IT Solutions Blog | Technologent

Bespoke Malware and Ephemeral Infections: New Threats on the Horizon

Written by Technologent | January 30, 2017

Customized gifts, experiences and content are designed to make us feel unique or special, and that’s usually a good thing. However, a new type of personalized malware will not give you the warm fuzzies.

Security experts are reporting a rise in highly targeted attacks built on what they call “bespoke malware.” Unlike commodity malware, which is written once and distributed as widely as possible, a bespoke implant is built, or at least re-tooled, for a single target: its file names, hashes, persistence mechanism and command-and-control details can all be unique to that one victim.

What makes these attacks particularly dangerous is that they carry few of the generic clues that normally reveal an intrusion. That will make them a tricky problem for IT security in the coming months, according to experts with Kaspersky Lab.

A notable example of bespoke malware is the ProjectSauron platform, a.k.a. Strider, which was first detected in 2015 after spying on government and corporate computers for at least five years. It was designed to capture encryption keys, configuration files and the IP addresses of servers belonging to software used to encrypt sensitive communications. Its core module was registered as a Windows LSA password filter: a DLL that LSASS loads into memory at start-up and notifies, in cleartext, of every password change on the machine. Unlike typical malware, the implant's file names, sizes and other artifacts differed on every network it was found on, so an indicator extracted from one victim was of little use in finding the next.
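The persistence trick described above is easy to audit. The script below is an added example, not code from this post or from Kaspersky's ProjectSauron analysis: it lists every DLL registered with LSA as a password filter on the local host, checks that each one resolves to a validly signed file in System32, and records a SHA-256 hash for follow-up. The registry location and value name are the documented Windows ones; the "Microsoft" signer check and the default package names are assumptions about a stock Windows install.

```powershell
# Added example (not from the Technologent post or from Kaspersky's ProjectSauron write-up):
# audit the password filters registered with LSA on this host. LSASS loads every DLL named
# in 'Notification Packages' at boot and hands each one every password change in cleartext,
# which is why the ProjectSauron module registered itself there. Run in an elevated session.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'

# REG_MULTI_SZ of DLL base names without the .dll extension. 'scecli' is the Windows
# default; domain controllers and some builds also list 'rassfm' (assumed baseline).
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

function Get-PasswordFilterReport {
    param([string[]]$Names, [string]$SearchDir)
    foreach ($name in $Names) {
        # LSA resolves the bare name like any DLL load, so System32 is the expected location.
        $dll = Join-Path $SearchDir ("{0}.dll" -f $name)
        if (-not (Test-Path -LiteralPath $dll)) {
            # Missing from System32 is itself a finding: the name is resolved along the normal
            # DLL search order, so the module may be loading from somewhere unexpected.
            [pscustomobject]@{ Name = $name; Path = $dll; Exists = $false; Signature = 'n/a'
                               Signer = $null; SHA256 = $null; Suspect = $true }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        [pscustomobject]@{
            Name      = $name
            Path      = $dll
            Exists    = $true
            Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            # Anything not validly signed by Microsoft deserves a manual look.
            Suspect   = ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft')
        }
    }
}

$report = Get-PasswordFilterReport -Names $packages -SearchDir $system32
$report | Format-Table Name, Exists, Signature, Suspect, Path -AutoSize

foreach ($r in ($report | Where-Object Suspect)) {
    Write-Warning ("Unexpected password filter '{0}' -> {1} (signature: {2})" -f $r.Name, $r.Path, $r.Signature)
}
```

Two caveats when reading the output. Legitimate third-party password-policy products also register filters, so a "Suspect" row means "inspect", not "infected". And on older hosts `Get-AuthenticodeSignature` may report Microsoft's catalog-signed DLLs as NotSigned; in that case compare the SHA-256 against the same file on a known-good machine rather than trusting the signature status alone. Because a bespoke implant's hash is unique per victim, the hash you collect here is useful for scoping your own environment, not for matching against a public blocklist.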

Because of this customization, the telltale artifacts that defenders share as Indicators of Compromise (IOCs), such as file hashes, file names, registry keys and command-and-control addresses, differ from one victim to the next. An IOC harvested from one intrusion will not match the next, and a careful operator also avoids the noisier signs, such as network traffic spikes or unusual account activity, that behavioural monitoring would catch. That makes these threats nearly impossible to discover by matching against known-bad indicators alone.

Kaspersky Lab also notes a rise in so-called “ephemeral infections,” designed for highly sensitive environments where the attacker is keen to avoid arousing suspicion or discovery. The firm says these infections never land on disk as a script file: a tiny PowerShell payload lives in memory or in a registry value and is launched by a short, often encoded, command line. It performs reconnaissance, collects sensitive information and then disappears: a memory-resident payload is gone as soon as the infected computer is rebooted, and a registry-resident one leaves only a small value behind rather than a file that antivirus would scan.
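Because such a payload has no file to hash, the practical hunt is for the launcher traits it cannot avoid. The script below is an added example, not part of the post or of Kaspersky's research: it walks the Run/RunOnce keys and the WMI permanent event subscriptions on the local host, flags command lines that combine PowerShell with traits typical of in-memory loaders (encoded commands, hidden windows, `IEX`, Base64 decoding, reading a payload back out of the registry) and decodes any `-EncodedCommand` argument for inspection without running it. The heuristic list and the demonstration value at the end are constructed for this example.

```powershell
# Added example, not part of the original post or of Kaspersky's research: hunt a Windows
# host for PowerShell payloads that persist only as registry values or WMI subscriptions,
# the "ephemeral infection" pattern described above. Nothing found is executed; encoded
# commands are only decoded for inspection. Run from an elevated PowerShell 5.1 session.

function Get-DecodedPowerShellPayload {
    param([string]$CommandLine)
    # -EncodedCommand (and the short forms -e, -ec, -enc) takes Base64 of UTF-16LE text.
    if ($CommandLine -match '(?i)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<base64 decode failed>' }
    }
    return $null
}

function Test-SuspiciousPowerShellCommand {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -notmatch '(?i)\b(powershell|pwsh)(\.exe)?\b') { return $null }
    # Heuristics, not signatures: a bespoke script has no known hash, so look for the
    # launcher traits that in-memory and registry-resident payloads tend to share.
    $traits = [ordered]@{
        EncodedCommand = '(?i)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
        HiddenWindow   = '(?i)-w(?:indowstyle)?\s+hidden'
        NoProfile      = '(?i)-nop(?:rofile)?\b'
        BypassPolicy   = '(?i)-e(?:p|xecutionpolicy)\s+bypass'
        InvokeExpr     = '(?i)\b(iex|invoke-expression)\b'
        Base64Decode   = '(?i)frombase64string'
        Downloader     = '(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient'
        RegistryRead   = '(?i)(get-itemproperty|gp)\s+.*hk(?:lm|cu):'   # loader pulls its body from another value
    }
    $decoded = Get-DecodedPowerShellPayload $CommandLine
    $text    = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $hits    = @($traits.Keys | Where-Object { $text -match $traits[$_] })
    if ($hits.Count -eq 0) { return $null }
    [pscustomobject]@{ Traits = $hits; Decoded = $decoded; CommandLine = $CommandLine }
}

function Find-RegistryResidentPowerShell {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not registry values
            $r = Test-SuspiciousPowerShellCommand ([string]$p.Value)
            if ($r) { $r | Add-Member -NotePropertyName Source -NotePropertyValue "$key\$($p.Name)" -PassThru }
        }
    }
    # WMI permanent event subscriptions survive reboots with no file on disk: a
    # CommandLineEventConsumer fires a command line on a timer or system event, and an
    # ActiveScriptEventConsumer stores the script body itself in the WMI repository.
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-SuspiciousPowerShellCommand ([string]$_.CommandLineTemplate)
            if ($r) { $r | Add-Member -NotePropertyName Source -NotePropertyValue "WMI:CommandLineEventConsumer/$($_.Name)" -PassThru }
        }
    Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-SuspiciousPowerShellCommand ([string]$_.ScriptText)
            if ($r) { $r | Add-Member -NotePropertyName Source -NotePropertyValue "WMI:ActiveScriptEventConsumer/$($_.Name)" -PassThru }
        }
}

# Constructed demonstration value (not a real sample): the shape of a registry-resident
# loader as a Run-key entry. The real body sits in another value and is pulled in with
# Get-ItemProperty, so no script file ever touches disk.
$body = 'IEX (Get-ItemProperty -Path HKCU:\Software\Demo).Payload'
$demo = 'powershell.exe -nop -w hidden -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($body))
Test-SuspiciousPowerShellCommand $demo | Format-List

# Now the live host.
Find-RegistryResidentPowerShell | Format-List Source, Traits, Decoded
```

The registry value is the one artifact a registry-resident variant must leave; for the memory-only variant there is nothing to find after a reboot, so the complementary control is to record the script at execution time: enable PowerShell Script Block Logging (the `EnableScriptBlockLogging` policy), which writes the decoded script text to the `Microsoft-Windows-PowerShell/Operational` log as event ID 4104 regardless of how it was launched.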

Kaspersky Lab says ephemeral infections and bespoke malware highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions. The firm also advocates wider use of the open-source YARA tool. YARA is a pattern-matching engine: a rule names a set of strings, byte sequences (with wildcards) or regular expressions and a boolean condition over them, and the scanner reports which files, or which regions of process memory, satisfy the condition. That makes it a practical way to identify and classify malware samples by the traits they share, even when no two samples have the same hash.

Such rules let analysts sweep enterprise file systems and process memory for fragments of known attacks and for newly identified malware traits. The findings feed threat intelligence platforms that offer insight into emerging threats, so that organizations can detect and respond to attacks more quickly.
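What "scanning far and wide" with YARA looks like on a Windows host, as an added example that is not code from the post and not a Kaspersky or vendor rule: the rule hunts for the encoded-PowerShell loader traits discussed in the two preceding sections rather than for a hash, and the script runs it over files at rest and then over the memory of every running process. The install path of the YARA command-line scanner (`$yara`), the rule itself and the sample file written to prove it fires are all assumptions made for this example; YARA is not shipped with Windows.

```powershell
# Added example (not from the original post; the rule is illustrative, not a vendor rule):
# sweep files at rest and live process memory with one YARA rule. Assumes the YARA CLI
# has been installed at $yara; adjust the path. Run from an elevated session.

$yara = 'C:\Tools\yara64.exe'       # assumed location, YARA is not part of Windows

# A YARA rule is metadata, named strings (plain, hex with wildcards, or regex) and a
# boolean condition over them. This one hunts the launcher traits of an in-memory
# PowerShell payload, since a bespoke implant's hash is unique per victim.
# Single-quoted here-string: PowerShell does not expand the YARA $identifiers.
$rule = @'
rule Hunt_EncodedPowerShell_Loader
{
    meta:
        description = "PowerShell launcher with an encoded command plus in-memory loader traits"
        author      = "illustrative rule added to this post"
    strings:
        $ps     = "powershell" ascii wide nocase
        $enc1   = "-encodedcommand" ascii wide nocase
        $enc2   = "-enc " ascii wide nocase
        $b64    = "FromBase64String" ascii wide nocase
        $iex1   = "Invoke-Expression" ascii wide nocase
        $iex2   = "IEX(" ascii wide nocase
        $hidden = "-w hidden" ascii wide nocase
        $reg    = /HK(LM|CU):\\[^\s"']{4,}/ ascii wide nocase
    condition:
        $ps and 1 of ($enc*) and 1 of ($b64, $iex*, $hidden, $reg)
}
'@
$rulePath = Join-Path $env:TEMP 'hunt.yar'
Set-Content -Path $rulePath -Value $rule -Encoding ASCII

# Constructed sample so the rule can be seen to fire (same loader shape as the
# ephemeral-infection example above; this is text, not malware).
$samplePath = Join-Path $env:TEMP 'sample_loader.txt'
Set-Content -Path $samplePath -Value 'powershell.exe -nop -w hidden -enc QQBBAEEAQQA= ; IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($x)))'
& $yara -s $rulePath $samplePath      # -s prints each matched string with its offset

# 1. Files at rest: -r recurses, -p sets the number of scanning threads.
foreach ($root in 'C:\Users', 'C:\ProgramData') {
    & $yara -r -s -p 4 $rulePath $root 2>$null
}

# 2. Live memory: given a PID instead of a path, yara scans that process's address space,
#    which is where a never-written-to-disk payload actually is. Protected processes
#    (System, a PPL-protected LSASS, AV engines) refuse access; that is expected.
Get-Process | Where-Object { $_.Id -gt 4 } | ForEach-Object {
    $out = & $yara -s $rulePath $_.Id 2>$null
    if ($out) { "[PID $($_.Id) $($_.ProcessName)]"; $out }
}
```

Treat a rule like this as a hunting rule, not a blocking one: administrators' own scripts will trip it, so the matched strings that `-s` prints are there to let an analyst triage quickly. Once a hit is confirmed, the unique strings or byte sequences from that sample become the next rule, which is the loop the text describes: harvest a fragment from one intrusion, sweep the estate for it, and feed what you learn back into threat intelligence.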

Even with more run-of-the-mill threats, it takes most organizations days or even weeks to determine that a security breach has occurred. With the expected increase in more insidious types of malware, organizations will need new tools and techniques to protect their systems and networks from attack.