Freely subscribe to our NEWSLETTER

Rootkits are not the most common type of malware. Rootkit detections tend to be associated with high-profile attacks having high-impact consequences—often these tools form part of multifunctional malware that intercepts network traffic, spies on users, steals login credentials, or hijacks resources to carry out DDoS attacks. The most famous application of a rootkit in an attack was the Stuxnet campaign, which targeted Iran’s nuclear program.

Positive Technologies carried out a large-scale study of rootkits used by hacker groups over the past decade, starting in 2011. The results show that in 44% of cases, cybercriminals used rootkits to attack government agencies. Slightly less frequently (38%), rootkits were used to attack research institutes. Experts link the choice of targets to the main motive of rootkit distributors: Data harvesting. The information handled by government and research organizations is of great value to cybercriminals. According to the study, the top 5 industries most attacked by rootkits also include telecommunications (25%), manufacturing (19%), and financial institutions (19%). In addition, more than half (56%) are used by hackers to attack individuals. These are mainly targeted attacks as part of cyberespionage campaigns against high-ranking officials, diplomats, and employees of victim organizations.

“Rootkits, especially ones that operate in kernel mode , are very difficult to develop, so they are deployed either by sophisticated APT groups that have the skills to develop these tools, or by groups with the financial means to buy rootkits on the gray market,” explains Yana Yurakova, a security analyst at Positive Technologies. “Attackers of this caliber are mainly focused on cyberespionage and data harvesting. They can be either financially motivated criminals looking to steal large sums of money, or groups mining information and damaging the victim’s infrastructure on behalf of a paymaster.”

In 77% of cases, the rootkit families under investigation were used to harvest data, around a third (31%) were motivated by financial gain, and just 15% of attacks sought to exploit the victim company’s infrastructure to carry out subsequent attacks.

The study also finds that dark web forums are dominated by ads selling user-level rootkits , which are commonly used in mass attacks. According to the report, the cost of an off-the-shelf rootkit ranges from $45,000 to $100,000, depending on the operating mode, target Operating System, terms of use (for example, time limits on how long the malware can be rented), and additional features—remote access and concealment of files, processes, and network activity are the most commonly requested. In some cases, developers offer to customize the rootkit for the buyer’s needs and provide support. 67% of ads stated that the rootkit should be "tailored" for Windows. This correlates with the results of the study: Rootkits crafted for Windows systems in the sample group analyzed by Positive Technologies accounted for the lion’s share (69%).

“Despite the difficulties of developing such programs, every year we see the emergence of new versions of rootkits with a different operating mechanism to that of known malware,” said Alexey Vishnyakov, Head of Malware Detection at the Positive Technologies Expert Security Center (PT ESC), which regularly tracks hacker group activity and the emergence of new information security threats. “This indicates that cybercriminals are still developing tools to disguise malicious activity and coming up with new techniques for bypassing security—a new version of Windows appears, and malware developers immediately create rootkits for it. We expect rootkits to carry on being used by well-organized APT groups, which means it’s no longer just about compromising data and extracting financial gain, but about concealing complex targeted attacks that can entail unacceptable consequences for organizations—from disabling critical infrastructure, such as nuclear power stations, thermal power plants, and power grids, to anthropogenic accidents and disasters at industrial enterprises, and political espionage.”

Positive Technologies researchers believe rootkits will continue to be developed and used by cybercriminals, and in fact, PT ESC specialists have identified the emergence of new versions of rootkits, indicating that attackers continue to invent new techniques to bypass protection. A criminal’s advantages for using rootkits – executing code in privileged mode, being able to hide from security tools, and remaining online for long periods of time – are too important for attackers to reject these tools. The main danger of rootkits will continue to be the concealment of complex, targeted attacks until the point of an actual assault or set of events causing damage for the target organization.

To protect your company from rootkit-based attacks, Positive Technologies recommends using endpoint malware detection tools and solutions, such as PT Sandbox, which can identify malware during both installation and operation. A rootkit scanner, system integrity checks, and network traffic analysis for anomalies will also help detect rootkits.