New Picus Red Report warns of “Swiss Army knife” malware
February 2023 by Picus Security
Picus Security has released The Red Report 2023, an in-depth analysis of over 550,000 real-world malware samples – its biggest study to date. By observing the malware’s behavior, the company’s researchers extracted over 5 million malicious actions and used this data to identify the ten most common techniques leveraged by cybercriminals in 2022. Based upon the findings of its report, the company is warning of the rise of “Swiss Army knife malware” – multi-purpose malware that can perform malicious actions across the cyber-kill chain and evade detection by security controls.
The versatility of the latest malware is demonstrated by the fact that a third of the total sample analyzed by Picus Labs is capable of exhibiting more than 20 individual Tactics, Techniques, and Procedures (TTPs). Increasingly, malware can abuse legitimate software, perform lateral movement, and encrypt files. Its rising sophistication is likely driven by the extensive resources of well-funded ransomware syndicates and by advancements in behavior-based detection methods used by defenders.
“Modern malware takes many forms,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. “Some rudimentary types of malware are designed to perform basic functions. Others, like a surgeon’s scalpel, are engineered to conduct single tasks with great precision. Now we are seeing more malware that can do anything and everything. This ‘Swiss Army knife’ malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data.”
The Red Report 2023, the latest iteration of Picus’ annual report, helps track the evolution of malware over time. The insights it provides help security teams prioritize the mitigation of the most prevalent attack techniques aligned to the MITRE ATT&CK adversary behavior framework.
Key findings include:
• The average malware leverages 11 TTPs. One-third of malware (32%) leverages more than 20 TTPs, and one-tenth leverages more than 30 TTPs.
• Command and Scripting Interpreter is the most prevalent ATT&CK technique, exhibited by nearly a third of malware samples. The appearance of Remote System Discovery and Remote Services in The Red Report Top Ten for the first time is further evidence of the extent to which malware can now abuse built-in tools and protocols in operating systems to evade detection.
• Four out of 10 of the most prevalent ATT&CK techniques identified are used to aid lateral movement inside corporate networks.
• A quarter of all malware is capable of encrypting data, highlighting the continued threat of ransomware.
“The goal of ransomware operators and nation-state actors alike is to achieve an objective as quickly and efficiently as possible,” continued Dr. Ozarslan. “The fact that more malware can conduct lateral movement is a sign that adversaries of all types are being forced to adapt to differences in IT environments and work harder to get their payday.”
“Faced with defending against increasingly sophisticated malware, security teams must also continue to evolve their approaches. By prioritizing commonly used attack techniques, and by continuously validating the effectiveness of security controls, organizations will be much better prepared to defend critical assets. They will also be able to ensure that their attention and resources are focused in areas that will have the greatest impact.”
Between January 2022 and December 2022, Picus Labs analyzed 556,107 unique files, with 507,912 (91%) categorized as malicious.
Sources of these files include but are not limited to:
• commercial and open-source threat intelligence services
• security vendors and researchers
• malware sandboxes
• malware databases
From these files, a total of 5,388,946 actions were extracted, an average of 11 malicious actions per malware. These actions were then mapped to MITRE ATT&CK techniques, revealing an average of 9 techniques per malware.
To compile the Red Report 2023 Top Ten, Picus Labs researchers determined the number of malicious files that used each technique. They then calculated the percentage of malware in the dataset that utilized that technique. For example, the T1059 Command and Scripting Interpreter technique was exhibited by 159,196 (31%) of the 507,912 malicious files analyzed.