Trend Micro today announced a massive 55% increase in overall threat detections in 2022 and a 242% surge in blocked malicious files, as threat actors indiscriminately targeted consumers and organizations across all sectors.
The roundup report reveals several interesting trends for 2022 and beyond:
The top three MITRE ATT&CK techniques show us that threat actors are gaining initial access through remote services, then expanding their footprint within the environment through credential dumping to utilize valid accounts.
An 86% increase in backdoor malware detections reveals threat actors trying to maintain their presence inside networks for a future attack. These backdoors primarily targeted web server platform vulnerabilities.
A record number of Zero Day Initiative (ZDI) advisories (1,706) for the third year in a row is the result of a rapidly expanding corporate attack surface and researcher investment in automated analysis tools, which are finding more bugs. The number of critical vulnerabilities doubled in 2022. Two out of the top three CVEs reported in 2022 were related to Log4j.
The ZDI observed an increase in failed patches and confusing advisories, adding extra time and money to corporate remediation efforts and exposing organizations to unnecessary cyber risk.
Webshells were the top-detected malware of the year, surging 103% on 2021 figures. Emotet detections were second after undergoing something of a resurgence. LockBit and BlackCat were the top ransomware families of 2022.
Ransomware groups rebranded and diversified in a bid to address declining profits. In the future, we expect these groups to move into adjacent areas that monetize initial access, such as stock fraud, business email compromise (BEC), money laundering, and cryptocurrency theft.
Trend Micro recommends that organizations adopt a platform-based approach to managing the cyber-attack surface, mitigate security skills shortages and coverage gaps, and minimize the costs associated with point solutions. This should cover the following:
- Asset management. Examine assets and determine their criticality, any potential vulnerabilities, the level of threat activity, and how much threat intelligence is being gathered from the asset.
- Cloud security. Ensure that cloud infrastructure is configured with security in mind to prevent attackers from capitalizing on known gaps and vulnerabilities.
- Proper security protocols. Prioritize updating software as soon as possible to minimize the exploitation of vulnerabilities. Options such as virtual patching can help organizations until vendors provide official security updates.
- Attack surface visibility. Monitor disparate technologies and networks within the organization, as well as any security system that protects them. It may be difficult to correlate different data points from siloed sources.
To read a full copy of the report, Rethinking Tactics: 2022 Annual Cybersecurity Report, please click here.
* It covers endpoints (Android & iOS, IoT, IIoT, PCs, Macs, Linux, servers), email, web and network layers, OT networks, cloud, home networks, vulnerabilities, consumers, businesses, and governments globally.
HYAS issues POC of BlackMamba AI-based polymorphic malware
Posted in Commentary with tags HYAS on March 7, 2023 by itnerd
To illustrate what AI-based malware is capable of, the team at HYAS Labs has just released a proof of concept (PoC) exploiting a large language model to synthesize polymorphic keylogger functionality on-the-fly, dynamically modifying the benign code at runtime — all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality. The POC and results are published in the HYAS blog post BlackMamba: Using AI to Generate Polymorphic Malware and whitepaper “HYAS Labs Threat Intelligence: BlackMamba AI-Synthesized, Polymorphic Keylogger with On-the-Fly Program Modification.”
To create the POC, HYAS researchers united two seemingly disparate concepts:
a) eliminating the command and control (C2) channel by using malware that could be equipped with intelligent automation and could push-back any attacker-bound data through some benign communication channel, and
b) leveraging AI code generative techniques that could synthesize new malware variants, changing the code such that it can evade detection algorithms.
BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, which returns the synthesized malicious code needed to steal an infected user’s keystrokes. It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining entirely in memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested many times against an industry-leading EDR, which will remain nameless, resulting in zero alerts or detections.
Once a device is infected, BlackMamba uses MS Teams as its exfiltration channel. Using its built-in keylogging ability, BlackMamba can collect sensitive information, such as usernames, passwords, credit card numbers, and other personal or confidential data that a user types into their device. Once this data is captured, the malware uses an MS Teams webhook to send the collected data to the malicious Teams channel, where it can be analyzed, sold on the dark web, or used for other nefarious purposes.
Delivery uses auto-py-to-exe, an open-source Python package that lets developers convert Python scripts into standalone executable files that can be run on Windows, macOS, and Linux operating systems. As the HYAS blog notes: “The threats posed by this new breed of malware are very real. By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”
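The behaviour described above gives defenders a pairing to hunt for: one process that pulls content from a public LLM API and then posts to a Teams incoming webhook, from an image that is not a normal Teams client. The following is an added detection example written for this post, not HYAS's code; the hostnames (api.openai.com, *.webhook.office.com), the expected-client list and the telemetry rows are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Assumed hosts: OpenAI's public API and the Teams incoming-webhook domain.
LLM_API_HOSTS = {"api.openai.com"}
TEAMS_WEBHOOK_SUFFIX = ".webhook.office.com"
# Images expected to post to Teams webhooks; anything else is worth a look.
EXPECTED_TEAMS_CLIENTS = {"teams.exe", "ms-teams.exe", "outlook.exe"}

# Constructed outbound-HTTPS telemetry, one row per request, in time order.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "invoice_viewer.exe", "host": "api.openai.com", "method": "POST"},
    {"pid": 4120, "image": "invoice_viewer.exe", "host": "contoso.webhook.office.com", "method": "POST"},
    {"pid": 2210, "image": "teams.exe", "host": "contoso.webhook.office.com", "method": "POST"},
    {"pid": 3390, "image": "python.exe", "host": "api.openai.com", "method": "POST"},
]


def is_teams_webhook(host):
    return host.lower().endswith(TEAMS_WEBHOOK_SUFFIX)


def find_llm_to_webhook_chains(events):
    """Return {pid: [reasons]} for processes whose traffic matches the
    BlackMamba pattern: an LLM API call, then a webhook POST from the same
    process, and/or a webhook POST from an unexpected image."""
    state = defaultdict(lambda: {"image": None, "llm": False, "chain": False, "odd_image": False})
    for ev in events:
        rec = state[ev["pid"]]
        rec["image"] = ev["image"].lower()
        if ev["host"].lower() in LLM_API_HOSTS:
            rec["llm"] = True
        elif is_teams_webhook(ev["host"]) and ev["method"] == "POST":
            # Order matters: the code is fetched first, the keystrokes sent after.
            rec["chain"] = rec["chain"] or rec["llm"]
            rec["odd_image"] = rec["odd_image"] or rec["image"] not in EXPECTED_TEAMS_CLIENTS
    alerts = {}
    for pid, rec in state.items():
        reasons = []
        if rec["chain"]:
            reasons.append("LLM API call followed by Teams webhook POST in one process")
        if rec["odd_image"]:
            reasons.append(f"unexpected image {rec['image']} posting to a Teams webhook")
        if reasons:
            alerts[pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in find_llm_to_webhook_chains(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only the constructed process 4120 trips both rules; the genuine Teams client and a process that merely calls the LLM API are left alone, which keeps the heuristic usable on a busy fleet.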
The HYAS BlackMamba Blog and the full whitepaper are linked here.
UPDATE: I have two comments on this. The first is from Matt Mullins, Senior Security Researcher at Cybrary:
“The BlackMamba sample is very interesting due to its integration of ChatGPT to “prompt hack” as part of its initial payload. The malware sends a prompt to ChatGPT, then, using that returned information as part of the Python code (the exec function), creates the code, which is then injected and subsequently communicates back via a Teams webhook. This is a very simple yet very advanced piece of malware because it flies under most detection radars by simply using the same applications that users would (either out of curiosity or by job necessity).
“The article says that it doesn’t have a C2, but technically it is using Teams for the communication, so what (in my opinion) would be a better term is the use of high-reputation servers for the “C2” comms (Teams and the Microsoft infrastructure). This strategy isn’t entirely new, as it has been used before with things like CDNs to bypass filters. Teams has been adopted by a large number of organizations, and also has a couple of issues beyond this that should warrant a serious conversation about its viability as a secure communications channel.
“The BlackMamba malware is thoughtfully crafted, simple, and elegant. Thus it passes the sniff test of “KISS” or keep-it-simple-stupid when it comes to engineering. The creative use of ChatGPT with the injection code, along with the use of Teams, creates a really great 1-2 punch for bypassing most EDR and detections (human and machine based) as it allows the malware to “swim with the people.” This is a gold-standard for good OpSec, typically.”
Morten Gammelgaard, EMEA, co-founder of BullWall follows up with this:
“Truly unnerving. AI-controlled polymorphic malware without the need of command & control. This is a slam dunk – preventative measures will never be able to keep up and therefore will continue to be less and less effective.
“This particular approach is one example of how the malware never looks the same (the AI regenerates it on each attack), so defenders cannot establish a model to defend against as they now do with known attack methods. The “keystroke” example here takes a common approach to how credentials are stolen and then used for access and shows how that approach can be made much more effective, i.e., bypass defenses. Not to mention that this approach did not even require a dedicated C2 server that could be tracked.
“Also, polymorphic viruses historically rely on mutation engines to alter their decryption routines. If publicly available AI engines enable script kiddies to create these viruses, that’s a real problem.
“When stealing system-specific credentials becomes easy, then access and lateral movement are easy and Bam! they have your data. At that point how they harm you is almost moot. Data theft and ransomware are popular abuses when that happens. So yeah, easier access is a very big deal.”