Spearphishing malware: Do we really know the unknown?

Abstract

Targeted attacks pose a great threat to governments and commercial entities. Every year, an increasing number of targeted attacks are being discovered and exposed by various cyber security organizations. The key characteristics of these attacks are that they are conducted by well-funded and skilled actors who persistently target specific entities employing sophisticated tools and tactics to obtain a long-time presence in the breached environments. Malware plays a crucial role in a targeted attack for various tasks. Because of its stealthy nature, malware used in targeted attacks is expected to act differently compared to the traditional malware. However, to our knowledge, there is no previous study that performed an empirical validation to this assumption. In this paper, we perform a study to understand whether malware used in targeted attacks is any different than traditional malware. To this end, we dynamically analysed a set of targeted and traditional malware to extract more than 700 features to be able to measure their discriminative power. These features are calculated from the network, host and memory behavior of malware. The rigorous experimentation we performed with several machine learning algorithms suggest that targeted malware indeed behaves differently and even with raw features extracted from the dynamic analysis reports, fairly good classification accuracy could be achieved to distinguish them from traditional malware.