Analyzing Tactics and Developmental Trends of Open Source Malware: The Unstoppable Rise of Crypto Mining and Double Extortion Ransomware
In August of 2021, I began a student research project—Analyzing Tactics and Developmental Trends of Open Source Malware—under Dr. Amit Ray at Rochester Institute of Technology. This article examines the results collected through analyzing publicly available malware samples, historical threats, and previous publications.
Malware authors are often secretive in order to stay anonymous, maximize profits, and extend how long they can unlawfully access information with exploits. Despite this, malware breaches occur, and security researchers often publish exploits for bounties or educational purposes. Open source malware enables professionals to protect against attacks by analyzing threats, patching vulnerabilities, and testing networks. It also enables further malware development, since others can improve a sample's features, speed, and reach (e.g., by creating add-ons and new, separate programs).
Open source malware resources
There are many platforms used to explore, share, and develop malware. GitHub, Exploit Database, and Malware Bazaar are the three platforms used in this research. Two developmental trends that increased during 2021 are crypto miners and attack-end graphical user interfaces (GUIs) for pre-existing exploits. Crypto miners are usually developed for cryptojacking, that is, illegally using electronics to mine cryptocurrencies.
Malware with attack-end GUIs primarily increased through Ransomware as a Service (RaaS), which operates similarly to subscription-based services for streaming and shopping. Although most RaaS programs are not open source, samples and information released by researchers and RaaS providers display GUIs for malware deployment, allowing less-technical users to deploy malware.
Malware is classified into families by grouping tactics and characteristics. One prominent family is ransomware, which can include a dangerous tactic, double extortion, that renders infected systems unusable and publicly releases private information if targets do not obey the attacker. The most prominent double-extortion malware was Netwalker, which reportedly infected 113 organizations globally in 2020.
Unfortunately, it was impossible to reach a conclusion from Netwalker due to an insufficient number of malware samples. The most effective ransomware analyzed in my research was REvil (or Sodinokibi), which accounted for 20% of Palo Alto’s infection prevalence detections for early 2021. REvil analyzes, exploits, and moves about its target using open source tools like BloodHound, netscan, and arsenal kits, including modified versions of Cobalt Strike BEACON. In 2021, new initial compromise methods included using RDP with compromised credentials, installing QakBot through malicious email attachments, exploiting SonicWall through CVE-2021-20016, and using the vulnerabilities CVE-2021-27065 and CVE-2021-26855 to access Exchange servers.
In conclusion, the analysis of tactics and developmental trends in open source malware shows increased usage of crypto miners, GUIs through RaaS, and double extortion ransomware like REvil. These trends may correlate with an upsurge in non-technical attackers, increasing attacks globally due to the lowered technical bar. However, additional sample analysis and collective, open source research like Malware Map are necessary for more accurate predictions of upcoming trends.
This research began as an independent study approved by RIT’s Honors Program. You can view the initial project outline here. I also provided my abstract and honors proposal for this project below the main article.
Looking back, my proposal aspires to more than my small research project could have ever delivered, but I didn’t know enough to determine what was realistic.
I am glad I had the opportunity to learn.
Media coverage often highlights malware developed in secret by state actors and advanced persistent threats. However, this coverage does not provide the whole picture, ignoring the abundant amount of Free and/or Open-Source Software (FOSS) malware developed by these groups. By analyzing FOSS malware techniques, developers, and communities, significant trends are apparent across attacks.
This research highlights the importance of FOSS in malware and cybersecurity, including things like documentation and collaboration. It examines the social workings and economic development behind successful FOSS malware projects and communities. The goal of the research is to provide students, university faculty, and organizations with quality FOSS malware analysis to assist in vulnerability mitigation. This complex study of FOSS malware trends explores historical threats and enables future cybersecurity leaders to learn from historical failures. Research methods include extensive reading and analysis of published research, malware, journal articles, statistics, threat databases like MITRE ATT&CK, and press articles on security threats and mitigations.
Initial project outline
This course charts the development of the free culture movement by examining the changing relationship between authorship and cultural production based on a variety of factors: law, culture, commerce and technology. In particular, we will examine the rise of the concept of the individual author during the last three centuries. Using a variety of historical and theoretical readings, we will note how law and commerce have come to shape the prevailing cultural norms surrounding authorship, while also examining lesser known models of collaborative and distributed authoring practices.
This background will inform our study of the rapid social transformations wrought by media technologies in the last two centuries, culminating with the challenges and opportunities brought forth by digital media, mobile communications and networked computing. Students will learn about the role of software in highlighting changing authorship practices, facilitating new business and economic models and providing a foundation for conceiving of open source, open access, participatory, peer-to-peer and Free (as in speech, not beer) cultures. The lecture instructor and advisor for this project is Dr. Amit Ray.
FOSS is software that allows the user to use, read, edit, and redistribute the software’s source code. The concept of FOSS was popularized in the 1980s by Richard M. Stallman, a professor at Massachusetts Institute of Technology.
Many organizations and projects use different definitions of Free Software, or use the ambiguous term “Open Source,” which creates inconsistency and interferes with productivity in FOSS and Open Source communities. Additionally, FOSS is shrouded in controversy because of infighting and politically motivated licensing practices. Despite these obstacles, many FOSS communities are vibrant and thriving.
Notable FOSS projects include the Linux kernel, many BSD and Linux operating systems, MySQL database, and the Apache web server. The FOSS community is relevant today because of libre and privacy activists, passionate software developers, and a growing need for information transparency.
In this Honors option, I will use the readings in ENGL-450 to write articles on FOSS malware tactics, development, communities, and implementation. The articles will highlight the importance of FOSS in malware and cybersecurity, including things like documentation and collaboration. In addition, some articles will examine the social workings and economic development behind successful FOSS malware projects and communities.
My goal is to provide students, faculty, and other interested parties with quality FOSS malware analysis. Hopefully, my work will improve the development and understanding of FOSS at Rochester Institute of Technology.
This project will enhance my understanding of malware, FOSS, and the social and economic traits of FOSS malware projects. I will learn about the historical and social context of FOSS issues, and highlight their relevance in my research. This independent research project will also help me become a better FOSS malware developer. Lastly, it will help future students interested in FOSS malware and assist the faculty interested in studying FOSS malware.
I will use the course’s weekly readings and assignments to write articles focused on open-source malware and open-source cybersecurity. Then, I will submit the finished articles to online news publications.
Near the end of the semester, I will create a presentation on the trends in open-source malware. I will present it to the class and to RITSEC. Additionally, I will submit this presentation to cybersecurity conferences, although there is no guarantee I will be selected to present. The long-form version of my presentation will be around fifty minutes and will include a question and answer session.
Dr. Amit Ray is an Associate Professor in the Department of English at RIT. He received his Ph.D. from the University of Michigan, Ann Arbor, in Postcolonial Studies. Since graduation, Dr. Ray has studied open work communities and has worked to build open academia. For example, he co-authored RIT’s minor and immersion in Free and Open Source Software and Culture. In addition, he has taught a course on Open and Closed Source cultures for the last decade. His current interests lie in examining power, corruption, and the digital divide on computational platforms like Facebook and Wikipedia.
Originally published on 5 April 2022.