Surge in Volumes of Hunter-Killer Malware Observed

The Picus Security annual report reveals a significant increase in specialised "hunter-killer" malware that can identify and disable key cyber security tools. This surge in volume demonstrates a shift in threat actors' ability to neutralize enterprise defenses: the malware is designed not only to evade security tools but to actively bring them down, much as a hunter-killer submarine hunts other vessels. Previously it was rare for adversaries to disable security controls, but this behavior is now seen in a quarter of malware samples and is used by ransomware and APT groups. Disabling defenses became the third most observed MITRE ATT&CK technique in 2023.

The report also highlights the repurposing of legitimate cyber security utilities as malicious tools, with examples such as the LockBit ransomware crew turning Kaspersky's TDSSKiller anti-rootkit utility into a weapon. The surge in this type of malware reflects a wider trend of threat actors improving their odds of a successful attack by evading cyber defenses: about 70% of malware now employs stealth techniques to evade detection, and the use of obfuscated files or information has doubled.

Detecting whether an attack has disabled or reconfigured security tools can be challenging, which underlines the importance of layered security controls and proactive security validation. The report also lists the most commonly observed MITRE ATT&CK tactics, techniques, and procedures (TTPs). To combat hunter-killer malware, organizations are advised to validate their defenses against the MITRE ATT&CK framework and to consider using machine learning as an assistant.
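The detection difficulty described above is easier to reason about with a concrete defender-side check. The following is an added example, not code from the Picus report or from this article: a small detector that reads security-tool tampering signals (stops or disabling of a watched security service, a protection setting switched off) from audit log lines and escalates a host when several distinct tamper signals occur on it, which is the "hunter-killer" pattern of taking down more than one control. The log lines, the `key=value` schema, the service names and the setting names are all constructed for this example and are assumptions, not a real event format; the ATT&CK technique this behaviour maps to is Impair Defenses (T1562).

```python
"""Toy detector for security-tool tampering (ATT&CK T1562, Impair Defenses).

Added example; it is not part of the Picus report or the article. The log
schema, service names and setting names below are constructed for the
example and would need to be replaced by an organisation's own inventory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist of security services whose stop/disable matters.
WATCHED_SERVICES = {"WinDefend", "Sense", "EDRAgent", "SysmonDrv"}

# Constructed names of settings that, when set to 1, turn protection off.
WATCHED_SETTINGS = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring"}

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    host: str        # host the tamper signal came from
    category: str    # service_stop | service_disable | setting_off
    detail: str      # what was stopped/disabled/switched off
    actor: str       # process that performed the change


def parse_line(line):
    """Parse one constructed key=value audit line into a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def detect_tampering(lines):
    """Return one Alert per tamper signal found in the audit lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        actor = ev.get("process", "?")
        kind = ev.get("event")
        service = ev.get("service")
        if kind == "service_state" and service in WATCHED_SERVICES \
                and ev.get("state") == "stopped":
            alerts.append(Alert(host, "service_stop", service, actor))
        elif kind == "service_config" and service in WATCHED_SERVICES \
                and ev.get("start_type") == "disabled":
            alerts.append(Alert(host, "service_disable", service, actor))
        elif kind == "registry_set" and ev.get("value_name") in WATCHED_SETTINGS \
                and ev.get("data") == "1":
            # data=0 re-enables protection, so only data=1 is a tamper signal
            alerts.append(Alert(host, "setting_off", ev["value_name"], actor))
    return alerts


def hunter_killer_hosts(alerts, min_distinct=2):
    """Map host -> sorted distinct tamper categories for hosts that show at
    least `min_distinct` different kinds of tampering (several controls hit)."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.category)
    return {h: sorted(c) for h, c in by_host.items() if len(c) >= min_distinct}


# Constructed sample audit lines (not real telemetry).
SAMPLE_LOG = [
    # benign: an unrelated service restarts during patching
    'ts=2024-02-14T09:00:01Z host=ws-17 event=service_state service=Spooler state=stopped process=services.exe',
    'ts=2024-02-14T09:00:02Z host=ws-17 event=service_state service=Spooler state=running process=services.exe',
    # ws-42: a security service is stopped, disabled, and protection switched off
    'ts=2024-02-14T09:05:10Z host=ws-42 event=service_state service=WinDefend state=stopped process=updater.exe',
    'ts=2024-02-14T09:05:11Z host=ws-42 event=service_config service=WinDefend start_type=disabled process=updater.exe',
    'ts=2024-02-14T09:05:12Z host=ws-42 event=registry_set value_name=DisableRealtimeMonitoring data=1 process=updater.exe',
    # srv-03: a single isolated stop, worth an alert but not the multi-control pattern
    'ts=2024-02-14T10:15:00Z host=srv-03 event=service_state service=Sense state=stopped process=services.exe',
    # a setting turned back on (data=0) is not a tamper signal
    'ts=2024-02-14T10:20:00Z host=srv-03 event=registry_set value_name=DisableRealtimeMonitoring data=0 process=gpupdate.exe',
]


if __name__ == "__main__":
    found = detect_tampering(SAMPLE_LOG)
    for a in found:
        print(f"[{a.host}] {a.category}: {a.detail} by {a.actor}")
    for host, cats in hunter_killer_hosts(found).items():
        print(f"ESCALATE {host}: multiple defenses impaired {cats}")
```

Two design points matter here. First, the detector keys on the outcome (a watched service stopped or disabled, a protection setting switched off) rather than on any particular tool, so a utility repurposed as a weapon, like the TDSSKiller case above, still trips it. Second, the escalation rule looks for several distinct tamper categories on one host, which separates the deliberate takedown of multiple controls from an isolated service restart; the single stop on `srv-03` still produces an alert, but only `ws-42` is escalated.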
