Ghostware and Two-Faced Malware Coming in 2016

Summary: Malware is increasingly sophisticated. In 2016, look for two developing malware families. First, as law enforcement becomes more specialized in identifying cybercriminals, ghostware will help hackers conceal indicators of compromise. It will be more difficult for companies to know a compromise has taken place. Second, be on the lookout for “two-faced malware”: malware that can avoid detection by a sandbox and then execute once clear of security protocols.

The threat landscape is constantly evolving.

Security researchers uncover emerging tactics employed by hackers and other bad actors. They develop solutions to protect individuals and businesses from compromise. And then hackers come up with something new to foil even cutting-edge defenses.

In this environment, some types of malware evolve and grow more sophisticated. Others go by the wayside to be replaced by newer, more intelligent tools that drive further innovation among security vendors and researchers. This ongoing cyber security arms race intensifies each year while the stakes get higher as connected devices (the so-called “Internet of Things”) proliferate and the potential attack surface grows exponentially.

Malware continues to be one of the primary tools of the hacker trade. Hackers use purpose-built malicious software to gain access to devices and networks, to exfiltrate data, and exploit software vulnerabilities. In 2016, new variants will emerge, confounding security professionals and investigators looking to find and prosecute cyber criminals and state-sponsored actors. Let’s take a look at two types of malware researchers at Fortinet’s FortiGuard Labs predict will make an impact in 2016.


Ghostware is the Snapchat of malware. Snapchat, the popular social app, allows users to send photos and videos to friends that, once viewed, “disappear” and cannot be viewed again. The concept of ghostware is similar: The malware enters into a system, completes its mission (i.e., stealing data), then disappears without leaving a trace.

As investigators and law enforcement become more adept at forensic analysis and more concerned with cyber crimes and the people who perpetrate them, careful hackers will look for ways to erase all traces before security measures detect that systems have been compromised.

In 2014, blastware emerged on the scene. This type of malware gets what it needs and then destroys its target or renders its host unusable if it is detected by security systems. Unlike ghostware, it leaves the ultimate calling card behind – a destroyed machine will let an organization know immediately that their system has compromised.

Rombertik is the most well-known variant of blastware – once installed it checks to see if it has been detected, and if it suspects it has been detected or is being reverse engineered by a researcher, it will self-destruct and permanently crash the host system. Fortinet’s research indicates blastware will continue to be a tool used in targeted attacks, particularly in cases of hacktivism or state-sponsored cybercrime.

Ghostware could become more prevalent because of its flexibility – hackers can infect different types of systems and attempt to avoid identification and attribution for the crimes.

Two-Faced Malware

The two-faced malware was developed in response to the increasing use of sandboxing to inspect traffic and prevent advanced threats from entering the network. This malware is specifically designed to evade detection in the sandbox. It executes a benign task while in the sandbox and then performs its malicious process once it passes through the security protocols. Currently, it is quite simple with some basic anti-VM and anti-sandbox techniques, which actually raises a red flag for security inspection.

Sandbox solutions often employ a rating system based on the observed behavior of the inspected files. If everything looks good, the sandbox will assign an “innocent” rating that will be reported back through a security vendor’s threat intelligence system. The result? Future versions of files may get the “all clear” and be able to bypass sandbox inspection and other advanced security systems. Two-faced malware could be enhanced to game sandbox rating systems in a counter-intelligence move, making it much more difficult to detect.

Security vendors may need to develop stronger verification systems in response, which could ultimately impact network performance.

An Evolving Threat Landscape

There is a constant struggle between cyber guardians and cyber criminals. With a growing attack surface, this battle will come into increasing focus over the next year. It will take new approaches and considerable resources to ensure this doesn’t become the zero-sum game of a Cold War-era arms race. Each year, advanced persistent threats become more sophisticated and hackers become savvier. It’s up to security researchers and vendors to stay one step ahead of emerging trends like ghostware and two-faced malware and begin to develop more sophisticated defenses and security protocols.

Derek Manky, Fortinet’s Global Security Strategist, formulates security strategy with more than a decade of advanced threat research with the ultimate goal to make a positive impact towards the global war on cybercrime.

Related Posts