Positive Technologies Report Examines the Evolution and Current Threat of Rootkits

Difficult and Costly to Create, These Malicious Programs That Hide the Presence of Malware Target Governments and Research Institutes, and Are Here to Stay

In a new report, Positive Technologies analyzes this past decade's most infamous 1 families of rootkits—programs that hide the presence of malicious software or traces of intrusion in victim systems. The study finds that the majority of rootkits are used by APT groups or financially motivated criminals whose payouts exceed the costs, the most commonly targeted are government and research institutes, and 77% of rootkits are used by cybercriminals for espionage purposes.

Rootkits are not the most common type of malware. Rootkit detections tend to be associated with high-profile attacks having high-impact consequences—often these tools form part of multifunctional malware that intercepts network traffic, spies on users, steals login credentials, or hijacks resources to carry out DDoS attacks. The most famous application of a rootkit in an attack was the Stuxnet campaign, which targeted Iran's nuclear program.

Positive Technologies carried out a large-scale study of rootkits used by hacker groups over the past decade, starting in 2011. The results show that in 44% of cases, cybercriminals used rootkits to attack government agencies. Slightly less frequently (38%), rootkits were used to attack research institutes. Experts link the choice of targets to the main motive of rootkit distributors: Data harvesting. The information handled by government and research organizations is of great value to cybercriminals. According to the study, the top 5 industries most attacked by rootkits also include telecommunications (25%), manufacturing (19%), and financial institutions (19%). In addition, more than half (56%) are used by hackers to attack individuals. These are mainly targeted attacks as part of cyberespionage campaigns against high-ranking officials, diplomats, and employees of victim organizations.

"Rootkits, especially ones that operate in kernel mode 2, are very difficult to develop, so they are deployed either by sophisticated APT 3 groups that have the skills to develop these tools, or by groups with the financial means to buy rootkits on the gray market," explains Yana Yurakova, a security analyst at Positive Technologies. "Attackers of this caliber are mainly focused on cyberespionage and data harvesting. They can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim's infrastructure on behalf of a paymaster."

In 77% of cases, the rootkit families under investigation were used to harvest data, around a third (31%) were motivated by financial gain, and just 15% of attacks sought to exploit the victim company's infrastructure to carry out subsequent attacks.

As found by Positive Technologies, dark web forums 4 are dominated by ads selling user-level rootkits 5, which are commonly used in mass attacks. According to the report, the cost of an off-the-shelf rootkit ranges from $45,000 to $100,000, depending on the operating mode, target Operating System, terms of use (for example, time limits on how long the malware can be rented), and additional features—remote access and concealment of files, processes, and network activity are the most commonly requested. In some cases, developers offer to customize the rootkit for the buyer's needs and provide support. 67% of ads stated that the rootkit should be "tailored" for Windows. This correlates with the results of the study: Rootkits crafted for Windows systems in the sample group analyzed by Positive Technologies accounted for the lion's share (69%).

"Despite the difficulties of developing such programs, every year we see the emergence of new versions of rootkits with a different operating mechanism to that of known malware," says Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PTe-converted-space">  ESC), which regularly tracks hacker group activity and the emergence of new information security threats. "This indicates that cybercriminals are still developing tools to disguise malicious activity and coming up with new techniques for bypassing security—a new version of Windows appears, and malware developers immediately create rootkits for it. We expect rootkits to carry on being used by well-organized APT groups, which means it's no longer just about compromising data and extracting financial gain, but about concealing complex targeted attacks that can entail unacceptable consequences for organizations—from disabling critical infrastructure, such as nuclear power stations, thermal power plants, and power grids, to anthropogenic accidents and disasters at industrial enterprises, and political espionage."

Positive Technologies researchers believe rootkits will continue to be developed and used by cybercriminals, and in fact, PT ESC specialists have identified the emergence of new versions of rootkits, indicating that attackers continue to invent new techniques to bypass protection. A criminal’s advantages for using rootkits – executing code in privileged mode, being able to hide from security tools, and remaining online for long periods of time – are too important for attackers to reject these tools. The main danger of rootkits will continue to be the concealment of complex, targeted attacks until the point of an actual assault or set of events causing damage for the target organization.

To protect your company from rootkit-based attacks, Positive Technologies recommends using endpoint malware detection tools and solutions, such as PT Sandbox, which can identify malware during both installation and operation. A rootkit scanner, system integrity checks, and network traffic analysis for anomalies will also help detect rootkits.

  1. The analysis covered 16 of the best-known rootkit families discovered over the past 10 years.
  2. A type of rootkit with the same privileges as the OS. Developing this malware is complex because any errors in the source code can affect the stability of the system, which will facilitate detection. These rootkits made up 38% of Positive Technologies' sample group.
  3. An advanced persistent threat (APT) attack is a carefully orchestrated multistage cyberattack aimed at a specific industry or specific (usually large) companies. APT attacks are performed by criminal groups (APT groups) consisting of highly skilled people.
  4. The analysis covered ten of the most active Russian- and English-language forums on the dark web where ads for rootkits and jobs for malware developers were posted.
  5. A type of rootkit with the same privileges as most applications, able to intercept system calls and substitute values returned by the API. Their share in the sample group was 31%.