Use of ‘Hunter-Killer’ Malware on the Rise, Study Finds
2024-2-14 00:32:18 Author: securityboulevard.com (view original) Views: 4

Hackers are increasingly deploying “ultra-evasive, highly aggressive” malware with the ability to find and shut down enterprise security tools in compromised systems, allowing the bad actor to go undetected longer, according to researchers with Picus Security.

In its Picus Red Report 2024, the security validation firm said there was a 333% year-over-year increase in such malware in 2023, with researchers seeing the prevalence of such “hunter-killer” malware in the 667,401 files they analyzed – 92% of which were deemed malicious – jumping from 6% in 2022 to 26% last year.

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” Suleyman Ozarslan, Picus co-founder and vice president of Picus Labs, said in a statement. “Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defenses, new malware is designed to not only evade security tools but actively bring them down.”

Ozarslan said that cybercriminals are likely shifting to this tactic in response to businesses improving their cyber-defenses with tools that are better able to detect threats.

“A year ago, it was relatively rare for adversaries to disable security controls,” he said. “Now this behavior is seen in a quarter of malware samples and is used by virtually every ransomware group and APT group.”

It Goes Beyond Simple Evasion

The trend is about more than evasion, according to the researchers. These malware strains proactively seek out and disable security defenses within compromised systems, including firewalls, logging services, and audit systems. Like a pre-emptive strike from a submarine, the malware tries to shut down the defenses before an alert is sounded, which lets it continue exploiting the system undetected and gives the attacker tighter control over the compromised IT environment.

“The identification of ‘Hunter-killer’ malware represents a considerable escalation in cyber threats,” they wrote in the report. “These sophisticated malware execute comprehensive attack campaigns by blending covert operations with aggressive assaults on security controls – posing a high-level challenge to organizational cyber defense efforts.”

There were also other indicators of bad actors using tactics to get around security measures. About 70% of the malware analyzed used stealth-oriented techniques, particularly for evasion and for maintaining persistence in networks, and the researchers saw a 150% increase in the use of obfuscated files or information to hinder security solutions and cover the malware's activities.

Repurposing Legitimate Tools

The researchers also pointed to a related evolution: some malware repurposes legitimate security tools and uses them in attacks. In one example, cybersecurity firm Sangfor Technologies reported in July 2023 that the LockBit ransomware group was abusing Kaspersky's TDSSKiller anti-rootkit tool, loading it onto compromised systems before infecting them with the ransomware and encrypting files.

TDSSKiller is a legitimate and free product from Kaspersky designed to detect and remove rootkits; it can also disable malicious processes when run from the command prompt, the Sangfor analysts wrote. However, it was unclear exactly how Kaspersky's tool was being used in the LockBit attack.

In a report last summer, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) described LockBit's use of freeware and open-source tools in attacks. Most intrusions by LockBit and its affiliates included the use of PowerShell and batch scripts, CISA wrote, and the advisory listed more than three dozen other legitimate freeware and open-source tools that the attackers have abused.

“When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration,” the agencies wrote.

Picus researchers pointed to other instances, noting that “Earth Longzhi exploited Zemana Antimalware’s driver, and the AuKill malware abused Microsoft’s Process Explorer to disable endpoint defenses like Windows Defender and other AV and EDR solutions.”
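As an added illustration of the behavior described in the two preceding sections (security controls being switched off, and legitimate utilities such as TDSSKiller and Process Explorer being repurposed), the following Python script runs simple defense-impairment detection logic over constructed, Sysmon-style process-creation records. This is example code written for this page; it is not from the Picus report, the article, or any vendor. The record layout, the regular expressions, the protected-service names and the dual-use tool watchlist are all this example's own assumptions; only the ATT&CK technique IDs are real. The point it makes beyond the text is that a single stopped service is noise, while several distinct impairment actions on one host inside a few minutes is the hunter-killer pattern worth alerting on.

```python
"""Detect defense-impairment ("hunter-killer") activity in process logs.

Added example, not part of the Picus report or the article. Log lines are
constructed and use a Sysmon-like shape: time|host|image|command line.
Field layout, regexes, service names and the tool watchlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK technique IDs are real; the patterns are this example's own.
RULES = [
    ("T1562.004 firewall disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("T1562.002 event logging disabled",
     re.compile(r"wevtutil\s+sl\s+\S+\s+/e:false|auditpol\s+/clear", re.I)),
    ("T1070.001 event log cleared",
     re.compile(r"wevtutil\s+cl\s+\S+", re.I)),
    ("T1562.001 security service stopped",
     # Assumed list of protected service names; extend for your EDR.
     re.compile(r"(sc|net)\s+stop\s+(windefend|sense|mbamservice)\b|"
                r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true", re.I)),
]

# Signed, legitimate utilities the article cites as repurposed by attackers.
# Execution is a hunting lead, not proof of compromise. Names are assumptions.
DUAL_USE_TOOLS = {"tdsskiller.exe", "procexp.exe", "procexp64.exe"}


def parse(line):
    """Parse one constructed 'time|host|image|cmd' record into a dict."""
    time, host, image, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(time), "host": host,
            "image": image, "cmd": cmd}


def classify(event):
    """Return the rule names an event matches; empty list means no hit."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image in DUAL_USE_TOOLS:
        hits.append(f"dual-use tool executed: {image}")
    return hits


def correlate(events, window=timedelta(minutes=10), min_distinct=2):
    """Per host, flag >= min_distinct distinct hits inside a sliding window.

    Returns {host: sorted list of distinct hit names} for alerting hosts.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for hit in classify(ev):
            per_host[ev["host"]].append((ev["time"], hit))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = {h for t, h in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                alerts[host] = sorted(in_window)
                break
    return alerts


# Constructed sample log: WS-17 shows isolated, benign-looking actions;
# WS-42 shows the burst of impairment actions the article describes.
SAMPLE_LOG = [
    "2024-02-13T09:00:01|WS-17|C:\\Windows\\System32\\net.exe|net stop spooler",
    "2024-02-13T09:14:02|WS-42|C:\\Windows\\System32\\netsh.exe|"
    "netsh advfirewall set allprofiles state off",
    "2024-02-13T09:14:05|WS-42|C:\\Windows\\System32\\sc.exe|sc stop WinDefend",
    "2024-02-13T09:14:09|WS-42|C:\\Windows\\System32\\wevtutil.exe|"
    "wevtutil cl Security",
    "2024-02-13T09:15:30|WS-42|C:\\Users\\Public\\tdsskiller.exe|tdsskiller.exe",
    "2024-02-13T11:40:00|WS-17|C:\\Windows\\System32\\wevtutil.exe|"
    "wevtutil cl Application",
]


def run(lines=SAMPLE_LOG):
    """Parse the log and return the per-host alerts."""
    return correlate([parse(line) for line in lines])


if __name__ == "__main__":
    for host, hits in run().items():
        print(f"ALERT {host}: " + "; ".join(hits))
```

In a real deployment the `min_distinct` and `window` thresholds, the protected-service list and the tool watchlist are the tuning knobs: the first two trade missed slow-and-low campaigns against noise from administrators, and the last two must be kept in step with whatever EDR and dual-use tooling is actually present in the estate.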

There are steps organizations can take to guard against hunter-killer malware, according to Picus researchers: using behavioral analysis and machine learning techniques so that defenses are positioned in anticipation of such threats, tightening security around credentials, and using security validation tools, which test an organization's security posture and determine how ready it is to push back against the malware.

Source: https://securityboulevard.com/2024/02/use-of-hunter-killer-malware-on-the-rise-study-finds/