How safe is your network from unauthorized actors? Increasingly, attackers are deploying bespoke malware and ephemeral (memory-only) infections to compromise networks in compliance-heavy sectors like financial services, government, healthcare, and technology.
What is Bespoke Malware?
Bespoke malware is custom-built malicious software, designed for one target and tailored to evade the detection systems that target uses. Commodity malware is written to infect as many systems as possible; a bespoke attack is aimed at a specific organization or environment. Think of it as fishing with a spear rather than with a net: precise, stealthy, and with a specific prey in mind.
Sometimes cybercriminals design bespoke malware to target a single enterprise. Other times they go after a particular industry, leveraging the fact that organizations in the same sector tend to run similar business systems.
What Does Bespoke Malware Do?
Typically, custom-made malware is stripped of the elements that would normally alert a security team to its presence. Security teams usually learn that an attacker has infiltrated the network through Indicators of Compromise (IOCs).
IOCs are the flags a security team uses to spot activity that is evidence of a compromise. Some are static artifacts of known malware: file hashes, command-and-control domains and IP addresses, and antivirus signatures. Others are behavioral: unusual outbound network traffic, geographical irregularities (say, a login from a country the user has never worked from), and anomalies in privileged account activity. Because bespoke malware is built fresh for one target, it matches none of the static IOCs that signature-based tools depend on, which makes it very hard to detect with those systems alone. The behavioral indicators still apply, however: the malware still has to communicate, move, and act on the network, and that is usually where a custom tool gets caught.
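To make the distinction concrete, here is a small detection script (an added example, not code from the original page or from Portnox) that runs the two kinds of IOC check over a handful of constructed log events. The known-bad hash list, baselines, thresholds and all event records are invented for illustration; the point is that the hash check finds nothing for a never-before-seen binary, while the behavioral checks for unusual outbound transfers, impossible travel and odd privileged-account use still fire.

```python
"""Behavioral vs. signature IOC checks over constructed log records.

Added example, not from the original page or from Portnox. Every hash,
baseline, threshold and event below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed baseline describing "normal" for a fictional estate.
KNOWN_BAD_HASHES = {"0f" * 32}                  # placeholder blocklist entry
EXPECTED_COUNTRIES = {"alice": {"US"}, "svc_backup": {"US"}}
PRIVILEGED_ACCOUNTS = {"svc_backup"}
BUSINESS_HOURS = range(7, 20)                   # 07:00-19:59 local time
OUTBOUND_BYTES_THRESHOLD = 50_000_000           # 50 MB to one external host
IMPOSSIBLE_TRAVEL = timedelta(hours=2)          # two countries inside this window

# Constructed events: a custom binary whose hash is on no blocklist, a large
# external transfer, a large but internal transfer, two logins by one user
# from different countries 25 minutes apart, and an interactive 03:10 login
# by a backup service account. 203.0.113.0/24 is a documentation range.
EVENTS = [
    {"ts": "2024-03-04T02:55:00", "type": "file_exec", "host": "ws-17",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"ts": "2024-03-04T03:02:00", "type": "netflow", "host": "ws-17",
     "dst": "203.0.113.45", "dst_internal": False, "bytes_out": 180_000_000},
    {"ts": "2024-03-04T03:03:00", "type": "netflow", "host": "ws-17",
     "dst": "10.0.0.5", "dst_internal": True, "bytes_out": 400_000_000},
    {"ts": "2024-03-04T08:15:00", "type": "login", "user": "alice",
     "country": "US", "host": "ws-17"},
    {"ts": "2024-03-04T08:40:00", "type": "login", "user": "alice",
     "country": "RO", "host": "vpn-1"},
    {"ts": "2024-03-04T03:10:00", "type": "login", "user": "svc_backup",
     "country": "US", "host": "ws-17", "interactive": True},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def signature_hits(events):
    """Classic static IOC: only flags binaries already on the blocklist."""
    return [e for e in events
            if e["type"] == "file_exec" and e["sha256"] in KNOWN_BAD_HASHES]


def unusual_outbound(events, threshold=OUTBOUND_BYTES_THRESHOLD):
    """Large transfers to external destinations; internal traffic is ignored."""
    hits = []
    for e in events:
        if e["type"] == "netflow" and not e["dst_internal"] \
                and e["bytes_out"] >= threshold:
            hits.append(f"{e['host']} sent {e['bytes_out']} bytes to external {e['dst']}")
    return hits


def geo_anomalies(events, window=IMPOSSIBLE_TRAVEL):
    """Login from outside the user's baseline countries, or two different
    countries within `window` (impossible travel)."""
    hits = []
    last = {}  # user -> (timestamp, country) of the previous login
    logins = sorted((e for e in events if e["type"] == "login"), key=lambda e: e["ts"])
    for e in logins:
        user, country, ts = e["user"], e["country"], parse_ts(e["ts"])
        if country not in EXPECTED_COUNTRIES.get(user, set()):
            hits.append(f"{user} logged in from unexpected country {country}")
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts < window:
                hits.append(f"{user}: {prev_country} then {country} within {ts - prev_ts}")
        last[user] = (ts, country)
    return hits


def privileged_anomalies(events):
    """Privileged accounts used interactively or outside business hours."""
    hits = []
    for e in events:
        if e["type"] != "login" or e["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        hour = parse_ts(e["ts"]).hour
        if e.get("interactive") or hour not in BUSINESS_HOURS:
            hits.append(f"privileged {e['user']} login on {e['host']} at {e['ts']}")
    return hits


def triage(events):
    """Run every check and return hits grouped by indicator type."""
    return {
        "signature": signature_hits(events),
        "outbound": unusual_outbound(events),
        "geo": geo_anomalies(events),
        "privileged": privileged_anomalies(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

On the constructed events the signature check returns nothing, while the outbound, geo and privileged-account checks each raise at least one alert. In production the baselines would come from historical telemetry rather than hard-coded sets, and the thresholds would be tuned per environment.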
Many types of bespoke malware exist, including custom ransomware, and the specific actions it takes differ by target. Most custom malware, however, aims to gain access to and exfiltrate data that can be sold to other bad actors.
Ephemeral Malware on the Rise
In addition to bespoke malware, ephemeral malware is on the rise as the next step in advanced malware. Ephemeral malware exists solely in memory and disappears when the infected system is rebooted. But how does it differ from common malware? After all, doesn't all malware run in memory?
Almost all malware starts in memory, but for most of it that is a stepping stone. Most malware wants a permanent foothold on the infected system and becomes persistent, writing itself to disk and registering a service, scheduled task or startup entry so that it keeps working after a reboot.
By contrast, ephemeral malware, sometimes called an Advanced Volatile Threat (AVT) and often grouped under fileless malware, resides solely in the computer's random access memory (RAM) and makes no attempt to persist. It is wiped once the system is rebooted, so it has only a short window in which to steal data, but because it never writes a file to disk it stays below the radar of conventional anti-malware programs that scan files. Two practical consequences follow. Detection has to come from memory and behavior (process memory scanning, script and command-line logging, network telemetry) rather than from file scans. And incident responders should capture a memory image of a suspect host before rebooting it, because the reboot that removes the malware also destroys the evidence.
Bespoke Malware in Action
In recent years we have seen a spike in bespoke malware targeting specific industries.
SamSam ransomware is one example. SamSam predominantly targeted healthcare organizations and local governments in the US. While SamSam was not the first ransomware to hijack systems and demand payment, the way it went about it was unusual.
Ransomware like WannaCry and GandCrab encrypts files and demands a ransom almost immediately after infecting a machine. SamSam's operators instead broke in quietly and spent time observing network and user activity so they could penetrate deeper into the environment. Once they had reached as much of the network as they could, they deleted or sabotaged backups before encrypting files everywhere at once. Crucially, the operators cleaned up after themselves, deleting the standalone executables once they had run, and later variants decrypted and executed the payload entirely in memory, which made the malware extremely hard to detect after the fact.
Another example is ProjectSauron, a sophisticated espionage platform that spied on government computers for over five years before it was discovered. It was used to steal passwords, encryption keys, configuration files, and log stores.
A more recent example comes from April 2022, when the Cybersecurity and Infrastructure Security Agency (CISA), Department of Energy (DOE), National Security Agency (NSA), and FBI released details of custom malware designed to take control of a range of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices. The agencies urged companies in the energy sector to implement more stringent detection and mitigation processes to avoid falling victim to the bespoke malware.
What Types of Organizations Are at Risk?
Bespoke malware and ephemeral infections are highly targeted, which means the attackers have put considerable thought into who to target. In other words, if they are going to spend time and money building stealthy malware, the payoff has to justify it.
Typically, this means large organizations and organizations in compliance-heavy industries like healthcare, telecoms, technology, finance, and banking are the intended targets. Organizations in these categories hold vast troves of sensitive data that can fetch a lucrative sum on the dark web or be leveraged in future attacks. And in the case of custom ransomware, companies in compliance-heavy sectors may be more likely to pay up to reduce disruption to critical systems (lives are at stake when a hospital's files are locked, for example).
Bespoke malware is evasive by design, which makes defending against it challenging. That does not mean you have to sit back and wait for an attack to happen.
Modern, proven controls go a long way toward protecting you from this type of attack. Network segmentation contains an intruder within one segment and blocks lateral movement across the rest of the network. Strict network access control and a Zero Trust model, in which every device and user is authenticated and authorized before it reaches a resource, limit what a compromised host can do. Behavioral network monitoring, including AI-assisted anomaly detection, can surface the unusual traffic and account activity that custom malware cannot avoid generating, letting you stop an attack in its tracks.
Bespoke attacks present a serious and growing risk to large organizations, and failing to respond to the dynamic nature of this threat leaves you vulnerable. Cybercriminals are investing in more advanced tools, so you should be too.
Try Portnox CLEAR for Free Today
Gain access to all of Portnox CLEAR’s powerful NAC capabilities for 30 days!