Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/15/2018
02:30 PM
Avi Chesla
Avi Chesla
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cyber Crooks Diversify Business with Multi-Intent Malware

The makers of malware have realized that if they're going to invest time and money in compromising cyber defenses, they should do everything they can to monetize their achievement.

Diversification is a well-understood business principle. Nordstrom, for example, started as a shoe store — but then its founders figured out they could generate more revenue by also offering clothing. Following that came jewelry, handbags, accessories, and in-store restaurants, and the rest is history. This same evolution has occurred across countless companies and industries, from Amazon.com (started with books) to General Foods (corn flakes).

And now, we're seeing the same dynamic with cybercrime. Malware engineers have figured out that if they're going to invest time and money in compromising cyber defenses, they ought to do everything they can to monetize their achievement to the max. This has given rise to the growing presence of multi-intent malware.

Multi-Intent, Multibusiness
It's no secret that malware today is mostly machine-driven, requiring minimal human touch. Creating malware in modern times requires little more than simply expressing your malicious intent (say, cryptomining), and the machine does the rest. What is relatively new, however, is that malware makers are now expressing multiple intents, which has led to the emergence of multi-intent malware. Just like Nordstrom increased the return on investment in each store by offering diverse merchandise instead of just shoes, malware creators are diversifying their businesses with multi-intent malware, where a single successful compromise can open up multiple streams of revenue.

Typically, this class of malware will begin by executing one malicious intent (e.g., cryptomining), and once it has maximized the revenue from that channel, it moves onto others (say, ransomware). It does this until it has exhausted all of the malicious intents it was designed to execute on a network or host.

Another particularly insidious feature of multi-intent malware is the ability to evaluate "business opportunities" and react accordingly. For example, if it identifies sensitive information, it can make decisions on whether to encrypt the data for a ransomware attack or exfiltrate it as a data breach. If the data does not seem particularly interesting, the malware can also choose to enslave the host as a bot, or identify if it has enough computing power for cryptomining, etc.

This class of malware effectively conducts "business research" to understand the greatest revenue potential for each compromised asset, and then acts accordingly. The malware owners may even decide there is more money to be made by reselling (or renting) the malware with the compromised hosts, based on cybercriminals' needs. For example, they may offer cryptomining as a one-month "rental," and then rent the malware to another buyer in need of ransomware. For maximum ROI and efficiency, they may even sell or rent the malware to multiple cybercriminals simultaneously.

One recent high-profile example of multi-intent malware was Xbash, which not only included ransomware, cryptominers, botnets, and worms but also conducted reconnaissance through port scanning to identify easily compromised assets within the host organization. To evade detection, this class of malware typically starts by executing the malicious intents that are more difficult to detect (e.g., cryptominers), and then moves into the ones where the malware must expose itself (e.g., ransomware activation).

Defense Strategy
The key to detecting multi-intent malware is to understand what it's trying to achieve. This is done through intent classification. Unfortunately, this is still a largely manual process where humans must analyze suspicious files or behavior, which simply can't keep pace with the rapid volume and variety of machine-generated attacks. However, we are seeing some new approaches to intent classification automation. Two particularly promising areas include:

  • The use of artificial intelligence (AI) and natural language processing (NLP). When a suspicious file is detected on a host, it can trigger an AI and NLP process to automatically collect and read relevant human threat intelligence information from third-party research centers, blogs, etc., and decipher the potential intent (or multi-intent) of the malware. All of this can be done in case the same or similar type of malware was analyzed somewhere else and is part of public intelligence data. This ability to automatically "operationalize" human-readable threat intelligence makes AI and NLP potent countermeasures to multifunction malware and other advanced attacks.
  • The use of cause-and-effect analytics. A complementary approach to automatically operationalize threat intelligence is to use cause-and-effect analytics to decipher malware intent based on the actions that are detected on the compromised host. This works particularly well because all malware actions are typically followed by a logical "next action." For example, a keylogger infection will typically be followed by suspicious login attempts; or, in the financial industry, memory-scraping malware (harvesting credit card or Social Security numbers) will typically trigger data exfiltration; and, of course, a cryptomining infection will be followed by an increase in the host's CPU utilization.  

These technologies are gaining prominence in the war against malware because of their ability to classify intent orders-of-magnitude faster than is possible with manual processes. In the case of multi-intent malware, they help organizations detect, prioritize, and remediate the malware early in the "diversification process," so they can put it out of business before it has the opportunity to open multiple revenue streams.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Avi Chesla is a recognized leader in the Internet security arena internationally, with expertise in product strategy, cybersecurity, network behavioral analysis, expert systems, and software-defined networking. Prior to empow, Avi was CTO and VP of security products at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sharmapriya
50%
50%
sharmapriya,
User Rank: Apprentice
1/18/2019 | 6:04:08 AM
Very Nice
I really like your work...
arogyalokeshv
50%
50%
arogyalokeshv,
User Rank: Apprentice
11/15/2018 | 11:54:18 PM
Regarding Defense Mechanism
Firstly i want to say congrats on the article. Lot of information was provided in the article the use of artificial intellegience is more now a days & improving more chances for getting hacked. The over all analysis of the business is very important. We even work on the reports that are previously taken for comparision of growth in it. Lastly every business has to have cybersecurity installed & prior steps to be taken for data security.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...