Positive Technologies experts analyzed the most famous families of rootkits over the past 10 years - programs that hide the presence of malicious software or traces of intruders in the system. The study found that 77% of rootkits are used by cybercriminals for espionage.
Rootkits are not the most common malware. Rootkit detections tend to refer to high-profile attacks with resonant consequences - often these utilities are part of multifunctional malware that intercepts network traffic, spies on users, steals authentication information, or uses victims' resources to carry out DDoS attacks. The most famous case of using a rootkit in attacks is the Stuxnet malware distribution campaign, the main goal of which was to halt the development of Iran's nuclear program.
Positive Technologies analysts have conducted a large-scale study of rootkits used by cybercriminals over the past ten years, starting in 2011. According to the data obtained, in 44% of cases attackers used rootkits in attacks on government agencies. Slightly less frequently (38% of cases), rootkits were used to attack research institutes. Experts associate the choice of these targets with the main motive of cybercriminals distributing rootkits, which is obtaining data: the information processed by these organizations is of great value to attackers. According to the survey, the top 5 industries most attacked by rootkits also include telecom (25%), industry (19%) and financial institutions (19%). In addition, more than half of rootkits (56%) are used by hackers to attack individuals.
“Rootkits, especially those operating in kernel mode, are very difficult to develop, so they are used either by highly qualified APT groups that have the skills to develop such a tool, or by groups whose financial capabilities allow buying rootkits on the shadow market,” explains Yana Yurakova, an analyst at Positive Technologies. “The main goal of attackers of this level is cyber espionage and data acquisition. These can be both financially motivated criminals who steal large sums of money, and groups that extract information and perform destructive actions in the victim's infrastructure in the interests of customers.”
The analysis showed that the investigated families of rootkits were used by cybercriminals to obtain data in 77% of cases and for financial gain in about a third of cases (31%); in only 15% of attacks did experts note the motive of exploiting the victim company's infrastructure to carry out subsequent attacks.
According to a report by Positive Technologies, advertisements for the sale of user-level rootkits dominate on shadow forums; these are commonly used in mass attacks. According to the company's experts, the cost of a ready-made rootkit varies from $45 to $100,000 and depends on the operating mode, target OS, conditions of use (for example, the malware can be rented for a month) and additional functions (most often buyers request remote access and hiding of files, processes and network activity). In some cases, the developers offer customization of the rootkit for the customer's needs and provide service support. It is worth noting that 67% of advertisements included a requirement that the rootkit be "sharpened" for Windows. This correlates with the results of the study: the share of such samples in the malware sample,
“Despite the difficulties in developing these malicious programs, every year we see the emergence of new versions of rootkits whose mechanism of operation differs from already known malware. This suggests that cybercriminals continue to develop tools to mask malicious activity and constantly come up with new techniques for bypassing protection tools: a new version of Windows appears, and malware developers immediately create rootkits targeted at it,” says Alexey Vishnyakov, head of the malware detection department at the Positive Technologies Security Expert Center. “We expect that well-prepared APT groups will continue to use rootkits, which means that it is no longer just about compromising data and extracting financial benefits, but about hiding complex targeted attacks, which may result in the implementation of events that are unacceptable for organizations: from the incapacitation of KII facilities, such as nuclear power plants, thermal power plants and power grids, to man-made disasters caused by accidents at industrial enterprises, and cases of political espionage.”
