Mining Malware History for Clues on Malicious Package Innovation
Malware has come a long way since it first made the scene in the late 1990s, with news of viruses infecting random personal computers worldwide. These days, of course, attackers have moved beyond these humble roots. Now they deploy a variety of innovative techniques to extract large amounts of money from businesses around the world.
A similar development is taking place with malware’s upstart cousin – the emergence of malicious packages being uploaded to package registries. We are seeing a similar trajectory here, as malicious actors test new ideas by launching basic techniques indiscriminately at whoever downloads a package.
This made us wonder–what can history teach us? By comparing current malicious package trends with malware’s evolution over the past 20 years, we can predict a likely future direction for malicious packages. We’ll look at three primary areas: attack vectors, malicious techniques, and objectives.
Attack vector trends
There are four basic attack vectors for malicious packages: brandjacking, typosquatting, dependency hijacking, and dependency confusion.
Brandjacking is an activity whereby an attacker acquires or otherwise assumes the online identity of another company or an owner of a package and then inserts a malicious code. It doesn’t necessarily mean he actively steals something, but just takes advantage of an opportunity to take ownership related to the brand name.
In a typosquatting attack, an attacker publishes a malicious package with a similar name to a popular package, in the hope that a developer will misspell a package name and unintentionally fetch the malicious version.
With dependency hijacking, an attacker obtains control of a public repository in order to upload a new malicious version.
Dependency confusion happens when a malicious package in public repositories has the same name as an internal package name. The attacker then uses this so-called feature to trick dependency management tools into downloading the public malicious package rather than the private, non-malicious package.
Brandjacking and typosquatting were the original malicious package attacks, and they remain an integral part of the attack vectors used today. Dependency hijacking and dependency confusion are more recent additions.
There are also four common attack vectors used in malware: informal source usage, vulnerable services, brandjacking, and social engineering. The most commonly used attack vector is informal source usage, which refers to downloading or engaging with a site, company, or product that is clearly not well known nor has enough reputation to back up its legitimacy.
There are similarities between the two:
- Dependency confusion can be considered a vulnerability related to package registries, meaning it is considered as a vulnerable service attack vector. In the future, we’ll see dependency management tools and package registries hurt even more by vulnerable services. Although it is a complex attack vector to exploit, there is a huge potential in it.
- Brandjacking appears on both lists, but is more commonly used with malicious packages than with generic malware. This is due to the obvious potential for attack that exists in package registries and in open source, where many individuals can own or contribute to the same project, and there are minimal verifications of authorization. Since dependency hijacking is very similar to brandjacking, we can add that into this area as well.
- Typosquatting can be considered as informal source usage, because with typosquatting, checking the owner of the package will nearly always reveal that it’s not a reputable source. Typosquatting also shares similarities with the social engineering attack vector. It tries to target users who incorrectly type the package name that they actually want.
Prediction: While they don’t share the same names, we see signs of every attack vector in generic malware being used for malicious packages. And since malicious package attacks are still relatively new, there is potential for increased use of both social engineering and vulnerable services. We expect to see an increase in attacks using these two vectors, both from malicious packages and in package registries themselves.
Malicious techniques
Attackers using malicious packages continue to rely on four common techniques: pre- and post-install scripts, basic evasion techniques, shell commands, and basic network communication techniques. While volume has grown, sophistication has not, although we are starting to see bad actors layer intermediate evasion techniques over basic evasions. A quick comparison shows significant maturation potential for techniques used with malicious packages:
In contrast, malware uses mature and sophisticated techniques to evade defenses, successfully infiltrate, and remain on infected machines, as well as achieving outgoing network traffic and code execution on the infected machine. Moreover, attackers are manipulating vulnerabilities found in other commercial or open source products to achieve better success rate or wider capabilities.
Evasion techniques. Although they exist in malicious packages, such techniques are extremely basic, such as the use of base64 encoding or hex encoding. We are starting to see some code obfuscation and even time delays that try to make it harder for dynamic analysis to detect the malicious activity, but this is still counted as basic or intermediate evasion techniques. Meanwhile, generic malware attackers can choose from a long list of advanced evasion techniques, such as anti-VM, anti-reverse engineering, filesystem and registry queries.
Persistence. Although attackers in malicious packages might be persistent in continually creating more and more malicious packages, they don’t use any persistence techniques on infected machines. Meanwhile, generic malware attackers can draw on extremely complex techniques to stay and keep running on infected machines; some examples are scheduled tasks, shortcut modifications, browser extensions, startup keys, and much more.
Vulnerability exploitation. We haven’t yet seen a malicious package reach this level. On the other hand, generic malware exploits vulnerabilities even after infecting a machine to enhance their capabilities.
The last malicious technique we will analyze is more general, and it refers to the methods used to deploy, execute, and communicate once the attacker has infected the machine. Malicious packages use basic methods to deploy, execute, and communicate on the machine, meaning that even if the package is successfully downloaded to the machine, it remains relatively easy to detect while deployed. On the other hand, we continually see attackers use advanced techniques with generic malware.
Prediction: There are a lot of opportunities for bad actors to refine their use of malicious packages and make them more dangerous. We expect to see more advanced evasion techniques sooner than anybody wants to. Malicious packages will start using persistence techniques. Vulnerability exploitation may lag, as it is not only difficult to develop, but generally useful only under special circumstances — for example, a new easy-to-use vulnerability emerges in a widely available product. Lastly, we expect to see more diverse and advanced approaches rapidly emerge in the general methods of deploy, execute, and communicate.
Objectives
Ransomware and adware are presently considered the most common malware types or malicious objectives for general malware. However, they are almost completely nonexistent in malicious packages.
There are reasons why it might be somewhat difficult to implement these types of malware in dependency management tools or package registries, but they aren’t an absolute limitation. Attackers are starting to understand the potential of creating and deploying this type of malicious package. In the ongoing security cat and mouse game, we know that malicious actors are always motivated to overcome obstacles they might encounter.
When it comes to malicious packages related to cryptocurrency, we’re already seeing malicious packages with cryptominers. A few have tried cryptocurrency stealing, although there is nowhere near the amount of malicious cryptocurrency attacks happening compared to that in generic malware. We will see an increase in the amount of malicious packages focusing on cryptojacking and cryptominers in malicious packages .
While bots have potential and still exist in generic malware, we see very limited numbers of malicious actors creating malicious packages for this intention.
Lastly, let’s discuss stealing private information and reconnaissance in tandem, as there is considerable overlap on the malicious package side. Here again, we have a misleading edge case. At first glance, malicious packages are surpassing generic malware, but it’s a measure of how common the methods are rather than their complexity. The most common objectives for bad actors using malicious packages are stealing private information and reconnaissance, while actors of generic malware have moved beyond these objectives. With that in mind, we might see a decrease in the popularity of reconnaissance, as the incentive for that is much lower than other objectives.
Like any younger sibling, malicious packages are just not as mature as generic malware. We see them lagging by about a decade. This makes sense, given that malicious packages represent a relatively new opportunity and attack surface, and cybercriminals are just starting to grasp their potential.
Watch Elkabes’ full presentation for Linux Security Summit NA.
