Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2018
02:30 PM
Avi Chesla
Avi Chesla
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cyber Crooks Diversify Business with Multi-Intent Malware

The makers of malware have realized that if they're going to invest time and money in compromising cyber defenses, they should do everything they can to monetize their achievement.

Diversification is a well-understood business principle. Nordstrom, for example, started as a shoe store — but then its founders figured out they could generate more revenue by also offering clothing. Following that came jewelry, handbags, accessories, and in-store restaurants, and the rest is history. This same evolution has occurred across countless companies and industries, from Amazon.com (started with books) to General Foods (corn flakes).

And now, we're seeing the same dynamic with cybercrime. Malware engineers have figured out that if they're going to invest time and money in compromising cyber defenses, they ought to do everything they can to monetize their achievement to the max. This has given rise to the growing presence of multi-intent malware.

Multi-Intent, Multibusiness
It's no secret that malware today is mostly machine-driven, requiring minimal human touch. Creating malware in modern times requires little more than simply expressing your malicious intent (say, cryptomining), and the machine does the rest. What is relatively new, however, is that malware makers are now expressing multiple intents, which has led to the emergence of multi-intent malware. Just like Nordstrom increased the return on investment in each store by offering diverse merchandise instead of just shoes, malware creators are diversifying their businesses with multi-intent malware, where a single successful compromise can open up multiple streams of revenue.

Typically, this class of malware will begin by executing one malicious intent (e.g., cryptomining), and once it has maximized the revenue from that channel, it moves onto others (say, ransomware). It does this until it has exhausted all of the malicious intents it was designed to execute on a network or host.

Another particularly insidious feature of multi-intent malware is the ability to evaluate "business opportunities" and react accordingly. For example, if it identifies sensitive information, it can make decisions on whether to encrypt the data for a ransomware attack or exfiltrate it as a data breach. If the data does not seem particularly interesting, the malware can also choose to enslave the host as a bot, or identify if it has enough computing power for cryptomining, etc.

This class of malware effectively conducts "business research" to understand the greatest revenue potential for each compromised asset, and then acts accordingly. The malware owners may even decide there is more money to be made by reselling (or renting) the malware with the compromised hosts, based on cybercriminals' needs. For example, they may offer cryptomining as a one-month "rental," and then rent the malware to another buyer in need of ransomware. For maximum ROI and efficiency, they may even sell or rent the malware to multiple cybercriminals simultaneously.

One recent high-profile example of multi-intent malware was Xbash, which not only included ransomware, cryptominers, botnets, and worms but also conducted reconnaissance through port scanning to identify easily compromised assets within the host organization. To evade detection, this class of malware typically starts by executing the malicious intents that are more difficult to detect (e.g., cryptominers), and then moves into the ones where the malware must expose itself (e.g., ransomware activation).

Defense Strategy
The key to detecting multi-intent malware is to understand what it's trying to achieve. This is done through intent classification. Unfortunately, this is still a largely manual process where humans must analyze suspicious files or behavior, which simply can't keep pace with the rapid volume and variety of machine-generated attacks. However, we are seeing some new approaches to intent classification automation. Two particularly promising areas include:

  • The use of artificial intelligence (AI) and natural language processing (NLP). When a suspicious file is detected on a host, it can trigger an AI and NLP process to automatically collect and read relevant human threat intelligence information from third-party research centers, blogs, etc., and decipher the potential intent (or multi-intent) of the malware. All of this can be done in case the same or similar type of malware was analyzed somewhere else and is part of public intelligence data. This ability to automatically "operationalize" human-readable threat intelligence makes AI and NLP potent countermeasures to multifunction malware and other advanced attacks.
  • The use of cause-and-effect analytics. A complementary approach to automatically operationalize threat intelligence is to use cause-and-effect analytics to decipher malware intent based on the actions that are detected on the compromised host. This works particularly well because all malware actions are typically followed by a logical "next action." For example, a keylogger infection will typically be followed by suspicious login attempts; or, in the financial industry, memory-scraping malware (harvesting credit card or Social Security numbers) will typically trigger data exfiltration; and, of course, a cryptomining infection will be followed by an increase in the host's CPU utilization.  

These technologies are gaining prominence in the war against malware because of their ability to classify intent orders-of-magnitude faster than is possible with manual processes. In the case of multi-intent malware, they help organizations detect, prioritize, and remediate the malware early in the "diversification process," so they can put it out of business before it has the opportunity to open multiple revenue streams.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Avi Chesla is a recognized leader in the Internet security arena internationally, with expertise in product strategy, cybersecurity, network behavioral analysis, expert systems, and software-defined networking. Prior to empow, Avi was CTO and VP of security products at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
arogyalokeshv
50%
50%
arogyalokeshv,
User Rank: Apprentice
11/15/2018 | 11:54:18 PM
Regarding Defense Mechanism
Firstly i want to say congrats on the article. Lot of information was provided in the article the use of artificial intellegience is more now a days & improving more chances for getting hacked. The over all analysis of the business is very important. We even work on the reports that are previously taken for comparision of growth in it. Lastly every business has to have cybersecurity installed & prior steps to be taken for data security.
sharmapriya
50%
50%
sharmapriya,
User Rank: Apprentice
1/18/2019 | 6:04:08 AM
Very Nice
I really like your work...
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.