In the first half of 2022, we have seen at least one major ransomware that was rewired or built on the code base of existing malware. Such transformations are now occurring regularly enough to cause alarm among cybersecurity teams and vendors. In the past, Sectrio’s researchers have come across over 17 major malware families that remained potent due to the reengineering and development of variants.
So why are malware developers relying on variants rather than developing entirely new families of malware? The recent instance of Bazarloader transforming into Bumblebee ransomware offers a distinct clue. Bumblebee appeared on the horizon in March and was pushed across cyberspace through unique campaigns by 4 groups. The campaigns involved passing ISO, Zip, and other archive attachments containing malicious .DLL files and execution shortcuts, some of which were hosted on known public cloud service providers.
The appearance of Bumblebee coincided with the disappearance and fading away of the Bazarloader malware. It was then revealed that the Conti group had acquired the operations of the botnet gang that developed Bazarloader. Beyond code similarities, Sectrio’s researchers were also able to correlate similar patterns of malware promotion campaigns, and there was even a one-to-one replacement of conversations about Bazarloader with conversations about Bumblebee on various malware exchange forums.
So why are malware developers and promoters increasingly relying on variants or acquired malware to target businesses rather than developing new ones? Here are a few reasons:
- At any given point in time, there are many malware developers ready to sell the source code of their malware for adequate monetary consideration. The payment terms are flexible and attractive. The buyer of the malware code doesn’t even have to acquire the group; it can pay a ‘royalty’ to the developer for using their code or building on it, as the case may be.
- Developing a variant enables malware groups to push out relatively new malware much faster, thereby keeping security teams on alert at all times. This also leads to SOC and detection fatigue, which allows bad actors to bring their malware into target networks undetected.
- It is much cheaper to develop a variant than to build malware from the ground up. Building OT- or IoT-focused malware is a costly proposition, as it involves plenty of planning and innovation to bypass defenses and steer clear of non-target networks, not to mention avoiding detection.
- By changing the malware code, the actor can confuse security analysts trying to figure out the origin of the malware.
- Newer variants ensure the longevity of bad actors, as they continue to remain relevant beyond a few malware development cycles.
- We have also seen instances where the source code was picked up from a group that was disbanded, or was based on code stolen from APT groups or academic labs.
- Hackers are becoming more organized.
Overall, the proposition of getting malware ready quickly is very appealing and incentivizes malware groups to go for variants rather than building fresh malware.
For security teams, the main challenge with malware variants is that they pop up quickly and sometimes become difficult to detect because of the new lines of code added. But a bigger challenge is the rapid development and release of these variants, which means that in a single calendar year there could potentially be more attacks and more losses.
So what are the implications of this trend of shrinking malware development cycles?
- Faster evolution of more potent malware
- SOC fatigue
- Enterprise risk management efforts will come under added strain
- If this leads to more successful breaches and more ransom payments, cybercrime will pick up and grow rapidly
- Kinetic thresholds could be breached more often and lives threatened at large facilities such as those run by oil and gas and large manufacturing companies
- More data leaks
This trend has security implications for enterprises. Thus, we need to continue our investments in keeping cyber threats at bay and preventing them from being successful. Every failed breach is a waste of time, effort, and possibly money for the hackers involved. By increasing their cost of operations, cybersecurity teams can relegate at least some of the hacker groups to the fringes or even ease them out of the game. This will reduce the amount of code available to be passed around for the development of new variants and break the cycle of deceit.