“Commodity Malware” is not the Opposite of Targeted Malware

I really don’t like the term “commodity malware”. It’s not that commodity is necessarily an inaccurate description of a particular piece of malware. And it’s not that knowing whether malware can be purchased or is publicly available is not useful, it’s that just because malware may be characterized as commodity it does not indicate whether or not its being used in a targeted manner.

Over the years numerous publicly available RATs (e.g. PoisonIvy, Gh0st, DarkComet, XtremeRAT etc.) have been used by by emerging cyber-espionage actors (e.g. Syria) as well as long standing ones (e.g. China). This does not preclude these actors from using exclusive, custom malware as well, its just another option for them.

For emerging actors, it may be a cost effective way to jump start cyber-espionage capability and for well-established ones it may be a way to hinder attribution efforts. In either case, there’s a wide variety of options ranging from HackForums to Hacking Team.

Whether malware is available for sale or not doesn’t seem to be the reason why certain malware gets labeled as commodity or not. I don’t recall the malware sold by Hacking Team or FinFisher being routinely described as “commodity” yet exclusive cybercrime operations (e.g. Dridex) are sometimes described as commodity malware. While there may be affiliate relationships, not anyone can just buy such malware.

“Unlike most malware distributors, the Bugat/Dridex enterprise maintains tight control over the Bugat/Dridex malware code and does not appear to sell or distribute it to anyone outside the organization.” https://www.justice.gov/opa/file/783676/download

Sometimes, I think what people really mean when using the term is whether the malware is typically distributed in an indiscriminate or targeted manner, and not whether that malware can be purchased or not.

From a defenders perspective, knowing that certain malware is exclusive to a particular threat group that conducts targeted attacks allows you to prioritize and respond to such incidents quickly. If the malware is used by a variety of actors, some of whom conduct targeted activity and some that engage in indiscriminate activity then it requires an additional assessment to determine what type of actor is most likely involved in any particular case.

But even that is murky.

The most recent incarnation of this blurring of indiscriminate and targeted activity has been exemplified by the use of ransomware deployed after an initial, indiscriminate compromise. In these examples, Trickbot and Dridex compromises are followed by 1) interactive activity leveraging Red team tools (such as Powershell Empire, which are typically not described as ‘commodity”) and 2) the deployment of ransomware (e.g. Ryuk).

Some malware that is freely available, or that can be purchased, is rarely referred to as commodity and some malware that is exclusively used, or tightly controlled within a limited set of actors, is often called commodity. Furthermore, targeted activity can involve freely available malware and indiscriminately distributed malware can quickly turn into targeted activity.

So, I’ll ask again.

Post a comment.