Hunter-killer malware is on the rise, and security experts are seriously concerned


Security experts have raised concerns over the rise of ‘hunter-killer malware’, a specific strain of malware that targets security tools on a compromised network and disables them. 

The surge in hunter-killer malware was recorded in Picus Security’s Red Report 2024, which analyzed over 600,000 malware samples and 7 million instances of MITRE ATT&CK techniques.

The research found the prevalence of hunter-killer malware has grown by 300% over the course of a year, growing from 6% in 2022 to 26% in 2023. 

Referring to how this approach got its name, the report described how the attacks blend covert operations with aggressive attacks on security systems. 

“Drawing parallels from the stealthy and offensive nature of 'Hunter-killer' submarines, these malware strains evade security measures with precision and proactively seek out and impair security tools, firewalls, logging services, audit systems, and other protective measures within an infected system.”

Each of the four most frequently employed techniques recorded in MITRE ATT&CK in 2023 was an aspect of hunter-killer malware. T1055 (process injection), T1059 (command and scripting interpreter), T1562 (impair defenses), and T1082 (system information discovery) can all be used in hunter-killer malware attacks.

Impairing an enterprise's defenses is a key facet of hunter-killer malware attacks: it inhibits the target’s ability to detect the intruders and helps hackers maintain access to the network from the earliest possible moment.

The study highlighted an example of an attacker disabling Windows Defender before executing malicious commands and then configuring the firewall to prevent detection and establish communication with their C2 server. 

The report also noted a number of recent attacks that use security tools to carry out an aggressive assault on a network. The LockBit ransomware group, for example, was able to use the Kaspersky TDSSKiller anti-rootkit utility to disable endpoint security solutions.

Chinese hacker group Earth Longzhi was also recorded exploiting Zemana Antimalware drivers in recent attacks, with the AuKill malware similarly abusing Microsoft’s Process Explorer to disable Windows Defender and other antivirus and EDR solutions.

Picus Security’s guidance for organizations is to prioritize security validation to consistently test and optimize their ability to prevent, detect, and respond to these sophisticated threats.

Evading detection is a primary focus for threat actors in 2024

Picus Security’s research revealed the overwhelming majority of malware now employs stealth-oriented techniques. It found 70% of the 600,000 malware samples analyzed employed stealth-oriented tactics, particularly those that help evade security tools and maintain persistence in networks.

Related tactics involve hindering the efficacy of security solutions and obfuscating the attacks' malicious activities to muddy the waters for security teams trying to conduct forensic analysis and respond to cyber incidents. 

For example, the report saw T1027 (obfuscated files) jump in popularity by 150% from 2022 to 2023, with T1055 (process injection) also becoming 45% more prevalent in the same period, from 22% in 2022 to 32% in 2023.

Given the rise of these techniques, particularly process injection, the report’s advice for security teams is to expedite the deployment of advanced threat detection systems leveraging behavioral analysis and machine learning, including EDR, XDR, and SIEM solutions. 

“By focusing on the nuances of process behavior, such as unexpected process injections or anomalous parent-child process spawning, teams can detect stealthy attack tactics.”
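As an added illustration of the two detection angles the report points to, the Defender and firewall tampering described above (T1562) and anomalous parent-child process spawning, here is a small rule set run over constructed process-creation events. It is example code written for this article, not Picus Security's tooling; the event field names, sample command lines and the parent/child lists are assumptions.

```python
import re

# Constructed sample events in the shape of simplified process-creation
# telemetry (parent image, child image, command line). They are illustrative
# and were not captured from any real incident.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=upd dir=out action=allow program=C:\\Users\\Public\\a.exe"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# T1562 (impair defenses) indicators matching what the report describes:
# switching Defender features off and reshaping the host firewall.
IMPAIR_DEFENSES = [
    ("defender-disable", re.compile(r"set-mppreference.*-disable\w+", re.I)),
    ("firewall-modify", re.compile(r"netsh\s+advfirewall\s+(firewall|set)", re.I)),
]

# Parent/child pairs that are rarely legitimate: Office applications should not
# be spawning scripting interpreters. Assumed starter lists; extend from your
# own environment's baseline.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(event):
    """Return a list of (rule, technique) hits for one process-creation event."""
    hits = []
    for name, pattern in IMPAIR_DEFENSES:
        if pattern.search(event["cmdline"]):
            hits.append((name, "T1562"))
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        hits.append(("office-spawns-interpreter", "T1059"))
    return hits


def scan(events):
    """Map each flagged event's command line to its rule hits; benign events are dropped."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS).items():
        print(f"{hits} <- {cmdline}")
```

The second sample event trips both rules at once, which is exactly the overlap the report describes: the defense-impairing command arrives through an anomalous process chain, so either signal alone would have caught it.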

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.