
How financial organisations can defend against “Hunter-killer” malware

New attack trends and techniques can arrive in a trickle at first and then suddenly in a flood. That is certainly the case for hunter-killer malware: ultra-evasive, highly aggressive malware that shares characteristics with the hunter-killer submarines deployed in national defence.

Two years ago, this kind of malware was the preserve of only the most sophisticated nation-state actors. Now hunter-killer malware is used by almost every cybercriminal group and presents a major security risk for defenders. Thankfully, there are ways for financial organisations to mitigate its impact. Below is an overview of why hunter-killer malware has risen to prominence and how to turn the tables so that the hunted can become the hunter.

What is hunter-killer malware?

Hunter-killer submarines are built to move silently through deep water and neutralise their targets' defences. Likewise, new malware samples are being designed not only to evade security tools effectively but to actively bring them down.

It is easy to understand the allure of hunter-killer malware and the pre-emptive strike it enables. Adversaries want to disable their targets' defences before those defences can alert security teams to their presence. By doing so, they clear a path for deeper exploration of the compromised environment.

As highlighted by Picus Security's analysis of more than 600,000 malware samples, there has been a drastic shift in adversaries' ability to identify and neutralise enterprise defences such as next-generation firewalls, antivirus and EDR tools. In 2023 there was a 333% year-on-year increase in real-world malware samples with 'Impair Defenses (T1562)' capabilities. This is the MITRE ATT&CK technique adversaries use to target defensive systems in an attempt to disable or weaken them. The behaviour now appears in a quarter of all malware samples (up from 6% the year before), which implies that it sits in the toolkit of virtually every ransomware gang and APT group operating today.

The purpose of hunter-killer malware is not only to be destructive. It is also designed to be as evasive as possible, enabling adversaries to live off the land, hide inside legitimate systems and evade defences by means beyond simply disabling tools.

We believe cybercriminals depend so heavily on hunter-killer malware in 2024 because the security of the average business continues to improve. Widely used security tools now offer far more advanced detection and mitigation capabilities than ever before, so it is no surprise that adversaries have been forced to change tack. Attackers increasingly feel they need to disable these tools rather than evade them, because evasion is no longer as easy as it once was.

How to prevent hunter-killer malware 

Cyber security best practice is a continual process of making defences more robust and resilient. For security teams unfamiliar with the emergence of hunter-killer malware, however, there are some key steps to take.

Leverage behaviour-based detection - Attack techniques that disguise malicious processes as legitimate ones can be impossible to detect with traditional security controls that rely on static indicators of compromise. To identify sophisticated behaviours more swiftly and reliably, security teams should use behaviour-based and AI-driven security tools that baseline normal endpoint and network activity and alert on deviations, such as a user process reconfiguring an antivirus engine or stopping a security service.

Enhance asset visibility and governance - Security teams are strongly advised to gain greater visibility of the assets that make up their internal and external attack surfaces. Regular audits and contextual data on each asset's role and vulnerabilities help teams refine their security strategy and response. The aim is to ensure that the entire attack surface is consistently managed, kept under close surveillance and not allowed to grow out of control. After all, security teams can only protect what they know about. It is also crucial to regularly audit and update allowlisting policies to prevent misuse of native scripting environments and command-line tools.

While businesses will want to reduce the opportunities for hunter-killer malware to move laterally through networks by hardening policies and permissions, they must be careful not to create a single point of failure in their defences, for example by relying on one security agent that the malware is designed to disable.

Go on the offence - Regular threat hunting is also recommended to identify evasive hunter-killer malware. Security teams can proactively search their telemetry for evidence of Impair Defenses (T1562) behaviour that may otherwise slip past traditional detection mechanisms. This approach aims to identify and isolate threats early in the attack chain, reducing the potential impact on the organisation. Businesses should also consider deception technology (honeypots, honey tokens) to detect and study attacker movements that bypass primary defences.

Validate defences consistently - One of the best ways to prove that defences are working as intended is to validate them. The increasing use of defence evasion techniques means businesses must consistently test the effectiveness of their security measures. Security teams should challenge their controls and processes against the latest ATT&CK techniques and verify that protective measures are enabled and functioning as intended. Such validation can be carried out with automated security assurance platforms that execute simulated attacks and assess the response of EDR, XDR, SIEM and other defensive systems. This offers assurance that security tools have not been disabled or modified and that they are genuinely effective against complex, dynamic attacks. After all, an unproven defence is a potentially weak defence.
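The three points above (behaviour-based detection, hunting for T1562 behaviour, and validating that detections actually fire) can be illustrated in one small piece of code. The following is an added example written for this article, not code from the author, Picus Security or any vendor. It applies behaviour-based rules for several Impair Defenses sub-techniques to process-creation telemetry, groups hits per host to surface the hunter-killer pattern (several different defence-impairing actions on one machine), and then replays a set of simulated attacker commands through the same rules to report which sub-techniques are covered and which are not. The event fields mirror Sysmon event ID 1 / Windows 4688, but every event, host name, user and command below is constructed for illustration, and the rule set is a starting point rather than a complete detection library.

```python
"""Behaviour-based detection of ATT&CK T1562 (Impair Defenses) over
process-creation telemetry, a per-host hunt for the hunter-killer pattern,
and a validation harness that replays simulated attacker commands through
the rules to show which sub-techniques are, and are not, covered.

Added example for this article, not code from the author or any vendor.
Event fields mirror Sysmon event ID 1 / Windows 4688, but all events and
commands below are constructed; the rule set is a starting point only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Rule:
    name: str            # sub-technique ID comes first so hunt() can split it off
    pattern: re.Pattern  # applied to the normalised command line


# Each pattern describes what the command does to a defence, not a hash or
# path, so a renamed or relocated binary still matches.
RULES = [
    Rule("T1562.001 Disable or Modify Tools (Defender preferences)",
         re.compile(r"set-mppreference\s+.*-disable(realtimemonitoring|"
                    r"behaviormonitoring|ioavprotection)\s+(\$true|1)\b", re.I)),
    Rule("T1562.001 Disable or Modify Tools (security service stop)",
         re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+\S*"
                    r"(windefend|sense|mpssvc|sysmon|eventlog)\b", re.I)),
    Rule("T1562.001 Disable or Modify Tools (security process kill)",
         re.compile(r"\btaskkill(\.exe)?\s+.*(msmpeng|mssense|sysmon|nissrv)", re.I)),
    Rule("T1562.002 Disable Windows Event Logging",
         re.compile(r"\bwevtutil(\.exe)?\s+(sl|set-log)\s+\S+\s+/e:false\b", re.I)),
    Rule("T1562.004 Disable or Modify System Firewall",
         re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\S+\s+state\s+off\b", re.I)),
]


def normalise(cmd: str) -> str:
    """Collapse whitespace and drop quotes so padding or quoted paths
    do not break matching."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def detect(event: ProcessEvent) -> list[str]:
    """Return the names of all rules whose behaviour the event exhibits."""
    cmd = normalise(event.command_line)
    return [rule.name for rule in RULES if rule.pattern.search(cmd)]


def hunt(events: list[ProcessEvent], min_techniques: int = 2) -> dict[str, list[str]]:
    """Hunter-killer pattern: a host on which at least `min_techniques`
    distinct T1562 sub-techniques were observed. Returns host -> sorted IDs."""
    by_host: dict[str, set[str]] = {}
    for ev in events:
        for hit in detect(ev):
            by_host.setdefault(ev.host, set()).add(hit.split()[0])
    return {h: sorted(ids) for h, ids in by_host.items() if len(ids) >= min_techniques}


# Constructed attacker actions, keyed by the sub-technique each exercises.
# A real validation platform would execute these on a test host and look
# for the alert in the EDR/SIEM; here we replay them through the rules.
ATTACK_SIMULATIONS = {
    "T1562.001": "powershell -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true",
    "T1562.002": "wevtutil sl Microsoft-Windows-Sysmon/Operational /e:false",
    "T1562.004": "netsh advfirewall set allprofiles state off",
    "T1562.010": "powershell.exe -Version 2 -Command Get-Date",  # downgrade: no rule yet
}


def validate() -> dict[str, bool]:
    """Replay each simulated action; True means at least one rule fired."""
    results = {}
    for technique, cmd in ATTACK_SIMULATIONS.items():
        ev = ProcessEvent("lab-host", "lab\\red", "cmd.exe", cmd.split()[0], cmd)
        results[technique] = any(hit.startswith(technique) for hit in detect(ev))
    return results


# Constructed telemetry: one workstation showing the hunter-killer pattern,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("fin-ws-07", "corp\\jdoe", "outlook.exe", "excel.exe",
                 r'"C:\Program Files\Microsoft Office\EXCEL.EXE" "Q3_invoices.xlsm"'),
    ProcessEvent("fin-ws-07", "corp\\jdoe", "excel.exe", "powershell.exe",
                 "powershell.exe  -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("fin-ws-07", "corp\\jdoe", "powershell.exe", "cmd.exe", "cmd.exe /c sc stop WinDefend"),
    ProcessEvent("fin-ws-07", "corp\\jdoe", "powershell.exe", "netsh.exe",
                 "netsh advfirewall set allprofiles state off"),
    ProcessEvent("fin-srv-02", "corp\\svc_backup", "services.exe", "net.exe", 'net stop "Spooler"'),
    ProcessEvent("fin-ws-11", "corp\\asmith", "explorer.exe", "wevtutil.exe", "wevtutil qe Security /c:5"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host:10} {ev.user:16} {detect(ev)}")
    print("hunter-killer hosts:", hunt(SAMPLE_EVENTS))
    print("validation coverage:", validate())
```

Running the block flags only fin-ws-07, where three different defence-impairing actions follow an Office macro, while the backup account stopping the print spooler and an analyst querying the Security log produce no alerts. The validation step is the important part: it shows that the rules catch the Defender, event-logging and firewall actions but miss the PowerShell downgrade (T1562.010), which is exactly the kind of coverage gap a team would never learn about without testing its controls.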

Final thoughts

The surge of hunter-killer malware is a real and present threat. However, by improving their understanding of how malware evades and impairs defences, security teams can take concrete steps to mitigate the risk and ensure that they become hunters, not only the hunted.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
