Positive Technologies analysts have studied rootkits used by hackers in the past ten years

Positive Technologies analysts studied rootkits used hackers past ten years

Positive Technologies experts  analyzed the  most famous rootkit families over the past 10 years.

The researchers note that rootkits are not the most widespread malware, and cases of their detection, as a rule, refer to high-profile attacks with resonant consequences. These tools are often part of powerful malware that intercepts network traffic, spies on users, steals authentication credentials, or uses victim resources to conduct DDoS attacks. The most famous case of using a rootkit in Positive Technologies is called the Stuxnet distribution campaign, the main goal of which in 2010 was to halt the development of Iran’s nuclear program.

Analysts have found that 77% of rootkits are used by criminals for espionage and 44% of cases are used in attacks on government agencies. Slightly less frequently (38% of cases) malware was used to attack research institutes. Experts associate the choice of these targets with the main motive of hackers distributing rootkits – obtaining data.

Rootkit distribution methods according to MITER ATT & CK classification

The information processed by these organizations is of great value to cybercriminals. According to the survey, the top 5 industries most attacked by rootkits also include telecom (25%), industry (19%) and financial institutions (19%). In addition, more than half of rootkits (56%) are used by hackers to attack individuals. These are mainly targeted attacks in the framework of cyber espionage campaigns against high-ranking officials, diplomats and employees of targeted organizations.

“Rootkits, especially those operating in kernel mode, are very difficult to develop, so they are used either by highly qualified APT groups that have the skills to develop such a tool, or by groups whose financial capabilities allow buying rootkits in the shadow market,” explains Yana Yurakova, an analyst at Positive Technologies … – The main goal of attackers of this level is cyber espionage and data acquisition. These can be both financially motivated criminals who steal large sums of money, and groups that extract information and perform destructive actions in the victim’s infrastructure in the interests of customers. “

The analysis showed that in 77% of cases, rootkits were used by cybercriminals to obtain data, in about a third of cases (31%) – to extract financial gain, and only in 15% of attacks, experts noted the motive for exploiting the infrastructure of the victim company for subsequent attacks.

The darknet is dominated by advertisements for the sale of user-level rootkits, which are commonly used in mass attacks. According to experts, the cost of a ready-made rootkit varies from 45 to 100,000 US dollars and depends on the operating mode, target OS, conditions of use (for example, malware can be rented for a month) and additional functions (most often they request remote access and hiding files , processes and network activity).

The ratio of the cost of rootkits on sale

In some cases, the developers offer customization of the rootkit for the needs of the customer and provide service support. It is worth noting that 67% of advertisements included a requirement that the rootkit should be “sharpened” for Windows. This correlates with the results of the study: the share of such samples in the sample of malware studied by Positive Technologies specialists also prevails, amounting to 69%.

Percentage of OS-specific rootkits

Catch up on more stories here

Follow us on Facebook here

Leave a Reply