The evolution of rootkits and what we can expect from them in the future
What is a rootkit and how is it used
A rootkit can be defined as a set of software that allows privileged access to a computer and that also keeps its presence hidden from administrators. Cybercriminals typically install rootkits on a computer after having obtained written permission anywhere in the filesystem hierarchy. It then takes advantage of a known vulnerability or of having obtained a password in order to install it.
The rootkits are commonly used to hide some applications that could act on the target system. They also usually include backdoors to help the cybercriminal easily access the system. It should also be noted that it can affect a wide variety of operating systems such as Microsoft Windows, Linux, and MacOS so that hackers can then remotely send commands or extract confidential information.
The Positive Technologies study on rootkits
A new study by Positive Technologies has analyzed how rootkits have evolved in recent years and the danger they represent. This is an in-depth study of rootkits used by cybercriminal groups over the last decade, that is, since 2011. In 44% of cases, hackers use rootkits to attack government agencies. On the other hand, with a percentage slightly lower than 38%, the rootkit was used to attack research institutes. Regarding the choice of targets, experts say that the main objective of rootkit distributors is data collection.
According to this study, the industries and users most attacked by this harmful software would be:
- Attacking specific people with 56%. In this case, the attacks directed as part of cyber espionage campaigns mainly affected high-ranking officials, diplomats, and employees of victims' organizations.
- Telecommunications with 25%.
- Manufacturing with 19%.
- Financial institutions 19%.
According to Yana Yurakova, a security analyst at Positive Technologies, rootkits that are capable of operating in kernel1 mode are very difficult to develop. These are developed by highly sophisticated APT-centric groups or by groups with the financial means to buy rootkits on the black market. On the other hand, these hackers who make use of rootkits mainly focus on cyber espionage and data collection. Fundamentally they act to:
- Steal large sums of money.
- They extract information.
- Damaging the victim's infrastructure on behalf of a payer.
Evolution for the future
The Positive Technologies study adds that 77% of the rootkit cases under investigation were used to collect data. On the other hand, 31% were motivated by financial gain, and then with 15%, there were attacks to exploit the infrastructure of the victim company and then carry out attacks later.
As for the price of a rootkit on the dark web, it varies between € 45,000 to € 100,000 depending on the operating mode, operating system, and rental time. Finally, looking ahead, researchers believe that cybercriminals will continue to develop and use rootkits. In this regard, Positive Technologies specialists have identified new versions of rootkits, which indicates that cybercriminals are implementing new techniques to bypass protection.