Analyzing Tactics and Developmental Trends of Open Source Malware

The Unstoppable Rise of Crypto Mining and Double Extortion Ransomware

Introduction

In August of 2021, I began a research project–Analyzing Tactics and Developmental Trends of Open Source Malware–under Dr. Amit Ray at Rochester Institute of Technology. This article examines the results collected through analyzing publicly available malware samples, historical threats, and previous publications.

Developmental Trends

Malware authors are often secretive for anonymization, maximizing profits, and extending the duration of unlawfully accessing information with exploits. Despite this, malware breaches occur, and security researchers often publish exploits for bounties or educational purposes. Open source malware enables professionals to protect against attacks by analyzing threats, patching vulnerabilities, and testing networks. Additionally, it allows malware development by improving features, speed, and reach (e.g., creating add-ons and new, separate programs).

There are many platforms used to explore, share, and develop malware. GitHub, Exploit Database, and Malware Bazaar are three platforms used in this research. Two developmental trends increasing during 2021 include crypto miners and attack-end graphical user interfaces (GUIs) for pre-existing exploits. Crypto miners are usually developed for cryptojacking, illegally using electronics to mine cryptocurrencies.

Malware with attack-end GUIs primarily increased through Ransomware as a Service (RaaS), which operates similarly to subscription-based services for streaming and shopping. Although most RaaS programs are not open source, samples and information released by researchers and RaaS providers display GUIs for malware deployment, allowing less-technical users to deploy malware.

Trending Tactics

Malware is classified into families by grouping tactics and characteristics. One prominent family is ransomware, which can include a dangerous tactic, double extortion, that renders infected systems unusable and publicly releases private information if targets do not obey the attacker. The most prominent double-extortion malware was Netwalker, which reportedly infected 113 organizations globally in 2020. 

Unfortunately, it was impossible to reach a conclusion from Netwalker due to an insufficient amount of malware samples. The most effective ransomware analyzed in my research was REvil (or Sodinokibi), which consisted of 20% of Palo Alto’s infection prevalence detections for early 2021. REvil analyzes, exploits, and moves about its target using open source tools like Bloodhound, netscan, and arsenal kits, including modified versions of Cobalt Strike BEACON. In 2021, new initial compromise methods include using RDP with compromised credentials, installing QakBot through malicious email attachments, exploiting SonicWall through CVE-2021-20016, and utilizing vulnerabilities–CVE-2021-27065 and CVE-2021-26855–to access Exchange servers.

Conclusion

In conclusion, the analysis of tactics and developmental trends in open source malware shows increased usage of crypto miners, GUIs through RaaS, and double extortion ransomware like REvil. These trends may correlate to an upsurge in non-technical attackers, increasing attacks globally due to the lowered technical bar. However, additional sample analysis and collective, open source research like Malware Map are necessary for more accurate predictions of upcoming trends.