
Threat actors getting creative with tried-and-tested techniques


Breaching a network usually means finding a way around the security controls already in place, so being a cybercriminal also means being creative.

According to a new report from Kaspersky, cybercriminals have demonstrated exceptional creativity in recent months – sometimes using new methods, sometimes putting a fresh spin on tried-and-tested ones.

For example, the firm spotted an unknown actor using a custom bootkit for UEFI, the firmware that initialises every modern PC before the operating system loads. The company says the implant was part of a multi-stage framework dubbed MosaicRegressor and was “extremely hard” to remove: code that lives in the motherboard's firmware survives a reinstall of the operating system and even a replacement of the disk.

Other criminals used steganography, hiding their payload inside an Authenticode-signed Windows Defender binary, a legitimate, Microsoft-signed component that security controls are inclined to trust. The company said it spotted these attacks targeting telecom companies in Europe.
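The check a defender would want here, as an added example that is not from the article or from Kaspersky's report: a pure-Python audit of where a signed PE file can carry bytes that the Authenticode signature does not cover. The article does not say where in the Windows Defender binary the payload was hidden; what is certain is that the Authenticode hash excludes the certificate table itself, so bytes tucked into a WIN_CERTIFICATE entry after the PKCS#7 blob leave the signature valid (the weakness behind Microsoft's opt-in hardening in MS13-098, CVE-2013-3900). The script parses the PE headers, measures that slack inside the certificate table, and also flags a gap before or trailing data after it, both of which are unusual in a normally built binary. The sample PE it builds is constructed inline and is not a real signed binary; the DER stand-in is a bare SEQUENCE, not a real PKCS#7 structure, and the function and field names are this example's own.

```python
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the cert table
FILE_ALIGN = 0x200


def _der_total_length(blob: bytes) -> int:
    """Length of the leading DER SEQUENCE (tag 0x30) in blob, header included; 0 if not a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return 0
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def build_pe(der_blob: bytes, smuggled: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed sample (not a real signed binary): a minimal PE32+ with one .text section
    and one WIN_CERTIFICATE entry whose body is der_blob, then `smuggled`, then zero padding
    to an 8-byte boundary. `trailing` is appended after the certificate table."""
    section = b"\xC3".ljust(FILE_ALIGN, b"\x00")                  # 'ret', padded to file alignment
    cert_off = FILE_ALIGN + len(section)                           # cert table directly after the section
    body = der_blob + smuggled
    cert_len = (8 + len(body) + 7) & ~7
    cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + body    # dwLength, wRevision, PKCS_SIGNED_DATA
    cert = cert.ljust(cert_len, b"\x00")
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(section), 0, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, 0x2000, FILE_ALIGN, 0,
                      3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR_INDEX] = (cert_off, cert_len)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 1, 0x1000, len(section), FILE_ALIGN,
                      0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sec).ljust(FILE_ALIGN, b"\x00")
    return headers + section + cert + trailing


def audit_signed_pe(data: bytes) -> dict:
    """Find bytes of a PE that sit outside its sections: the gap before the certificate table,
    non-padding slack inside WIN_CERTIFICATE entries (not covered by the Authenticode hash),
    and anything trailing after the table. Works for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)              # PE32+ vs PE32 data-directory start
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]           # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    end_of_sections = 0
    for i in range(nsec):                                             # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt_off + opt_size + 40 * i + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    result = {"signed": cert_size != 0, "end_of_sections": end_of_sections,
              "cert_table_offset": cert_off, "cert_table_size": cert_size,
              "gap_before_cert": 0, "slack_in_cert": 0, "trailing_after_cert": 0}
    if not result["signed"]:                                          # unsigned: all bytes past the sections are overlay
        result["trailing_after_cert"] = len(data) - end_of_sections
        return result
    result["gap_before_cert"] = cert_off - end_of_sections
    result["trailing_after_cert"] = len(data) - (cert_off + cert_size)
    pos, slack = cert_off, b""
    while pos + 8 <= cert_off + cert_size:                            # walk the WIN_CERTIFICATE entries
        dw_len, _rev, ctype = struct.unpack_from("<IHH", data, pos)
        if dw_len < 8:
            break
        body = data[pos + 8:pos + dw_len]
        der_len = _der_total_length(body) if ctype == 0x0002 else 0   # only PKCS_SIGNED_DATA carries DER
        slack += body[der_len:].rstrip(b"\x00")                       # bytes after the blob that are not zero padding
        pos += (dw_len + 7) & ~7
    result["slack_in_cert"] = len(slack)
    return result


if __name__ == "__main__":
    der = bytes([0x30, 0x14]) + b"\xA5" * 20                          # stand-in for a 22-byte PKCS#7 SEQUENCE
    for label, sample in (("clean", build_pe(der)),
                          ("payload in cert slack", build_pe(der, smuggled=b"hidden!!" * 6)),
                          ("payload after cert table", build_pe(der, trailing=b"X" * 100))):
        print(label, audit_signed_pe(sample))
```

Run it on a real file with audit_signed_pe(open(path, "rb").read()); a non-zero slack_in_cert on a binary that still verifies cleanly with signtool is exactly the condition worth investigating. The slack measurement treats a trailing run of zero bytes as alignment padding, so a payload that itself ends in zeros would be undercounted by those bytes.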

One goal most threat actors share is making their tools more flexible and harder to detect; the report named the MuddyWater APT group and the Dtrack RAT as notable examples.

On the other hand, some hackers still use low-tech infection chains with great success: the “mercenary” group DeathStalker, for instance, has relied on the same methods for almost three years.

“The widening scope of platforms attacked, continuous work on new infection chains and the use of legitimate services as part of their attack infrastructure is something we have witnessed over the past quarter,” said Ariel Jungheit, Senior Security Researcher, Global Research and Analysis Team at Kaspersky.

“Overall, what this means for cybersecurity specialists is this: defenders need to invest resources in hunting malicious activity in new, possibly legitimate environments that were scrutinized less in the past. That includes malware that is written in lesser-known programming languages, as well as through legitimate cloud services. Tracking actors’ activities and TTPs allows us to follow as they adapt new techniques and tools, and thereby prepare ourselves to react to new attacks in time.”