Catch Me If You Can: The Changing Faces of Malware
- The reappearance of malware variants shows how platform criminality is enabling hackers to teach old code new tricks
- The security industry and authorities need to work together to understand how platforms are being used to resurrect malware
New malware is constantly emerging into the ever-growing threat landscape, and the diversity and number of attacks that organizations need to defend against are multiplying. But “new” malware is very rarely new. As detailed by my report on the Web of Profit, platform criminality — the development of criminal platforms and marketplaces which mirrors their legitimate counterparts — has created a vast economy that makes it dangerously easy to share both code and knowledge. Innovation in cybercrime is becoming too fast for authorities to keep up, and a Catch Me If You Can scenario has emerged. Instead of starting from scratch, hackers are taking old malware and giving it a new face, or new technique, to help breach security.
The many faces of malware
Much like the con artist Frank Abagnale, whose story inspired the 2002 movie “Catch Me If You Can,” malware can continue to reappear, donning new disguises and pseudonyms. A great example of this is McAfee’s report on the discovery of OceanSalt, which reused the SeaSalt code from 2010. The original creators gained infamy after executing a series of successful attacks on more than 100 US companies, but the group went dark in 2013 after being exposed. The reappearance of the code does not necessarily mean the group is back, but it demonstrates that malware can long outlive its creators and be repurposed for new attacks.
Platform criminality is aiding this cycle of innovation, helping to create “new” versions of old malware in rapid succession. Authorities have barely defeated one threat before another pops up. Authorities and organizations must stop firefighting each attack as it arises. Instead, they must work towards understanding the nature of cybercrime in its entirety and look at the origins of attacks.
Platform criminality fuels innovation
A crucial step in understanding cybercrime is recognizing that it is a sophisticated market modeled from legitimate online platforms and marketplaces. Just as items can be bought and sold online at a click of a button, so can malware. Buying malicious code on illicit online marketplaces can cost relatively little. The average malware exploit kit costs as little as $200. Compared with the monetary gain that can be made from just one attack, it’s clear that the return far outweighs the cost.
There are also plenty of forums that share this knowledge, either on the Dark Web or sites like Reddit. These forums provide a community for hackers to discuss malware and attack techniques. Essentially, these can act as a training ground for hackers, providing a catalyst for the creation of new attacks. Platform criminality is enabling both innovation and collaboration, allowing malware to be continually reinvented, and this is never going to slow down.
Knowledge is power
The sophisticated nature of platform criminality has created an environment where hackers can easily buy, sell and repurpose malicious code. This has created a way for malware to be immortalized and returned to terrorise organizations. If we’re going to hold our ground against cyber attacks, then we must transform our approach. Organizations, the security industry and authorities need to work together to understand the online platforms that allow criminal innovation to be so easy. Fighting each individual attack as it arises does nothing for the long-term battle against cybercrime. For any real impact, we need to disrupt the platforms that facilitate success. Only when we have a full understanding of the nature of these platforms can we begin to disrupt them and close in on the elusive digital Frank Abagnales of the cybercrime world.
To learn more about platform criminality, download the Into the Web of Profit report here.