A Malware Detective Shares What Makes Some Attacks More Alarming Than Others
Few people have spent as much time studying malware as Costin Raiu.
This year marks Raiu’s 20th anniversary with the antivirus giant Kaspersky Lab, as well as his 10th anniversary directing the company’s global research and analysis team. When Raiu joined Kaspersky, the whole company had fewer than 40 employees and fit on one floor. “We had four rooms — a virus lab where Eugene [Kaspersky] worked, another room for sales, another for administration, and another for servers,” he told me on a recent video call.
Cybersecurity has changed considerably since then: Malware is more sophisticated, threat actors are more organized, and defenders have developed an arsenal of tools to uncover and respond to attacks. Raiu, who compares his job to detective work and geology, described to me on a recent Friday afternoon the most interesting malware he’s dissected during his career and explained what makes some attacks more interesting than others. The conversation below has been lightly edited for length and clarity.
The Record: You and your team see millions of malware samples a week, but you only take a close look at a small fraction of them. What makes certain malware samples more interesting than others?
Costin Raiu: The company receives somewhere between 300,000 and 400,000 new samples each day. I guess maybe 0.1% of those would be interesting to my team. Of course we have other divisions in the company that look at and analyze everything we receive to deliver protection to the users. My team focuses on the more sophisticated cases, like APT samples, big financial heists, zero days, sophisticated threat actors. The special cases that require more in-depth investigations. But there are very few of those per day.
What makes it attractive to us is if they have a new technique… or the number of victims can also be interesting. Something detected 10,000 times versus something detected once — the first is a common malware, and the second is unique, and that’s going to be more interesting for us. There are other things that make malware interesting, like if they use virtual file systems, it’s always a sign that there’s something more advanced going on. I guess they were pioneered by Turla and Regin in 2008, 2007. They would need that because they would build an incredibly complex platform with many modules and functions that can be swapped depending on the victim. It’s a sign that the threat actor you’re dealing with is developing a professional product instead of a quick hack.
TR: Are there any big unsolved mysteries that you’re hoping to get to the bottom of?
CR: There are a lot of unsolved mysteries. To be honest one of the best guys at solving those mysteries is my former colleague Juan Andres Guerrero-Saade. One good example that he’s written about involves the Shadow Brokers, who are famous in the sense that no one was able to figure out who was behind the identity. They leaked a file called sigs.py — a Python script with signatures for malware used by several APT groups. It’s been called an NSA antivirus — it has 50 signatures of highly-relevant adversaries that should be interesting to investigate.
Some researchers were able to associate many of those signatures with known malware, but there are still a few signatures in there that have never been solved. We recently solved one of the signatures to something called DarkUniverse. Juan Andres also solved one of those mysteries to a potential Farsi-speaking threat actor. But there’s still a lot in there that nobody was able to discover.
TR: Do you think it will ever be solved?
CR: There are still people trying to solve them but one of the problems is that many of these are very old — malware from 20 years ago that might not even exist anymore. Antivirus companies that had fantastic malware collections in the 1990s, some of them went bankrupt and the collection was lost, so malware from 20 years ago is slowly starting to disappear. Not many companies out there still have it, and especially for new startups, even if they wanted to solve these new mysteries they can’t because they don’t have samples from 20 years ago.
TR: What’s the most interesting malware you’ve seen in your career?
CR: It’s hard to pick one. There are several that are very interesting from a technical point of view. For sure, Duqu 2.0 that we found in our own computer network was definitely special. It was responsible for ruining my birthday five years ago — we discovered it a few days before, so I couldn’t properly celebrate.
TR: What about it — besides how close it was to home — made it interesting to you?
CR: It’s not just the malware, it’s the fact that somebody out there was ballsy enough to target an antivirus with malware. That’s super, super crazy. It’s inconceivable that they will not get caught. They should know they will get caught, and it’s super risky if the company is able to associate it with known threat groups. Later we found connections with Duqu, and were able to confidently say it was a new variant.
TR: Any others worth mentioning?
CR: There are so many! One of the classics out there is Turla — they pioneered virtual file systems, the exploitation of vulnerable drivers to run code in kernel mode, they pioneered pipe-based communication for their backdoors. They’re one of the most innovative groups, and the group has been around for so long.
Lazarus is another big one. It’s unbelievable how relentless they are. The fact that Lazarus has been around also for quite some time, and they have so many different tools to attack Linux systems, Windows systems, even IBM systems, Solaris. Whenever you know the threat actor has a comprehensive toolset for everything, that’s really unusual.
TR: What should cybersecurity professionals be concerned about in the coming months?
CR: The most significant and active things are the targeted ransomware gangs like WastedLocker and Maze. We noticed this trend about four years ago — it was different from your typical criminal groups. They had more dedicated energy and a professional approach. I think they’re learning from experience. With APT actors, you judge them by their maturity level — are they able to develop and deploy zero days, do they write custom malware, can they combine closed-source malware with public malware, can they launch physical operations supporting cyber operations. Like the famous Wild Neutron group, we’re aware of a case where they wanted to infect somebody. They tried and it didn’t work well, so they sent somebody to break into the person’s apartment and infect a device through physical access. Threat actors that have such abilities stand out from the rest. But with ransomware groups, it’s mostly how well they stay out of jail. If they do that, it means they’re quite competent at what they’re doing. Also things like negotiation, collecting cryptocurrency payments, laundering it and converting it to real-world money. It’s a process.
TR: So with these characteristics, you’d say ransomware groups are pretty mature?
CR: Not just that, they’re dynamic and learning on the fly. In the beginning, this blackmailing technique worked where you threaten to dump data if you don’t pay. Some victims said dump it, we’re not going to pay. When this happened, they started other things like auction websites for private data sales, supporting each other and working together, sharing victims and success. All this organized crime-style activity is what worries me.
TR: I saw it’s your 20-year anniversary with Kaspersky and your 10-year anniversary directing the global research and analysis team. Did you celebrate? Does that come with a trophy?
CR: To be honest I don’t think anyone remembers! It was 20 years on the 15th of August. And I became director of the research and analysis team in October.
TR: What was your first job at Kaspersky?
CR: Initially I was hired to do software development. I had worked for a Romanian company for six years doing antivirus engine development, so when I joined Kaspersky I was put on a team that was working on the next generation of the Kaspersky antivirus engine. So I started at the company doing coding, and later I did more malware analysis and research.
TR: What have been the biggest changes?
CR: There are changes with the threat actors every day, and this is why I love this job and industry so much, because there’s always something new to look at. You create defenses, and then people poke at them and find ways around it, so you need to find something better. Some call it a cat and mouse game, though I’m not sure who’s the cat and who’s the mouse. From the defense point of things, cloud-based telemetry signatures have changed the game completely — they allow us to deliver almost instant protection to the users.
TR: What about the biggest changes with malware research and analysis?
CR: In the very early days, this was a tough process — you needed a special type of person to do threat research. It required a unique blend of skills: reverse engineering, inquisitiveness, never giving up. It’s like being a digital detective, and there were not many people who would be good at that job. Then of course tools appeared, things got better and better. Sandboxes were significant as they allowed dynamic and simplified analysis of malware. YARA [a tool that involves rule-based descriptions of malware] was another game changer in my opinion. Before YARA, it was difficult to share signatures of malware and describe it without sharing the malware itself.
TR: What’s your process for ransomware detection and analysis?
CR: To be honest, when I was little I was almost sure I would become an archaeologist, and later I realized I wanted to become — what’s the English word for someone who collects rocks? A geologist. Because I just loved rocks, I loved collecting rare and unique rocks, and it was just so interesting to me. I guess with malware it’s kind of the same: there are rocks that you can find anywhere, like quartz on the streets, but then there’s precious rocks, rare gems, radioactive metals. You can compare it very much to geology or paleontology.