How Malware Works – Malicious Strategies and Tactics
Understanding how malware works, and in particular, the strategies and tactics most often used by malware authors is vitally important for cybersecurity professionals. In other blog posts, Lastline provides a brief history of malware and basic malware types. In this post, we’ll look at some of the common methods that malware authors use to distribute, control, and hide malicious code.
How Malware is Distributed
AV-Test, one of the most renowned institutions for testing Anti-Malware products, reports that cybercriminals push 250,000 new malicious programs into the wild every day. So, what tactics do cybercriminals use to distribute this massive amount of malware? Although new methods are constantly emerging, most malware is delivered in the following ways.
- Malicious Email Attachments: Emails often include attachments that install malware when opened by the victim. According to Verizon’s 2017 Data Breach Investigations Report, in 2016 hackers delivered two-thirds of all successful malware (penetrated the victim’s network) via malicious email attachments.
- Malicious Email Links: Contained in either an attachment or in the body of the email, links to malicious web pages also account for a significant number of data breaches. ZDNet reported that almost a quarter of users will click what turns out to be a malicious link if they believe the email is from a friend. See Protection from Malicious Links to learn more.
- Social Engineering: Cybercriminals use social engineering to build trust before stealing user login credentials or confidential data. In a social engineering attack, a computer criminal poses as a trusted individual (IT support, human resource, outside contractor, etc.) and entices the victim to either verbally divulge their login credentials, or more often, open a malicious attachment or visit a malicious web page that captures their credentials.
- Phishing: A specific form of social engineering, phishing uses psychological manipulation to bait victims into divulging login data or other sensitive information that criminals sell or use for malicious purposes. A phishing attack usually consists of an authentic-looking sender and a socially engineered message. Many email recipients believe the message is from a trusted individual or organization and will open infected attachments or click on malicious links. To learn more, see Cybercriminals, A Bad Day of Phishing is Still a Good Day.
- Business Email Compromise (BEC): Another social engineering attack, in which the attacker sends an email to someone in the organization who has the ability to execute a financial transaction. Although sent by the attacker, the email looks like it’s from the CEO, CFO, or another empowered individual. It authorizes and requests an immediate financial transaction such as a vendor payment, direct deposit, or wire transfer. This $5 billion problem is sometimes referred to as “whaling” since it specifically targets or impersonates an organization’s biggest fish. For additional information, see Preventing Business Email Compromise and Don’t be a Whale—How to Detect the Business Email Compromise Scam.
- Drive-by Downloads: Cybercriminals compromise a website, often a legitimate one, by embedding or injecting malicious objects within the site’s web pages. When a user visits an infected page, the user’s browser automatically loads the malicious code. See Drive-By Downloads and How to Prevent Them for more information.
- Watering Hole Attacks: The phrase watering hole attack comes from predators in the natural world who lurk near watering holes, waiting for their desired prey to come have a drink. In a network watering hole attack, cybercriminals set traps in websites that their target victims are known to frequent. Often the booby-trapped websites are smaller, niche sites that tend to have limited security.
- Malvertising: Cybercriminals purchase advertising space on legitimate websites and insert malicious code into the ad. Simply viewing the ad injects malicious code into an unprotected device. Malvertising is similar to a drive-by download, but no interaction is needed on the user’s part to download the malware. For more information about malvertising, see The Malicious 1% of Ads Served.
- Scamware: Malicious programs disguised as malware protection or other legitimate products. This delivery technique is not new, but cybercriminals keep adding new and more sophisticated twists to this old scam.
- Mouse Hovering: A fairly new technique, mouse hovering takes advantage of vulnerabilities in PowerPoint and other document readers. When a user hovers over a link, the reader executes a malicious shell script. See Malware Analysis—Mouse Hovering Can Cause Infection to learn more.
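Because malicious email attachments account for the largest share of the deliveries listed above, a mail gateway or triage script that flags risky attachment names is a useful first filter. The following is an added example, not Lastline’s code: it classifies attachment filenames by executable or macro-capable type, by a harmless-looking extension placed in front of an executable one, and by Unicode bidirectional control characters that change how a name is displayed. The extension sets and the sample filenames are constructed for the example; a real gateway would also inspect the attachment content, not just its name.

```python
# Added example (not Lastline's code): triage attachment names the way a mail
# gateway might, returning the reasons a name looks risky. Sets and sample
# names below are constructed for this example.
import re

# Extensions that run code directly when opened on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "msi", "lnk", "jar"}
# Macro-capable Office formats: not executable by themselves, but worth a flag.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Extensions a user would trust to be a document or picture.
BENIGN_LOOKING_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                       "jpg", "jpeg", "png", "gif", "txt"}
# Unicode bidirectional controls that can reorder how a filename is rendered.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def attachment_findings(filename):
    """Return a list of reasons the attachment name looks risky (empty = none)."""
    reasons = []
    name = filename.strip()

    # Control characters never belong in a legitimate attachment name.
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidirectional control character in name")
        # Strip them so the *real* extension is what gets classified below.
        name = "".join(ch for ch in name if ch not in BIDI_CONTROLS)

    parts = name.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    if not exts:
        return reasons
    last = exts[-1]

    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{last}")
    elif last in MACRO_EXTS:
        reasons.append(f"macro-capable document .{last}")

    # "invoice.pdf.exe": a trusted-looking extension hides the executable one
    # when the desktop is configured to hide known file extensions.
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in BENIGN_LOOKING_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last}")

    return reasons


def triage(filenames):
    """Map each flagged filename to its findings; clean names are omitted."""
    results = {}
    for f in filenames:
        findings = attachment_findings(f)
        if findings:
            results[f] = findings
    return results


# Constructed sample attachment names for a quick run.
SAMPLE_NAMES = ["invoice.pdf.exe", "Q3-report.docx", "budget.xlsm",
                "photo\u202egnp.scr", "notes.txt"]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(findings))
```

Run as a script, the sample set produces findings for three of the five names and stays silent for the plain .docx and .txt attachments. The double-extension rule deliberately fires only when the final extension is executable; a name like `archive.tar.gz` is not flagged.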
Command and Control – How Cybercriminals Manage Malware
To be useful, most malware must communicate with the cybercriminals that own and control it. The malware must transmit stolen data. Perpetrators behind the crimes need to coordinate how and when sophisticated attacks are launched, propagated, and in some cases, how the malware terminates and remains undetected.
This necessary communication is generally handled by command-and-control servers established by the cybercriminals. These command-and-control servers, also called C&Cs or C2s, are used by the attackers to communicate with compromised computers, websites, smartphones, routers, IoT devices, and other networking equipment.
Cybercriminals use C&Cs to instruct and manage individual instances of malware or entire botnets of compromised systems. Most malware is designed to respond to specific instructions received from one or more C&C servers. Using the associated C&C server(s), the attackers direct the malware to perform a number of malicious actions, including:
- Upload reports regarding the malware’s status and results of C&C commands
- Install upgrades to the malware or new pieces of malware to expand the attack
- Install keyloggers used to collect sensitive information such as credit card numbers or login credentials
- Transmit Spam or Phishing emails
- Launch coordinated DDoS attacks
- Transmit stolen data back to the criminal, such as login credentials, sensitive user data, payment card numbers, corporate intellectual property or financial data, etc.
Advanced malware detection products monitor network traffic for connections to known C&Cs, and for traffic that contains C&C communications. When these tools discover malicious traffic, administrators can block the connections and, in some cases, identify and remove the responsible malware.
Malware authors use several strategies for hiding their C&C communications from malware detection systems. For example, cybercriminals often use covert channels such as Internet Relay Chat (IRC), peer-to-peer technology (P2P), and social networks like Facebook and Twitter to hide their communications. The most advanced methods have the ability to quickly switch C&C servers to avoid detection. Some C&C servers have a lifespan of just minutes before another server replaces them.
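The two preceding paragraphs describe the two sides of C&C detection: matching connections against known C&C servers, and coping with servers that are swapped out within minutes. The following is an added example, not Lastline’s code, written from the defender’s side. It runs over constructed proxy log lines and does two things: flags connections to a constructed blocklist of C&C hosts, and, independently of any host name, flags flows whose request timing is nearly constant, since a malware instance checking in with its C2 on a fixed schedule leaves that rhythm behind even when the server behind it changes. The log format, host names and thresholds are assumptions for the example.

```python
# Added example (not Lastline's code): flag outbound connections to known C&C
# hosts and detect the regular "beaconing" rhythm of malware checking in with
# its C2, even when the server name changes. Log lines, host names and the
# blocklist are constructed for this example.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed blocklist of known C&C domains (placeholders, not real IoCs).
KNOWN_C2 = {"c2-example.invalid", "update-check.invalid"}

# Constructed proxy log format: "<ISO timestamp> <src ip> <dest host> <bytes>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 c2-example.invalid 412
2024-01-01T10:00:03 10.0.0.5 cdn.example.com 88231
2024-01-01T10:01:00 10.0.0.5 c2-example.invalid 410
2024-01-01T10:02:00 10.0.0.5 c2-example.invalid 415
2024-01-01T10:03:00 10.0.0.5 c2-example.invalid 409
2024-01-01T10:00:07 10.0.0.9 news.example.org 5120
2024-01-01T10:00:17 10.0.0.9 beacon-a.invalid 302
2024-01-01T10:05:17 10.0.0.9 beacon-a.invalid 305
2024-01-01T10:10:17 10.0.0.9 beacon-a.invalid 299
2024-01-01T10:15:17 10.0.0.9 beacon-a.invalid 301
2024-01-01T10:01:30 10.0.0.9 news.example.org 7340
2024-01-01T10:09:12 10.0.0.9 news.example.org 6100
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, host, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, host, nbytes = m.groups()
        yield datetime.fromisoformat(ts), src, host.lower(), int(nbytes)


def blocklist_hits(text, blocklist=KNOWN_C2):
    """Return sorted (src, host) pairs that contacted a known C&C host."""
    hits = {(src, host) for _, src, host, _ in parse_log(text) if host in blocklist}
    return sorted(hits)


def beaconing_hosts(text, min_events=4, max_cv=0.2):
    """Return (src, host, period_seconds) for flows whose inter-request
    intervals are nearly constant: coefficient of variation (std/mean) of the
    gaps at or below `max_cv`, over at least `min_events` requests.
    Human browsing produces irregular gaps; a scheduled check-in does not."""
    by_flow = defaultdict(list)
    for ts, src, host, _ in parse_log(text):
        by_flow[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # burst of identical timestamps, not a schedule
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((src, host, round(mean)))
    return sorted(findings)


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_LOG))
    print("beaconing flows:", beaconing_hosts(SAMPLE_LOG))
```

In the sample, `10.0.0.5` is caught by the blocklist, while `10.0.0.9` talks to a host that is on no list but is still flagged because it is contacted every 300 seconds to the second; the three irregular visits to `news.example.org` are not. In production the thresholds need tuning against software updaters and monitoring agents, which also beacon on a schedule, so the timing signal is best used to prioritize traffic for analysis rather than to block outright.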
How Malware Hides – Evasion Tactics
Malware authors are very creative. They use countless tactics to lessen the likelihood that security tools will detect their malware. Earlier in this post when we discussed malware distribution, we covered how cybercriminals hide malware in websites, attachments, and advertisements during the initial delivery phase of an attack.
When an attempt is made to download a malicious object, either by a user or their browser, sandboxes are often used to test the object for malicious capabilities. To counter this, malware authors deploy numerous tactics to try to hide from sandboxes. If malware does find its way to an endpoint, malware designers use additional strategies to maintain their stealth.
Sandbox Evasion Tactics
- Fragmentation: A technique that splits malware into several components that only execute when the targeted system reassembles the code.
- Time Delays: The malware remains idle for an extended period, avoiding all malicious activity until (the criminal hopes) the file is released to the intended user.
- User Action Delays: Some malware avoids doing anything malicious until a user performs a specific action (e.g. a mouse click, pressing a key, opening or closing a file, exiting the program).
- Return-Oriented Programming (ROP): A technique where malware injects functionality into another process without modifying the code of that process. To accomplish this, malware alters the contents of the stack (the memory region holding the return addresses that tell the processor which segment of code to execute next).
- Rootkits: A Rootkit is an application (or set of applications) that hides malicious code in the lower layers of the operating system.
- Polymorphism: Polymorphic malware is so named because it morphs, or mutates, into many forms, and does so very quickly—constantly creating new variations of itself, which makes it nearly impossible to detect using signature-based malware detection tools.
To learn more about sandbox evasion tactics, see Lastline’s paper An Introduction to Advanced Malware and How it Avoids Detection.
Endpoint Evasion Tactics
In addition to using covert C&C communication channels as discussed earlier, malware authors use a number of tactics to avoid having their malware detected after installation. Here are just a few of those tactics:
- Unique Signatures: Most malware today is one of a kind. To avoid detection by signature-based anti-virus solutions, cybercriminals have developed automated systems that create a unique malicious object for each installation.
- Critical System Files: Malware often masquerades as a legitimate system file. When original system files are replaced with compromised versions of the same, endpoint malware detection systems have difficulty spotting the malicious code.
- Disabling Endpoint Security: Some malware is able to evade certain endpoint antivirus tools by disabling the tool or adding an exception.
- Windows Registry: Hiding malicious code within the Windows registry is a common malware tactic because no additional files are installed.
- Temporary Files, Folders or Directories: Malware scans are often configured to analyze a specific set of files and folders. So, malware authors use or create temporary or uncommon files and folders that aren’t typically scanned in which to hide their code.
- In Shortcuts: Malware writers have for years used Shell Link Binary Files, commonly known as shortcuts, to hide and launch malware. Recently, we’ve seen a resurgence of their usage.
- Within Macros: Inserting malicious macros inside of otherwise legitimate-looking documents like Microsoft Excel files has reemerged as a popular technique to hide malware.
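Macros hidden in legitimate-looking Office documents can be checked for without opening the file in Office, because the modern Office formats are zip containers with a documented layout. The following is an added example, not Lastline’s code: it reports whether an Office Open XML document (.docx/.xlsx/.pptx and their macro-enabled variants) carries a VBA project, using the two standard indicators: a `vbaProject.bin` part inside the container and its `application/vnd.ms-office.vbaProject` declaration in `[Content_Types].xml`. The documents it inspects are built in memory for the example and are not real Office files; the legacy binary formats (.doc, .xls) are OLE compound files and need a different parser.

```python
# Added example (not Lastline's code): detect a VBA macro project inside an
# Office Open XML container without opening it in Office. The documents below
# are constructed in memory for this example; the indicators checked are the
# standard ones (a vbaProject.bin part and its content-type declaration).
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MAIN_DOC_TYPE = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")


def build_sample_docx(with_macro):
    """Construct a minimal OOXML-like zip for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = ['<?xml version="1.0"?><Types>',
                     f'<Override PartName="/word/document.xml" ContentType="{MAIN_DOC_TYPE}"/>']
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Real vbaProject.bin parts are OLE compound files; a placeholder
            # with the OLE magic bytes is enough for this container-level check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        overrides.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(overrides))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data):
    """Return the reasons a document looks macro-bearing (empty list = none found)."""
    reasons = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container (legacy .doc/.xls OLE formats need a different parser)"]
    with z:
        names = z.namelist()
        # Indicator 1: the VBA project part itself, wherever it sits in the tree.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"VBA project part present: {name}")
        # Indicator 2: the content-type manifest declares a VBA project.
        if "[Content_Types].xml" in names:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in manifest:
                reasons.append("vbaProject content type declared in [Content_Types].xml")
    return reasons


def has_macros(data):
    """True if any macro indicator is present."""
    return bool(macro_indicators(data))


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("macro", build_sample_docx(True))):
        print(label, "->", macro_indicators(doc) or "no macro indicators")
```

Checking both indicators matters: a container that declares the content type but lacks the part, or carries the part without declaring it, is malformed in a way worth looking at on its own. To run it over real mail attachments, pass the attachment bytes to `macro_indicators` and route anything with a non-empty result to a sandbox or to manual review.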
To Safeguard Your Company Against a Cyberbreach—Think Like a Cybercriminal
By understanding the strategies and tactics that malware authors use when creating malicious objects, security professionals stand a better chance of establishing effective cybersecurity policies and implementing successful tools to detect and prevent data breaches.
To learn more about how malware works and what organizations can do to safeguard themselves against even the most advanced malware, you might want to read Lastline’s paper An Introduction to Advanced Malware and How to Avoid Detection.