© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Threat actors use costly rootkits to attack governments and research institutes


Rootkits are difficult and costly to create. Therefore, threat actors have been mainly using them to target governments and research institutes over the past decade.

The cybersecurity company Positive Technologies carried out a large-scale study of rootkits used by hacker groups over the last ten years, starting in 2011. Rootkits are programs that hide the presence of malicious software or traces of intrusion in victim systems.

The study also finds that dark web forums 4 are dominated by ads selling user-level rootkits 5 , which are commonly used in mass attacks. The cost of an off-the-shelf rootkit ranges from $45,000 to $100,000, depending on the operating mode, target OS, conditions of use, and additional features.

In some cases, the researchers claim, developers offer to customize the rootkit for the buyer's needs and provide support. Rootkits are usually crafted for Windows systems.

But there are rootkits for any budget. For $100-200, the buyer gets a rootkit for temporary use, meaning it can be used for, say, no more than a month. Rootkits without time limits are more expensive. For example, in 2014, the Kro-nos rootkit, which collects data for access to Internet banking, was sold for $7,000.

As rootkits are pretty expensive, they are most commonly used by advanced persistent threats (APTs) or financially motivated criminals whose payouts exceed the cost. They usually target governments (44% of cases) and research institutes (38%), as the information handled by these institutions is of high value to cybercriminals. 77% of rootkits are used for espionage purposes.

Cybercriminals use social engineering methods, such as sending phishing messages, creating fake websites and applications that mimic legitimate sites.

"Rootkits, especially ones that operate in kernel mode, are very difficult to develop, so they are deployed either by sophisticated APT groups that have the skills to develop these tools or by groups with the financial means to buy rootkits on the gray market," explains Yana Yurakova, a security analyst at Positive Technologies. "Attackers of this caliber are mainly focused on cyberespionage and data harvesting. They can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim's infrastructure on behalf of a paymaster."

Rootkits are not the most common type of malware. According to the study, rootkit detections tend to be associated with high-profile attacks having great-impact consequences. Often, these tools form part of multifunctional malware that intercepts network traffic, spies on users, steals login credentials, or hijacks resources to carry out DDoS attacks. The most famous rootkit application in an attack was the Stuxnet campaign, which targeted Iran's nuclear program.

Despite the difficulties of developing rootkits, researchers see the emergence of new versions of such programs with a different operating mechanism to that of known malware every year.

"This indicates that cybercriminals are still developing tools to disguise malicious activity and coming up with new techniques for bypassing security — a new version of Windows appears, and malware developers immediately create rootkits for it. We expect rootkits to carry on being used by well-organized APT groups, which means it's no longer just about compromising data and extracting financial gain, but about concealing complex targeted attacks that can entail unacceptable consequences for organizations — from disabling critical infrastructures, such as nuclear power stations, thermal power plants, and power grids, to anthropogenic accidents and disasters at industrial enterprises, and political espionage," Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center, is quoted in a press release.

Cybercriminals use social engineering methods, such as sending phishing messages, creating fake websites and applications that mimic legitimate sites.


More from CyberNews:

What is a rootkit? How can you protect your device?

Why We Need Hybrid Security for a Hybrid Workforce

A collaborative approach to tackling cybersecurity around the world

Are Organizations Sleepwalking Into A Cybersecurity Crisis?

World’s most-visited websites put visitors at risk by exposing leftover files

Under pressure: how ransomware gangs force victims to pay

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked