Description
Cybercriminals use various obfuscation techniques to keep their malware
strong and profitable. Two common methods they employ are evolving their
payload delivery types and quickly generating new files (defeating
hash-only detection methods). Our researchers closely examined how
adversaries have used these two strategies to help six well-known
malware families—Locky, Cerber, Nemucod, Adwind RAT, Kryptik, and
Dridex—evade detection and continue compromising users and systems.
Through our analysis, we sought to measure the “time to evolve” (TTE): the time
it takes adversaries to change the way specific malware is delivered
and the length of time between each change in tactics. We analyzed web
attack data from different Cisco sources—specifically, web proxy data,
cloud and endpoint advanced malware products, and composite antimalware
engines.
Our researchers looked for changes in file extensions
delivering the malware and the file content (or MIME) type as defined by
a user’s system. We determined that each malware family has a unique
pattern of evolution. For each family, we examined the patterns in both
web and email delivery methods. We also tracked the ages of unique
hashes associated with each malware family to determine how quickly
adversaries are creating new files (and thus, new hashes).
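The two measurements described above, as an added illustration rather than Cisco's own tooling: given per-sighting telemetry rows (timestamp, family, extension, MIME type, hash), the first function records each point at which a family's delivery type (extension plus MIME type) changed, the second turns those points into the TTE series (days between consecutive changes), and the third gives the age of every unique hash. The rows, family-level patterns and hash values are constructed for the example.

```python
from datetime import datetime

# Constructed sample telemetry (not real detection data): one row per observed
# delivery as (date, family, file extension, MIME type, hash placeholder).
RECORDS = [
    ("2016-01-01", "Locky", ".js", "application/javascript", "hash-a"),
    ("2016-01-03", "Locky", ".js", "application/javascript", "hash-b"),
    ("2016-01-11", "Locky", ".wsf", "text/xml", "hash-c"),
    ("2016-01-20", "Locky", ".wsf", "text/xml", "hash-c"),
    ("2016-01-25", "Locky", ".zip", "application/zip", "hash-d"),
    ("2016-01-02", "Nemucod", ".js", "application/javascript", "hash-e"),
    ("2016-02-01", "Nemucod", ".js", "application/javascript", "hash-e"),
]


def _parse(records):
    """Parse dates and return the rows in chronological order."""
    return sorted((datetime.strptime(d, "%Y-%m-%d"), fam, ext, mime, h)
                  for d, fam, ext, mime, h in records)


def delivery_changes(records, family):
    """(timestamp, (extension, mime)) for each time the family's delivery type changed."""
    changes, current = [], None
    for ts, fam, ext, mime, _ in _parse(records):
        if fam != family:
            continue
        if (ext, mime) != current:          # a new extension/MIME pair = a tactic change
            current = (ext, mime)
            changes.append((ts, current))
    return changes


def time_to_evolve(records, family):
    """TTE series: days between consecutive delivery-type changes for one family."""
    stamps = [ts for ts, _ in delivery_changes(records, family)]
    return [(later - earlier).days for earlier, later in zip(stamps, stamps[1:])]


def hash_ages(records):
    """Days between first and last sighting of each unique (family, hash)."""
    first, last = {}, {}
    for ts, fam, _, _, h in _parse(records):
        first.setdefault((fam, h), ts)      # keep earliest sighting
        last[(fam, h)] = ts                 # rows are sorted, so this ends at the latest
    return {key: (last[key] - first[key]).days for key in first}


if __name__ == "__main__":
    for fam in ("Locky", "Nemucod"):
        print(fam, delivery_changes(RECORDS, fam), time_to_evolve(RECORDS, fam))
    print(hash_ages(RECORDS))
```

A short TTE series with many short-lived hashes, as in the constructed Locky rows, is the fingerprint of a family that rotates both delivery type and file content faster than hash-only blocklists can follow.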