Malware variants in 2021: Harder to detect and respond to

Picus Security announced the release of its report which is a comprehensive analysis of attacker behavior and highlights the top 10 most widely seen attack techniques over the last 12 months.

In compiling its research, more than 200,000 malware samples were analyzed to identify the behaviors they exhibit. In total, researchers observed 2.2 million malicious actions, which they mapped to the MITRE ATT&CK framework, a widely used knowledge base of adversary tactics and techniques.

The report’s 2021 top ten list of the most common ATT&CK techniques demonstrates how cybercriminals have shifted towards ransomware over the last 12 months. In addition to being more likely to encrypt a target’s data, it shows that malware variants in 2021 are increasingly sophisticated and evasive, making it harder to detect and respond to them.

Malware variants evolving in 2021

• Malware is rapidly becoming more sophisticated. In 2020, on average, 9 malicious actions were exhibited by a single malware file, a figure which has risen to 11 actions per file in 2021.
• 2021 has seen a spike in malicious malware designed to encrypt a target’s data. The ATT&CK technique ‘Data Encrypted for Impact’ enters the report’s top ten for the first time, with one in five malware variants now able to encrypt files.
• Five of the top ten techniques observed are categorized under ATT&CK’s “Defense Evasion” tactic. Two thirds of malware files include at least one such technique, underlining attackers’ determination to avoid detection.
• 5% of malware files analyzed in the report exhibit virtualization/sandbox evasion tactics. These malware variants can change their behavior in a virtual machine environment (VME) or sandbox, which helps them evade detection and analysis.
• ‘Command and Scripting Interpreter’ is the most prevalent ATT&CK technique observed, exhibited by a quarter of all malware samples analyzed. This demonstrates the extent to which attackers are abusing legitimate applications like PowerShell to execute their commands, rather than creating custom tools.

The analysis of hundreds of thousands of real-world threat samples were collected from a wide variety of sources, including commercial and open-source threat intelligence services, security vendors, researchers, malware sandboxes, and forums.

“Variant has become a word that strikes panic into most people, but security teams have been concerned by the threat of new malware variants for years,” said Dr Süleyman Özarslan, VP of Picus Security and Picus Labs.

“The 2021 Red Report top ten highlights the proliferation of ransomware and the extent to which attackers continue to vary their approach, including using defense evasion and other sophisticated techniques to achieve their objectives.”

“Only by adopting a threat-centric approach can organizations fully understand how prepared they are to defend against the most common attack techniques and develop the capabilities needed to prevent, detect and respond to them continuously.”