As strange as it might sound, a single-stage malware attack might be considered almost old-fashioned in the near future. An organization or user can be attacked with relatively straightforward ransomware that immediately threatens a cryptolock on data if payment is not forthcoming. Nowadays, these single-stage malware attacks have been supplemented and sometimes replaced with far more sophisticated multistage attacks that include an initial downloader, the main component of the malware, and additional modules delivered over a period of days, weeks, or more.
However, what used to be advanced has now been commoditized. Multistage attack kits and associated malware is now available either at open source code communities or at malware-as-a-service sites that provide downloads to criminals, rogue nations, and other bad actors.
Trickbot and Emotet
Recent examples of commodity multistage malware include Trickbot and Emotet. Trickbot is a banking Trojan that targets users' financial information and can act as a dropper for other malware. An attacker can leverage TrickBot's modules to steal banking information such as passwords and credit card numbers, conduct system and network reconnaissance, and propagate additional malware across networks or other areas.
Emotet, another banking Trojan, is often used in untargeted "watering hole" attacks ─ everyone who goes to the well gets infected. After systems are compromised, attackers will survey the infected system or network to determine what value the target has. The program can then be used to inject code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be monitored, corrupted via ransomware, or the access can be sold to a third party depending on the motivations of the attacker and the value of the compromised asset.
Increased Dwell Time
One of the reasons that multistage malware poses such a risk to targets is the extended dwell time between when a hack occurs and when it's detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.
Although dwell time is a common topic in malware discussions, we believe that current estimates of dwell time need to be revised upward. According to a report by the Ponemon Institute, US companies took an average of 206 days to detect a data breach. However, Infocyte recently conducted a deep analysis of 5 million system scans using our technology and found an average dwell time of 798 days. You read that right. Dwell time of over two years, with some hacks going back to 2011.
Aside from the fact that multistage attacks are orchestrated over a period of time, dwell time with multistage malware is driven by a number of other factors. In some cases, the criminals who originally planted the malware and were waiting to deploy them have been intercepted by law enforcement agencies, so the malware is never activated; no one is left to pull the trigger. In other cases, the malware was never intended to affect the first target organization but to leverage its networks to attack other organizations that contain more valuable assets. In every case, the longer the dwell time, the greater the cost of identifying the breach and addressing the consequences of the attack.
Three Recommended Actions
How should you respond to the growing proliferation of multistage malware that can be readily acquired and easily customized to target organizations like yours?
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.