Image: Hanna Ferentc, Getty Images/iStockphoto

Rootkits are expensive and complex to build but worth the investment for cybercriminals looking to harvest data, according to a new report. Positive Technologies studied rootkits used by hacker groups over the last 10 years. The most common use case was data harvesting from government agencies and research institutes.

Cybercriminals also use rootkits to target individuals as part of cyberespionage campaigns against high-ranking officials, diplomats and employees of victim organizations.

The analysis found that the top five industries most attacked by rootkits include:

  • Government agencies: 44%
  • Research institutes: 38%
  • Telecommunications: 25%
  • Manufacturing: 19%
  • Financial institutions: 19%

Yana Yurakova, a security analyst at Positive Technologies, said in a press release that criminal groups that use rootkits can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim’s infrastructure on behalf of a paymaster.

“Rootkits, especially ones that operate in kernel mode, are very difficult to develop, so they are deployed either by sophisticated APT groups that have the skills to develop these tools, or by groups with the financial means to buy rootkits on the gray market,” Yurakova said.

SEE: How to prepare your team to address a significant security issue

Alexey Vishnyakov, head of malware detection at the Positive Technologies Expert Security Center, said in a press release that cybercriminals are always coming up with new techniques for bypassing security.

“A new version of Windows appears, and malware developers immediately create rootkits for it,” he said.

The report notes that the relatively new Moriya rootkit already provides mechanisms for bypassing the security tools built into the OS, such as checking the mandatory signature of drivers and the PatchGuard module.

Vishnyakov said Positive Technologies expects well-organized APT groups to keep using rootkits.

“This means it’s no longer just about compromising data and extracting financial gain, but about concealing complex targeted attacks that can entail unacceptable consequences for organizations — from disabling critical infrastructure, such as nuclear power stations, thermal power plants and power grids, to anthropogenic accidents and disasters at industrial enterprises,” he said.

The report also notes that rootkits started as kernel-mode malware, but that approach has changed over time. Malware developers have shifted their focus to user-mode rootkits, which are easier to build and require less precision and knowledge. The report authors note:

“…there is no point over-complicating an attack if there is confidence that the defense system is ineffective. If a point of entry to the company is found, and intelligence has shown that the perimeter is weakly protected and there are significant flaws in the security system, it is irrational and excessive to use a kernel-level rootkit, which requires a lot of effort to develop and which can lead to complications.”

Expensive to build, cheap to rent

As part of the report, Positive Technology analysts reviewed 10 of the most popular Russian-language and English-language forums on the Dark Web. They looked for ads selling custom rootkits as well as want ads for hiring malware developers. Windows was the most common target with 67% of purchase announcements looking for a rootkit for that OS.

The report also looked at the cost of building and renting rootkits. A complete custom rootkit ranges from $45,000 to $100,000 but criminals can rent a kit for a month for as little as $200. Most rental fees were between $500 and $5,000, according to the analysis by Positive Technology.

The report authors wrote that bad actors can “find both ready-made variants of malware ‘for any budget,’ as well as developers who will add the code to the target driver, or create a new project…”