
Ready-to-use malware, cryptominers and botnets can all be bought off the shelf by criminals. A wide range of "as-a-Service" offerings is now available on the dark web to support illegal activity. That does not mean attackers are becoming less capable, however: the tooling they buy is increasingly able to bypass ordinary security measures.

Darktrace's 2023 End of Year Threat Report shows that Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) dominate the market. The company notes that such tools let even criminals with limited expertise mount attacks. The most common offerings are ready-made malware loaders (77 percent), cryptominers (52 percent), botnets (39 percent) and infostealers (36 percent). Proxy botnets (15 percent) are also common: these let attackers route their traffic through compromised hosts to hide where it really comes from.

The Hive ransomware group was long regarded as a leading RaaS player, but in January 2023 U.S. authorities dismantled it. Darktrace now describes a changing of the guard: ScamClub and AsyncRAT have largely taken over Hive's market share. ScamClub is a malvertising actor, known for campaigns that redirect visitors of legitimate news sites to fake virus warnings. AsyncRAT, a remote-access trojan, is, like many other criminal operations, being used against critical infrastructure in the U.S., with attackers attempting to get into networks through employees.

Marketing cybercrime

Darktrace's research backs these developments with many concrete examples. The cybercrime supply chain has become more complex, with middlemen and professionalized services. The Genesis Market, a dark web marketplace for stolen digital identities that was taken down last year, for instance used a customer-service provider. The ransomware group LockBit 3.0, meanwhile, styles itself as an unorthodox service provider that "assists" organizations by breaking into their networks and then demanding compensation, which it presents not as a ransom but as a mere service fee.

“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing tactics and techniques of attackers due to innovation in the technology industry as a whole, including the rise of generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations have increased significantly,” stated Hanah Darley, Director of Threat Research at Darktrace. “Security teams face an uphill battle to stay ahead of attackers, and need a security stack that keeps them abreast of new attacks and not one that chases threats from yesterday.”

Known attack vectors, more complex payloads

Attack vectors remain traditional in many cases. Darktrace detected 10.4 million phishing emails between Sept. 1 and Dec. 31, for example. Yet this form of deception also keeps evolving. Phishing via Microsoft Teams is becoming more common: in one specific incident, Darktrace detected an attacker trying to get users to install DarkGate malware via a SharePoint link sent over Teams.

In addition, payloads are increasingly complex. Darktrace describes many new threats as "Swiss Army knives": if one attack attempt fails, the malware may still succeed by another route. The security firm cites the Black Basta ransomware group, which also distributes the Qakbot loader so that it has more than one way of gaining a successful foothold.
