Your security defences will dive, dive, dive unless you sink hunter-killer malware

New research finds that malware targeting and taking down security controls has risen by more than 300% in the last year. Dubbed ‘hunter-killer’ malware by researchers at Picus Security, it represents a far-reaching change in how threat actors are able to both identify and counteract advanced enterprise defences.

The newly published Picus Red Report analysed 600,000 malware samples to identify the tactics and techniques most often used by threat actors, from ransomware gangs to nation-state adversaries.

The massive upswing in the use of hunter-killer tools, an increase of 333% over the previous year, reveals how malware is evolving and attackers are embracing this defence-neutralising playbook.

Whereas just 12 months ago it was rare for attackers to successfully disable security controls, researchers found that such behaviour is now employed by just about every ransomware group.

Stealth attacks

The researchers also found that attackers are, unsurprisingly, obsessed with remaining stealthy. 70% of analysed samples used some kind of stealth-oriented technique to evade detection by security measures and so ensure the best chance of network persistence.

The notion that persistence is purely the playground of nation-state-sponsored espionage groups should finally be laid to rest. The use of obfuscated files or information increased by 150% over the previous year, and the use of application layer protocols for data exfiltration was up 176%.

But it’s the hunter-killer malware, sharing characteristics with the submarines that carry the same name, that is of most concern for being ultra-evasive and highly aggressive.

“Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defences,” says Dr Suleyman Ozarslan, Picus Security Co-Founder, “new malware is designed to not only evade security tools but actively bring them down.”

Ozarslan says the shift to this tactic has likely been driven by more organisations now being better defended by threat detection systems and services.

Detecting hunter-killer malware

“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected,” says Huseyin Can Yuceel, Security Research Lead at Picus Security.

“Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defence-in-depth approach.”

Dr Ozarslan told TechFinitive that organisations should consider employing behavioural analysis and machine learning for threat detection. Regular audits, including updating your whitelisting policies, should also enhance your defences.

Other ways to stay ahead of hunter-killer malware? Prioritise credential protection and lateral movement mitigation using multi-factor authentication – and implement least-privileged access principles.
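The audit advice above rests on one observation from the researchers: a disabled or reconfigured control may still report that it is running. The following is an added illustration, not Picus code or a tool named on the page, of how such a health audit can cross-check a control's self-reported status against independent evidence (its own heartbeat telemetry) and against a configuration baseline; the log format, control names and thresholds are constructed for the example.

```python
"""Flag security controls that say 'running' but look disabled or reconfigured.
All telemetry below is constructed sample data for illustration."""
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line: timestamp|control|event|detail
SAMPLE_EVENTS = """\
2024-02-01T09:00:00|edr|heartbeat|ok
2024-02-01T09:05:00|edr|heartbeat|ok
2024-02-01T09:06:30|edr|config_change|realtime_protection=0
2024-02-01T09:10:00|edr|status|running
2024-02-01T09:40:00|edr|status|running
2024-02-01T09:00:00|fw|heartbeat|ok
2024-02-01T09:30:00|fw|heartbeat|ok
2024-02-01T09:40:00|fw|status|running
"""

# Assumed approved configuration per control (the 'whitelisting' baseline to audit against).
BASELINE = {"edr": {"realtime_protection": "1"}, "fw": {}}
MAX_SILENCE = timedelta(minutes=15)  # heartbeat gap that should not occur while 'running'

def parse(text):
    """Turn the pipe-delimited log text into (timestamp, control, event, detail) tuples."""
    rows = []
    for line in text.splitlines():
        ts, control, event, detail = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), control, event, detail))
    return rows

def audit(events, baseline, max_silence):
    """Return {control: [findings]}. A control is suspect when its latest status
    says 'running' but heartbeats stopped earlier than max_silence allows, or when
    a config_change moved a baselined setting away from its approved value."""
    by_ctrl = {}
    for ts, ctrl, ev, detail in events:
        by_ctrl.setdefault(ctrl, []).append((ts, ev, detail))
    findings = {}
    for ctrl, rows in by_ctrl.items():
        rows.sort()
        last_hb = max((ts for ts, ev, _ in rows if ev == "heartbeat"), default=None)
        last_status = max((ts for ts, ev, d in rows if ev == "status" and d == "running"), default=None)
        out = []
        if last_hb and last_status and last_status - last_hb > max_silence:
            out.append(f"reports running but no heartbeat for {last_status - last_hb}")
        for ts, ev, detail in rows:
            if ev == "config_change":
                key, _, val = detail.partition("=")
                approved = baseline.get(ctrl, {}).get(key)
                if approved is not None and approved != val:
                    out.append(f"{key} changed from {approved} to {val} at {ts:%H:%M}")
        if out:
            findings[ctrl] = out
    return findings

if __name__ == "__main__":
    for ctrl, notes in audit(parse(SAMPLE_EVENTS), BASELINE, MAX_SILENCE).items():
        print(ctrl, "->", "; ".join(notes))
```

On the sample data the EDR is flagged twice (silent heartbeat while still reporting running, and real-time protection turned off against baseline) while the firewall, whose heartbeat is recent, is not.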

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
