Risk

11/15/2018
02:30 PM
Avi Chesla
Avi Chesla
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cyber Crooks Diversify Business with Multi-Intent Malware

The makers of malware have realized that if they're going to invest time and money in compromising cyber defenses, they should do everything they can to monetize their achievement.

Diversification is a well-understood business principle. Nordstrom, for example, started as a shoe store — but then its founders figured out they could generate more revenue by also offering clothing. Following that came jewelry, handbags, accessories, and in-store restaurants, and the rest is history. This same evolution has occurred across countless companies and industries, from Amazon.com (started with books) to General Foods (corn flakes).

And now, we're seeing the same dynamic with cybercrime. Malware engineers have figured out that if they're going to invest time and money in compromising cyber defenses, they ought to do everything they can to monetize their achievement to the max. This has given rise to the growing presence of multi-intent malware.

Multi-Intent, Multibusiness
It's no secret that malware today is mostly machine-driven, requiring minimal human touch. Creating malware in modern times requires little more than simply expressing your malicious intent (say, cryptomining), and the machine does the rest. What is relatively new, however, is that malware makers are now expressing multiple intents, which has led to the emergence of multi-intent malware. Just like Nordstrom increased the return on investment in each store by offering diverse merchandise instead of just shoes, malware creators are diversifying their businesses with multi-intent malware, where a single successful compromise can open up multiple streams of revenue.

Typically, this class of malware will begin by executing one malicious intent (e.g., cryptomining), and once it has maximized the revenue from that channel, it moves onto others (say, ransomware). It does this until it has exhausted all of the malicious intents it was designed to execute on a network or host.

Another particularly insidious feature of multi-intent malware is the ability to evaluate "business opportunities" and react accordingly. For example, if it identifies sensitive information, it can make decisions on whether to encrypt the data for a ransomware attack or exfiltrate it as a data breach. If the data does not seem particularly interesting, the malware can also choose to enslave the host as a bot, or identify if it has enough computing power for cryptomining, etc.

This class of malware effectively conducts "business research" to understand the greatest revenue potential for each compromised asset, and then acts accordingly. The malware owners may even decide there is more money to be made by reselling (or renting) the malware with the compromised hosts, based on cybercriminals' needs. For example, they may offer cryptomining as a one-month "rental," and then rent the malware to another buyer in need of ransomware. For maximum ROI and efficiency, they may even sell or rent the malware to multiple cybercriminals simultaneously.

One recent high-profile example of multi-intent malware was Xbash, which not only included ransomware, cryptominers, botnets, and worms but also conducted reconnaissance through port scanning to identify easily compromised assets within the host organization. To evade detection, this class of malware typically starts by executing the malicious intents that are more difficult to detect (e.g., cryptominers), and then moves into the ones where the malware must expose itself (e.g., ransomware activation).

Defense Strategy
The key to detecting multi-intent malware is to understand what it's trying to achieve. This is done through intent classification. Unfortunately, this is still a largely manual process where humans must analyze suspicious files or behavior, which simply can't keep pace with the rapid volume and variety of machine-generated attacks. However, we are seeing some new approaches to intent classification automation. Two particularly promising areas include:

  • The use of artificial intelligence (AI) and natural language processing (NLP). When a suspicious file is detected on a host, it can trigger an AI and NLP process to automatically collect and read relevant human threat intelligence information from third-party research centers, blogs, etc., and decipher the potential intent (or multi-intent) of the malware. All of this can be done in case the same or similar type of malware was analyzed somewhere else and is part of public intelligence data. This ability to automatically "operationalize" human-readable threat intelligence makes AI and NLP potent countermeasures to multifunction malware and other advanced attacks.
  • The use of cause-and-effect analytics. A complementary approach to automatically operationalize threat intelligence is to use cause-and-effect analytics to decipher malware intent based on the actions that are detected on the compromised host. This works particularly well because all malware actions are typically followed by a logical "next action." For example, a keylogger infection will typically be followed by suspicious login attempts; or, in the financial industry, memory-scraping malware (harvesting credit card or Social Security numbers) will typically trigger data exfiltration; and, of course, a cryptomining infection will be followed by an increase in the host's CPU utilization.  

These technologies are gaining prominence in the war against malware because of their ability to classify intent orders-of-magnitude faster than is possible with manual processes. In the case of multi-intent malware, they help organizations detect, prioritize, and remediate the malware early in the "diversification process," so they can put it out of business before it has the opportunity to open multiple revenue streams.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Avi Chesla is a recognized leader in the Internet security arena internationally, with expertise in product strategy, cybersecurity, network behavioral analysis, expert systems, and software-defined networking. Prior to empow, Avi was CTO and VP of security products at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
arogyalokeshv
50%
50%
arogyalokeshv,
User Rank: Apprentice
11/15/2018 | 11:54:18 PM
Regarding Defense Mechanism
Firstly i want to say congrats on the article. Lot of information was provided in the article the use of artificial intellegience is more now a days & improving more chances for getting hacked. The over all analysis of the business is very important. We even work on the reports that are previously taken for comparision of growth in it. Lastly every business has to have cybersecurity installed & prior steps to be taken for data security.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20136
PUBLISHED: 2018-12-13
XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI.
CVE-2018-20137
PUBLISHED: 2018-12-13
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
CVE-2018-20138
PUBLISHED: 2018-12-13
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541.
CVE-2018-1817
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150021.
CVE-2018-1818
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 150022.