Shell, AppleScript and more) and again sidestep traditional defenses. It was found in 174,118 (28%) of the 600,000 samples.

T1562. The impair defenses technique is used to disrupt defenses – it is effectively the more aggressive ‘killer’ side of evasion. The report includes several examples. The BabLock ransomware uses the Windows Events Command Line Utility to remove certain Windows event logs; LockBit amends the Registry for the same effect. Qubitstrike exploits HISTCONTROL to prevent its own malicious commands from being recorded in the command history list. Other malware may alter firewall rules: Glupteba RAT adds a firewall rule allowing incoming connections to its executable.
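The three impair-defenses behaviours named above (event-log clearing, shell-history suppression via HISTCONTROL, and firewall-rule tampering) can each be expressed as a detection over process-creation telemetry. The following is an added illustration written for this page, not code from Picus or from the report: it scans constructed sample log lines (timestamp, host, command line) and maps hits to ATT&CK T1562 sub-techniques. The log format, the regexes and the sample commands are assumptions; the sub-technique IDs are the standard ATT&CK ones.

```python
"""Map process-creation log lines to ATT&CK T1562 (impair defenses)
sub-techniques.  Added illustration, not Picus code.  The log format
(ISO timestamp, hostname, command line) and the indicator regexes are
assumptions chosen for this example."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str   # ATT&CK sub-technique ID
    label: str       # short description of the observed behaviour
    host: str        # host the command ran on
    command: str     # the offending command line


# Indicators keyed to the behaviours described in the article.  First match
# wins, so more specific patterns sit before broader ones.
INDICATORS = [
    (re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
     "T1562.002", "Windows event log cleared via wevtutil"),
    (re.compile(r"\bClear-EventLog\b", re.I),
     "T1562.002", "Windows event log cleared via PowerShell cmdlet"),
    (re.compile(r"\bHISTCONTROL=(?:ignorespace|ignoreboth)\b"),
     "T1562.003", "shell history suppression through HISTCONTROL"),
    (re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\bdir=in\b.*"
                r"\baction=allow\b", re.I),
     "T1562.004", "inbound firewall allow rule added via netsh"),
    (re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b", re.I),
     "T1562.004", "firewall profile disabled via netsh"),
]

# Constructed sample telemetry (not real data): one record per line,
# "<timestamp> <host> <command line>".
SAMPLE_LOG = r"""
2024-02-13T10:01:02Z host01 "C:\Windows\System32\svchost.exe" -k netsvcs
2024-02-13T10:01:05Z host01 wevtutil.exe cl Security
2024-02-13T10:01:06Z host01 netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Public\upd.exe"
2024-02-13T10:01:09Z host02 export HISTCONTROL=ignorespace
2024-02-13T10:01:11Z host02 bash -c "ls -la /tmp"
2024-02-13T10:01:15Z host01 powershell.exe -nop -c Clear-EventLog -LogName System
"""


def parse_record(line):
    """Split one record into (timestamp, host, command line)."""
    ts, host, command = line.split(maxsplit=2)
    return ts, host, command


def scan(log_text):
    """Return a Finding for every record matching an indicator."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _ts, host, command = parse_record(raw)
        for pattern, technique, label in INDICATORS:
            if pattern.search(command):
                findings.append(Finding(technique, label, host, command))
                break  # one finding per command line
    return findings


def summarize(findings):
    """Count findings per sub-technique, e.g. {'T1562.002': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.technique} {f.host}: {f.label}")
    print(summarize(hits))
```

Command-line regexes are a starting point, not the whole answer: a log clear also leaves its own trace (Security event ID 1102 and System event ID 104 on Windows), and the absence of expected events from a host that is otherwise healthy is itself worth alerting on, because the 'killer' step is designed to make later activity invisible.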

The defense evasion ATT&CK technique was found in 158,661 malware samples (26%). This is a 333% increase over the previous year. It marks, say the researchers, a significant shift in cyberattack strategies. “Threat actors are transforming malware into proactive ‘hunter-killers’ of cybersecurity defenses, directly targeting and disrupting the tools meant to protect networks.”

T1082. System information discovery is used to gather information about the network, including hardware, software, and network configurations. It can be used to locate systems known to be exploitable, or it can be used to discover software suitable to be used for more persistent, stealthy residence. “System Information Discovery rose from fifth to fourth place, indicating its growing importance in the successful use of native OS tools for discreet information gathering,” notes the report. The technique was found in 143,795 of the malware samples (23%).

The fifth and seventh most prevalent techniques help to explain the growth in the first four. #5 is T1486 (data encrypted for impact), and #7 is T1071 (application layer protocol). The former is an integral part of ransomware, so its prevalence is unsurprising. The incidence of wipers (encryption with no decryption capability) also increased over the last two years, often associated with the Russia/Ukraine war. 

The latter is T1071 (application layer protocol), which is used for data exfiltration. Picus connects data exfiltration and encryption with the growing incidence of double extortion ransomware, citing BlackCat/AlphV against NCR and Henry Schein, Cl0p targeting the US Department of Energy, Royal breaching the City of Dallas, LockBit’s assaults on Boeing, CDW, and MCNA, and Scattered Spider infiltrating MGM Resorts and Caesars Entertainment as examples.

Of course, ransomware may not be the only reason for an increase in the use of T1071 since the combination of stealth persistence and data exfiltration is a good combination for cyber espionage. Noticeably, T1547 is #8 in prevalence — boot or logon autostart execution for persistence.

By the numbers, T1486 was found in 129,969 samples (21%); T1071 was found in 108,373 samples (18%, but a 176% increase over the previous year); and T1547 was found in 90,009 samples (15%).

It is difficult to reach any conclusion other than attackers are becoming more sophisticated in their attacks, using hunter-killer submarine techniques to evade detection and dismantle defenses before moving to the Vanguard submarine purpose of delivering a payload. 

Picus suggests one cause of this combination of ATT&CK techniques may be the current global geopolitical tensions. “Collecting sensitive information and maintaining a presence within networks are hallmarks of advanced persistent threats (APTs). This could signal the involvement of sophisticated, well-funded adversaries. Notable entities such as Russia’s APT28 (Fancy Bear) and APT29 (Cozy Bear), along with Star Blizzard, China’s Volt Typhoon, and North Korea’s Lazarus Group have demonstrated significant activity during 2023. These groups’ strategic operations in 2023 indicate an escalating trend of state-sponsored attack campaigns.”

However, whether it is APT groups or simply more sophisticated criminal gangs, the result is the same: the attackers are increasingly using stealth and killing defenses to hide and prolong their residence. It becomes important for defenders to regularly check and ensure that their defenses are still working and have not been neutralized by attackers.

“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected,” said Huseyin Can YUCEEL, security research lead at Picus. “Security validation must be a starting point for organizations to better understand their readiness and identify gaps.”
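The point in the two paragraphs above, that a neutralized control can still look healthy, is easiest to act on by checking the control's actual state rather than trusting its presence. The following is an added illustration for this page, not Picus code or a Picus product feature: it parses output in the shape of `wevtutil gl <channel>` and `netsh advfirewall show allprofiles` and flags event-log channels or firewall profiles that have been switched off. The sample output is constructed and modelled on those commands' formats, and the expected-state lists are assumptions.

```python
"""Validate that event-log channels and firewall profiles are still in their
expected state.  Added illustration, not Picus code.  The sample command
output below is constructed and modelled on `wevtutil gl` and
`netsh advfirewall show allprofiles`; the expected-state lists are
assumptions for this example."""
import re

# Constructed sample: output in the shape of `wevtutil gl Security`, after
# the channel has been disabled.
SECURITY_GL = """\
name: Security
enabled: false
type: Admin
owningPublisher:
isolation: Custom
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
"""

# Constructed sample: output in the shape of `wevtutil gl System`.
SYSTEM_GL = """\
name: System
enabled: true
type: Admin
owningPublisher:
isolation: System
"""

# Constructed sample: output in the shape of
# `netsh advfirewall show allprofiles`, with the Public profile turned off.
NETSH_PROFILES = """\

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

EXPECTED_CHANNELS = ["Security", "System"]            # assumption
EXPECTED_PROFILES = ["Domain", "Private", "Public"]   # assumption


def parse_wevtutil_gl(text):
    """Return {field: value} for the unindented 'key: value' lines only;
    indented sub-keys under 'logging:' are ignored."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def parse_netsh_profiles(text):
    """Return {profile: 'ON'|'OFF'} from allprofiles-style output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) Profile Settings:", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^State\s+(ON|OFF)$", line.strip())
        if m and current:
            profiles[current] = m.group(1)
    return profiles


def validate(channels, profiles):
    """Compare observed state with the expected lists; return findings."""
    findings = []
    for name in EXPECTED_CHANNELS:
        info = channels.get(name)
        if info is None:
            findings.append(f"channel {name}: no data collected")
        elif info.get("enabled", "").lower() != "true":
            findings.append(f"channel {name}: logging disabled")
    for name in EXPECTED_PROFILES:
        state = profiles.get(name, "missing")
        if state != "ON":
            findings.append(f"firewall profile {name}: {state}")
    return findings


def run_checks():
    """Parse the constructed samples and return the list of findings."""
    channels = {c["name"]: c for c in map(parse_wevtutil_gl, (SECURITY_GL, SYSTEM_GL))}
    return validate(channels, parse_netsh_profiles(NETSH_PROFILES))


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

On a live host the two sample strings would be replaced by the captured output of the corresponding commands, run on a schedule and compared against a stored baseline; the value of the check is the comparison with what was expected, since a disabled channel or profile reports nothing on its own.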


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
