
Risk | Commentary
11/15/2018 02:30 PM
Avi Chesla

Cyber Crooks Diversify Business with Multi-Intent Malware

The makers of malware have realized that if they're going to invest time and money in compromising cyber defenses, they should do everything they can to monetize their achievement.

Diversification is a well-understood business principle. Nordstrom, for example, started as a shoe store — but then its founders figured out they could generate more revenue by also offering clothing. Following that came jewelry, handbags, accessories, and in-store restaurants, and the rest is history. This same evolution has occurred across countless companies and industries, from Amazon.com (started with books) to General Foods (corn flakes).

And now, we're seeing the same dynamic with cybercrime. Malware engineers have figured out that if they're going to invest time and money in compromising cyber defenses, they ought to do everything they can to monetize their achievement to the max. This has given rise to the growing presence of multi-intent malware.

Multi-Intent, Multibusiness
It's no secret that malware today is mostly machine-driven, requiring minimal human touch. Creating malware in modern times requires little more than simply expressing your malicious intent (say, cryptomining), and the machine does the rest. What is relatively new, however, is that malware makers are now expressing multiple intents, which has led to the emergence of multi-intent malware. Just like Nordstrom increased the return on investment in each store by offering diverse merchandise instead of just shoes, malware creators are diversifying their businesses with multi-intent malware, where a single successful compromise can open up multiple streams of revenue.

Typically, this class of malware will begin by executing one malicious intent (e.g., cryptomining), and once it has maximized the revenue from that channel, it moves onto others (say, ransomware). It does this until it has exhausted all of the malicious intents it was designed to execute on a network or host.

Another particularly insidious feature of multi-intent malware is the ability to evaluate "business opportunities" and react accordingly. For example, if it identifies sensitive information, it can make decisions on whether to encrypt the data for a ransomware attack or exfiltrate it as a data breach. If the data does not seem particularly interesting, the malware can also choose to enslave the host as a bot, or identify if it has enough computing power for cryptomining, etc.

This class of malware effectively conducts "business research" to understand the greatest revenue potential for each compromised asset, and then acts accordingly. The malware owners may even decide there is more money to be made by reselling (or renting) the malware with the compromised hosts, based on cybercriminals' needs. For example, they may offer cryptomining as a one-month "rental," and then rent the malware to another buyer in need of ransomware. For maximum ROI and efficiency, they may even sell or rent the malware to multiple cybercriminals simultaneously.

One recent high-profile example of multi-intent malware was Xbash, which not only included ransomware, cryptominers, botnets, and worms but also conducted reconnaissance through port scanning to identify easily compromised assets within the host organization. To evade detection, this class of malware typically starts by executing the malicious intents that are more difficult to detect (e.g., cryptominers), and then moves into the ones where the malware must expose itself (e.g., ransomware activation).

Defense Strategy
The key to detecting multi-intent malware is to understand what it's trying to achieve. This is done through intent classification. Unfortunately, this is still a largely manual process where humans must analyze suspicious files or behavior, which simply can't keep pace with the rapid volume and variety of machine-generated attacks. However, we are seeing some new approaches to intent classification automation. Two particularly promising areas include:

  • The use of artificial intelligence (AI) and natural language processing (NLP). When a suspicious file is detected on a host, it can trigger an AI and NLP process that automatically collects and reads relevant human-written threat intelligence from third-party research centers, blogs, etc., and infers the potential intent (or multiple intents) of the malware. This works whenever the same or a similar type of malware has already been analyzed elsewhere and is part of public intelligence data. This ability to automatically "operationalize" human-readable threat intelligence makes AI and NLP potent countermeasures to multifunction malware and other advanced attacks.
  • The use of cause-and-effect analytics. A complementary approach to automatically operationalizing threat intelligence is to use cause-and-effect analytics to decipher malware intent based on the actions that are detected on the compromised host. This works particularly well because malware actions are typically followed by a logical "next action." For example, a keylogger infection will typically be followed by suspicious login attempts; in the financial industry, memory-scraping malware (harvesting credit card or Social Security numbers) will typically trigger data exfiltration; and, of course, a cryptomining infection will be followed by an increase in the host's CPU utilization.
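As an added example, not code from the original article or its author, the following Python sketch implements the cause-and-effect idea above and also flags the staged, multi-intent behaviour described earlier in the piece: it walks each host's event timeline, matches (cause, effect) pairs from a small rule table when the effect follows its cause within a time window, and reports the inferred intents in the order they appeared. The event names, rule table, six-hour window and log lines are all constructed for illustration; a real deployment would map the rules onto EDR or SIEM telemetry.

```python
"""Cause-and-effect intent classification over a per-host event timeline.

Added example (not from the article or its author). Event names, rules,
window and the sample log are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# (cause event, effect event) -> inferred intent. These constructed rules
# mirror the article's examples: keylogger -> suspicious logins, memory
# scraper -> exfiltration, new process -> sustained CPU (mining) or mass
# file renames (ransomware).
RULES = {
    ("keylogger_detected", "suspicious_login"): "credential_theft",
    ("memory_scraper_detected", "outbound_transfer_spike"): "data_exfiltration",
    ("unknown_process_started", "cpu_util_sustained_high"): "cryptomining",
    ("unknown_process_started", "mass_file_rename"): "ransomware",
}

# Maximum gap between cause and effect for the pair to count (assumed value).
WINDOW = timedelta(hours=6)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    name: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line of the form '<iso-ts> <host> <event>'."""
    ts, host, name = line.split()
    return Event(datetime.fromisoformat(ts), host, name)


def load_events(text: str) -> list:
    """Parse a block of constructed log lines, skipping blank ones."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def classify_intents(events) -> dict:
    """Return {host: [(intent, first_seen_ts), ...]} ordered by time.

    For each host the events are walked in time order; every earlier event
    is tried as the cause of the current one, and a rule hit inside WINDOW
    records that intent once, at the time of the effect.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    result = {}
    for host, evs in by_host.items():
        found = {}
        for i, effect in enumerate(evs):
            for cause in evs[:i]:
                intent = RULES.get((cause.name, effect.name))
                if intent and effect.ts - cause.ts <= WINDOW and intent not in found:
                    found[intent] = effect.ts
        result[host] = sorted(found.items(), key=lambda kv: kv[1])
    return result


def multi_intent_hosts(classified: dict) -> dict:
    """Hosts with more than one inferred intent, i.e. the staged
    'diversification' the article describes, intents in order of appearance."""
    return {h: [i for i, _ in v] for h, v in classified.items() if len(v) > 1}


# Constructed sample timeline. host-a mines first, then turns to ransomware;
# host-b shows keylogger -> login; host-c's exfiltration spike comes 35 hours
# after the scraper alert, outside WINDOW, so no intent is inferred for it.
SAMPLE_LOG = """\
2018-11-01T08:00:00 host-a unknown_process_started
2018-11-01T09:30:00 host-a cpu_util_sustained_high
2018-11-01T13:00:00 host-a mass_file_rename
2018-11-01T10:00:00 host-b keylogger_detected
2018-11-01T11:15:00 host-b suspicious_login
2018-11-01T12:00:00 host-c memory_scraper_detected
2018-11-02T23:00:00 host-c outbound_transfer_spike
"""

if __name__ == "__main__":
    classified = classify_intents(load_events(SAMPLE_LOG))
    for host, intents in classified.items():
        print(host, [(i, t.isoformat()) for i, t in intents])
    print("multi-intent:", multi_intent_hosts(classified))
```

The window is the important tuning knob: too short and a slow, staged campaign is missed (host-c above); too long and unrelated events on a busy host start pairing up. In practice the rules would be derived from observed behaviour rather than hand-written, but the matching logic stays the same.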

These technologies are gaining prominence in the war against malware because of their ability to classify intent orders-of-magnitude faster than is possible with manual processes. In the case of multi-intent malware, they help organizations detect, prioritize, and remediate the malware early in the "diversification process," so they can put it out of business before it has the opportunity to open multiple revenue streams.


Avi Chesla is a recognized leader in the Internet security arena internationally, with expertise in product strategy, cybersecurity, network behavioral analysis, expert systems, and software-defined networking. Prior to empow, Avi was CTO and VP of security products at ...
Comments
sharmapriya, User Rank: Apprentice
1/18/2019 | 6:04:08 AM
Very Nice
I really like your work...
arogyalokeshv, User Rank: Apprentice
11/15/2018 | 11:54:18 PM
Regarding Defense Mechanism
Firstly, I want to say congrats on the article. A lot of information was provided in the article. The use of artificial intelligence is more nowadays & improving more chances for getting hacked. The overall analysis of the business is very important. We even work on the reports that are previously taken for comparison of growth in it. Lastly, every business has to have cybersecurity installed & prior steps to be taken for data security.