SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Hunter-killer malware surges by 333%, says Picus Red Report 2024
Thu, 15th Feb 2024

The fourth annual Picus Red Report 2024, published by security validation firm Picus Security, has identified a significant surge in Hunter-killer malware, marking a noticeable shift in cyber attacker strategies. The research revealed a 333% increase in malware that actively targets and disables security measures, reflecting a drastic enhancement in adversaries' capability to attack robust enterprise defences such as next-gen firewalls, antivirus suites, and EDR.

"We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines," said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. He likened the stealthy navigation of these military vessels through dangerous waters to the way the new malware not only evades detection but actively aims to neutralise defensive software. He attributed the shift in cybercriminal tactics to improved security in average businesses and the increasing sophistication of tools to detect threats.

The research revealed additional key findings. The report shows that 70% of analysed malware now uses stealth-oriented techniques, particularly those that allow malware to elude detection measures and maintain network persistence. Use of T1027 Obfuscated Files or Information has increased by 150%, reflecting a trend towards compromising the effectiveness of security solutions. Among ransomware, use of T1071 Application Layer Protocol has risen by 176%; the technique is strategically used to exfiltrate data in double-extortion schemes.

Notably, Picus recommends strategies that leverage machine learning, safeguard user credentials, and consistently validate defences against the latest attacker tactics to combat Hunter-killer malware and stay abreast of emerging threats.

"It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected," said Huseyin Can YUCEEL, Security Research Lead at Picus Security. He added that preventing attacks requires a multi-layered defence approach and constant security validation. Unless enterprises regularly simulate attacks to measure their response, they won't know their systems have been compromised until it's too late.

The data analysed for the Red Report 2024 was gathered over a year in which Picus Labs scrutinised 667,401 unique files, of which 92% were categorised as malicious. Sources of these files include but are not limited to commercial and open-source threat intelligence services, security vendors and researchers, malware sandboxes, malware databases, and forums. From these files, a total of 7,754,801 actions were extracted, an average of 13 malicious actions per malware. These actions were then mapped to 7,015,759 MITRE ATT&CK techniques, an average of 11 techniques per malware.

To compile the Picus Red Report 2024 Top Ten, Picus Labs researchers determined the number of malicious files that used each technique. They then calculated the percentage of malware in the dataset that utilised that technique. For example, the T1055 Process Injection technique was used in 195,044 (32%) of the 612,080 malicious files analysed.