
How Hackers Recycle Top Threats

  • Posted on: February 5, 2018
  • Posted in: Industry News, Security
  • Posted by: Trend Micro
Just like white hat developers, hackers have been known to reuse and recycle code.

Developers are known for reusing pieces of code over and over again – after all, if it isn’t broke, why fix it? In fact, this is what makes open source programs so popular and valuable – rather than writing completely new code, developers can take existing open source code and adapt it to their current needs.

Unfortunately, this approach isn’t only used by software developers and other white hats – hackers have also recycled and repackaged older exploits that worked well in the past to create a completely new threat. Worse still, many of these reused threats are combined with new and sophisticated infection strategies, making them even more difficult to protect against.

Most new malware isn’t new

With all the different statistics coming out about new malware, it’s easy to assume that the internet and connected systems are flooded with threats. In fact, G Data reported that 22 million new malware samples were identified during Q1 of 2017. To put it another way, this means that a new threat was found almost every 4 seconds.

While it’s certainly true that there are a considerable number of malware samples available for hackers to choose from, many of these aren’t exactly new.

“Most of it is actually a Frankenstein-version that consists of chunks of code that have been pieced together from existing malware or publicly released vulnerabilities and tools,” Secplicity pointed out.

In this way, hackers leverage existing code and capabilities, and build upon these with unique functions to establish a new malware sample.
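A defender-side illustration of why this matters for detection, added here and not part of the original post: a file-hash blocklist misses a “Frankenstein” sample the moment one byte changes, whereas fingerprinting content-defined chunks (the idea behind similarity hashes such as ssdeep, reduced here to a crc32 rolling window over constructed byte strings) still scores the variant as mostly old code.

```python
import hashlib
import zlib
from typing import List, Set

WINDOW = 7          # bytes fed to the rolling hash at each position
BOUNDARY_MOD = 32   # cut where crc32(window) % 32 == 0, i.e. roughly every 32 bytes
MIN_FP_CHUNK = 8    # chunks shorter than this are too common to count as reuse evidence

def content_defined_chunks(data: bytes) -> List[bytes]:
    """Split data at positions chosen by the bytes themselves, not by offset,
    so a bolted-on loader or evasion routine only disturbs the chunks it lands
    in; untouched code keeps exactly the same boundaries as in the original.
    (Real chunkers such as ssdeep also bound chunk sizes; omitted here.)"""
    chunks, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        if zlib.crc32(data[i - WINDOW:i]) % BOUNDARY_MOD == 0:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def fingerprint(data: bytes) -> Set[str]:
    """Per-chunk digests, keeping only chunks long enough to be distinctive."""
    return {hashlib.sha256(c).hexdigest()[:16]
            for c in content_defined_chunks(data) if len(c) >= MIN_FP_CHUNK}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the fingerprint sets: 1.0 identical, 0.0 disjoint."""
    fa, fb = fingerprint(a), fingerprint(b)
    return len(fa & fb) / len(fa | fb) if fa | fb else 1.0

def exact_hash_match(a: bytes, b: bytes) -> bool:
    """What a plain file-hash blocklist checks: one changed byte defeats it."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

def _blob(tag: bytes, blocks: int) -> bytes:
    """Deterministic filler standing in for compiled code (constructed data)."""
    return b"".join(hashlib.sha256(tag + bytes([i])).digest() for i in range(blocks))

# Constructed samples: a known family, a Frankenstein variant that keeps that code
# but bolts on a new loader, evasion routine and tail, and an unrelated family.
ORIGINAL = _blob(b"family-A", 64)
VARIANT = (_blob(b"new-loader", 4) + ORIGINAL[:1024] + _blob(b"new-evasion", 8)
           + ORIGINAL[1024:] + _blob(b"new-tail", 4))
UNRELATED = _blob(b"family-B", 64)

if __name__ == "__main__":
    print("exact hash match:", exact_hash_match(ORIGINAL, VARIANT))  # False
    print("chunk similarity to variant:", round(similarity(ORIGINAL, VARIANT), 2))
```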

Motivations for reuse

There are several reasons why this reuse and recycling approach is popular among hackers. First and foremost, it saves them time. Instead of having to create new code for a basic function, it’s much faster and easier to use a section of code that the hacker knows already works. What’s more, as security analyst Marc Laliberte pointed out, saving time in this way enables cybercriminals to direct their attention to more pressing pursuits.

“Why reinvent the wheel when another author already created a working solution?” Laliberte wrote. “By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking.”

In addition to reusing code to save time, many cybercriminals also recycle top threat capabilities simply because those capabilities have proven successful in the past. This is why there are countless variants of ransomware, spear-phishing campaigns and other tactics.

Making code available: Malware and exploit kits

It’s also become incredibly simple for hackers to access and reuse code thanks to available sources like malware and exploit kits. These kits bundle threats and code into a single package, and are often offered for sale on underground marketplaces or hosted on compromised websites.

For instance, Sensors Tech Forum contributor Milena Dimitrova reported that researchers who examined 66,000 URLs and over 7,800 phishing kits discovered two kits in particular that were present on more than 30 compromised hosts.

In addition to selling the kits themselves, some hackers also provide back-doored kits, allowing other cybercriminals to access previously compromised hosts.

Frankenstein-style malware can be insidious.

Examples of reuse

Let’s take a look at a few cases wherein hackers borrowed code from another malware author:

  • Reaper and Mirai: Laliberte noted that this is one of the best examples of code reuse, where hackers utilized sections of code from the Mirai botnet, a particularly powerful and successful threat. Reaper leveraged basic code from Mirai, but built upon the threat by improving upon Mirai’s exploitation and launching tactics. “Reaper’s additions to the Mirai source code include active exploitation of known IoT vulnerabilities and the use of the LUA programming language, allowing more sophisticated attacks than simple DDoS,” Laliberte wrote.
  • WannaCry and NotPetya: This is an interesting example where hackers capitalized upon the work of hacktivist group the Shadow Brokers. The group released source code that included identification of several zero-day vulnerabilities within Microsoft Windows’ file-sharing service. The code, initially stolen by the Shadow Brokers from none other than the NSA, was repurposed by hackers in the damaging WannaCry and NotPetya ransomware campaigns.
  • Carbanak and Silence Trojan: It isn’t just sections of code that are reused – as discussed previously, hackers also like to repurpose infection techniques and mechanisms that served them well in the past. Dimitrova pointed out that this is just what occurred with the Carbanak and Silence Trojans. When researchers observed the Silence Trojan – which enabled hackers to access internal banking networks and create video recordings to better understand how legitimate software was being used by employees – they noticed that the attack strategy was familiar. Both the Silence Trojan and the previously discovered Carbanak samples used this approach, leveraging the lessons learned from the video recordings to steal as much money as possible while remaining under the radar of employees and security systems.

Threat reuse on the horizon

According to predictions from Trend Micro’s 2018 report, it doesn’t appear that this style of threat reuse will stop anytime soon. In fact, experts forecast that familiar infection techniques like those used to spread email and web-based spam will resurface in connection with the fake news triangle.

“From spear-phishing emails sent to foreign ministries to the blatant use of documents to discredit authorities, dubious content can spread freely and spark forceful opinions or even real protests,” the 2018 Security Predictions Report stated. “Manipulated political campaigns will continue to mount smear tactics and deliberately shift public perception, as allowed by the tools and services readily available in underground marketplaces. It is likely that the upcoming Swedish general election will not be exempt from attempts to influence the voting outcome through fake news.”

This makes hackers’ capabilities even more potentially damaging than before. Because threats are now available on underground marketplaces, hackers no longer need specific coding skills – they can simply purchase a pre-built threat and reuse it with minor modifications to reduce the chances of detection.

New threats built using the capabilities of old infections create dangerous malware samples.

Protecting against new and old threats

Because new threats will continue to reuse previously established tactics, it’s important that organizations take the proper steps to protect their brands, their technological investments and their critical data:

  • Use multi-layered security: There should be several protection systems standing in between the company IT assets and a malicious, unauthorized user.
  • Limit automatic capabilities: As Dimitrova noted, it can be helpful to limit or even disable certain automatic system capabilities, and instead configure these services to prompt for admin approval before carrying out their functions. This gives more visibility into the activity taking place on individual machines and across the network.
  • Make sure patches are in place: Older exploits typically succeed because systems aren’t patched quickly enough for known vulnerabilities. When an update is released, apply the patch as soon as possible.
  • Educate about current threats: It’s imperative that users and stakeholders across the company are educated about current top threats. Employees themselves can provide an extra layer of security, helping to prevent tried-and-true tactics like phishing and social engineering from impacting the organization.

To find out more, connect with the experts at Trend Micro today.
