Cyber criminals appear to be economising by looking to cheaper methods of attack to cut malware costs, according to security firm Kaspersky Lab.
Researchers believe 2015 has seen demand for new malicious software reach saturation point, with the average number of new malware files detected on a daily basis falling from 325,000 in 2014 to 310,000 in 2015.
Kaspersky Lab researchers believe this is mainly due to the fact that coding new malware is expensive and cybercriminals have realised they can get equally good results using intrusive advertising programs or legitimate digital signatures in their attacks.
This approach appears to be working because, despite the cost-cutting in malware production in 2015, the number of users attacked by cybercriminals increased by 5%.
Between 2012 and 2013, there was a rapid increase in the number of new malicious files detected every day, rising from 200,000 to 315,000 in 2013.
However, researchers said things started to slow down after that, with the total increasing by just 10,000 files a day in 2014, before falling by 15,000 a day in 2015.
Cybercriminals in search of a quick return appear to have decided that the cost of complex coding tools such as rootkits, bootkits or replicating viruses is eating into their revenue.
The researchers note that these complex tools can cost tens of thousands of pounds to develop and can be detected by increasingly sophisticated antivirus software.
As a result, 2015 saw adware become more prominent, marking an evolution in cybercriminal tactics, with many now acting almost as businesses, engaged in selling quasi-legitimate commercial software, activity and other “essentials”.
Another related trend is the increased abuse of bought or stolen legal certificates for digital products to deceive security software.
“Cybercrime has lost the last touch of romance. Today, malware is created, bought and resold for specific tasks,” said Vyacheslav Zakorzhevsky, head of the anti-malware team at Kaspersky Lab.
“The commercial malware market has settled and is evolving towards simplification,” he said.
Looking ahead to 2016, Kaspersky Lab researchers expect a decrease in the emphasis on persistence, placing a greater focus on memory-resident or fileless malware.
“The idea will be to reduce the traces left on an infected system and thus avoid detection altogether,” said Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky Lab’s Global Research and Analysis Team (GReAT).
He also expects a reduction in the emphasis on advanced malware. “Rather than investing in bootkits, rootkits and custom malware that gets burned by research teams, we expect an increase in the repurposing of off-the-shelf malware.
“Not only does this mean that the malware platform isn’t burned upon discovery, but it also has the added benefit of hiding the actor and his intentions in a larger crowd of mundane uses for a commercially available remote access Trojan (RAT),” he wrote in a blog post.
Kaspersky Lab researchers expect to see the success of ransomware continue and spread to new platforms like mobile, Mac OS X and the internet of things. They expect cyber criminals to set their sights on payment systems such as Apple Pay and Android Pay, as well as stock exchanges and, as attacks on security vendors rise, they foresee attackers compromising industry-standard reverse-engineering tools like IDA and Hiew, debugging tools like OllyDbg and WinDbg, or virtualisation tools like the VMware suite and VirtualBox.