Threat actors are getting more sophisticated, making it difficult for businesses to defend themselves or for customers to spot the visual indicators of compromise that could help prevent the next cyber attack. Although malware and its families are nothing new, there is no shortage of new payloads and exploit techniques.
On the dark web, there are countless commercial malware providers that offer a variety of malware services, such as the following:
Ransomware: The average cost ranges between $250-300.
Spyware: A simple data stealer costs approximately $10.
Remote Access Trojans: These range between $500-1,000.
ATM malware: Because a single ATM could store approximately $150,000, ATM malware remains at a high price range: $1,500-3,000.
ATM malware is the most expensive malware on the dark web, second only to custom-made malware. Although global malware outbreaks like NotPetya or WannaCry can have a significant impact on the global economy, they are still a small percentage of the malicious code that targets unpatched computers. Modern malware is a serious threat, and traditional security solutions that rely on signatures cannot respond to it and have become obsolete.
Modern malware is not only capable of exploiting zero-day vulnerabilities but also has polymorphic capabilities. Polymorphic malware can alter its own characteristics, making it difficult to detect with antivirus solutions that rely solely on signatures. This is how threat actors can bypass signature-based detection. Microsoft estimates that 96% of malware today runs only once and never runs again.
There is an increase in crypto-mining malware as well as polymorphic malware. Despite cryptocurrency’s declining market cap, this is still a significant increase in crypto-mining malware. This is due to the fact that cryptocurrency allows threat actors to hide while they receive ransom from their targets.
Malware infection vectors
Verizon shared interesting information in its data breach report about the malware infection vectors used to spread the threat. This revealed that 81% of all malware infection cases were caused by cyber attacks where malware was remotely installed or injected. The Verizon study is illustrated in the following diagram:
Figure: Malware trends
Remote attackers injected
Threat actors exploit software vulnerabilities to execute remote commands through the vulnerable software.
Phishing and spear-phishing are both old forms of computer-based social engineering. The threat actor simply needs to prepare a convincing email with a call to action that the target will respond to, such as opening a malicious attachment or clicking a hyperlink that redirects them to a malicious website.
Web infection that is auto-executed
The threat actor exploits vulnerabilities on websites to install their malicious payload. The victim doesn’t know this and simply browses a site that appears legitimate.
Web infection by user
A user-executed website infection is different from an auto-executed one. Here, the threat actor hides the malware and tries to trick the victim into performing an action on the site, such as downloading a file.
Installed by another malware
The C2C (command-and-control) phase is part of the attack kill chain. This is when the threat actor can communicate directly with the compromised computer. C2C communication allows the threat actor to install additional malware on the compromised system.
To identify computers that can be reached, threat actors regularly scan the internet-facing IP ranges of enterprises. Once a reachable host is identified, the threat actor can then use different techniques, such as brute-force attacks.