Developers are known for reusing pieces of code over and over again – after all, if it isn't broke, why fix it? In fact, this is what makes open source programs so popular and valuable – as opposed to having to create completely new code, developers can utilize existing open source code, and can leverage it in a way that fits their current needs.
Unfortunately, this approach isn't only used by software developers and other white hats – hackers have also recycled and repacked older exploits that worked well in the past to create a completely new threat. Worse still, many of these reused threats are leveraged in combination with new and sophisticated infection strategies, making them even more difficult to protect against.
Most new malware isn't new
With all the different statistics coming out about new malware, it's easy to assume that the internet and connected systems are flooded with threats. In fact, G Data reported that 22 million new malware samples were identified during Q1 of 2017. To put it another way, this means that a new threat was found almost every 4 seconds.
While it's certainly true that there are a considerable number of malware samples available for hackers to choose from, many of these aren't exactly new.
"22 million new malware samples were identified during Q1 of 2017."
"[M]ost of it is actually a Frankenstein-version that consists of chunks of code that have been pieced together from existing malware or publicly released vulnerabilities and tools," Secplicity pointed out.
In this way, hackers leverage existing code and capabilities, and build upon these with unique functions to establish a new malware sample.
Motivations for reuse
There are several reasons why this reuse and recycling approach is popular among hackers. First and foremost, it saves them time. Instead of having to create new code for a basic function, it's much faster and easier to use a section of code that the hacker knows already works. What's more, as security analyst Marc Laliberte pointed out, saving time in this way enables cybercriminals to direct their attention to more pressing pursuits.
"Why reinvent the wheel when another author already created a working solution?" Laliberte wrote. "By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking."
In addition to reusing code to save time, many cybercriminals will also recycle top threat capabilities simply because they've shown to be successful in the past. This is why there are countless variants of ransomware, spear-phishing campaigns and other tactics.
Making code available: Malware and exploit kits
It's also become incredibly simple for hackers to access and reuse code thanks to available sources like malware and exploit kits. These kits package threats and code into a single package, and are often offered for sale on underground marketplaces or hosted on compromised websites.
For instance, Sensors Tech Forum contributor Milena Dimitrova reported that researchers who examined 66,000 URLs and over 7,800 phishing kits discovered two kits in particular that were in place within more than 30 compromised hosts.
In addition to selling the kits themselves, some hackers also provide back-doored kits, allowing other cybercriminals to access previously compromised hosts.
Examples of reuse
Let's take a look at a few cases wherein hackers borrowed code from another malware author:
- Reaper and Mirai: Laliberte noted that this is one of the best examples of code reuse, where hackers utilized sections of code from the Mirai botnet, a particularly powerful and successful threat. Reaper leveraged basic code from Mirai, but built upon the threat by improving upon Mirai's exploitation and launching tactics.
"Reaper's additions to the Mirari source code include active exploitation of known IoT vulnerabilities and the use of the LUA programming language, allowing more sophisticated attacks than simple DDoS," Laliberte wrote.
- WannaCry and NotPetya: This is an interesting example where hackers capitalized upon the work of hacktivist group the Shadow Brokers. The group released source code that included identification of several zero-day vulnerabilities within Microsoft Windows' file-sharing service. The code, initially stolen by the Shadow Brokers from none other than the NSA, was repurposed by hackers in the damaging WannaCry and NotPetya ransomware campaigns.
- Carbanak and Silence Trojan: It isn't just sections of code that are reused – as discussed previously, hackers also like to repurpose infection techniques and mechanisms that served them well in the past. Dimitrova pointed out that this is just what occurred with the Carbanak and Silence Trojans.
When researchers observed the Silence Trojan – which enabled hackers to access internal banking networks and create video recordings to better understand how legitimate software was being used by employees – they noticed that the attack strategy was familiar. Both the Silence Trojan and the previously discovered Carbanak samples used this approach, leveraging the lessons learned from the video recordings to steal as much money as possible while remaining under the radar of employees and security systems.
Threat reuse on the horizon
According to predictions from Trend Micro's 2018 report, it doesn't appear that this style of threat reuse will stop anytime soon. In fact, experts forecast that familiar infection techniques like those used to spread email and web-based spam will resurface in connection with the fake news triangle.
"From spear-phishing emails sent to foreign ministries to the blatant use of documents to discredit authorities, dubious content can spread freely and spark forceful opinions or even real protests," the 2018 Security Predictions Report stated. "Manipulated political campaigns will continue to mount smear tactics and deliberately shift public perception, as allowed by the tools and services readily available in underground marketplaces. It is likely that the upcoming Swedish general election will not be exempt from attempts to influence the voting outcome through fake news."
This makes hackers' capabilities even more potentially damaging than before. Because threats are now available on underground marketplaces, hackers no longer need specific coding skills – they can simply purchase a pre-built threat and reuse it with minor modifications to reduce the chances of detection.
Protecting against new and old threats
Because new threats will continue to reuse previously established tactics, it's important that organizations take the proper steps to protect their brands, their technological investments and their critical data:
- Use multi-layered security: There should be several protection systems standing in between the company IT assets and a malicious, unauthorized user.
- Limit automatic capabilities: As Dimitrova noted, it can be helpful to limit or even disable certain automatic system capabilities, and instead implement settings wherein these types of services prompt for admin access before carrying out functions. This will enable more visibility over the activity taking place on individual machines and across the network.
- Make sure patches are in place: Older exploits typically succeed because systems aren't patched quickly enough for known vulnerabilities. When an update is released, it's best that the patch is put in place as soon as possible.
- Educate about current threats: It's imperative that users and stakeholders across the company are educated about current top threats. Employees themselves can provide an extra layer of security, helping to prevent tried-and-true tactics like phishing and social engineering from impacting the organization.
To find out more, connect with the experts at Trend Micro today.
