August 15, 2024

Overview of Malware Landscape in First Half of 2024

Learn about the malware landscape in the first half of 2024 from this blog post, which covers the most common malware types and malware families along with analyses of real samples.
Threat.Zone

As we step into 2024, the digital landscape remains a battleground where sophisticated malware types not only persist but evolve, each crafted with precise targets and objectives by their nefarious creators. These digital threats range from stealthy stealers siphoning confidential data to aggressive ransomware crippling entire industries, underlining a critical need for vigilant cybersecurity measures. We especially see attackers' aims shifting toward easy profits and espionage, which shapes which malware families are popular right now. Here's an insight into the prominent malware threats and their operational strategies, shaping the cyber threat horizon in the first half of 2024.

Let's have a look at the most common malware types and malware families of 2024 and their analysis:

Stealers

These malware types are primarily used by cybercriminals aiming to harvest personal and financial information from individuals and organizations to use directly or sell to other parties. They are favored for their efficiency in collecting a wide range of data quickly.

RedLine is a notorious information stealer first detected in 2020, designed primarily to extract a wide range of sensitive data from infected systems. This malware quickly gained prominence among cybercriminals due to its ability to steal passwords, browser cookies, credit card details, and cryptocurrency wallets. RedLine operates by deploying a lightweight executable that scans the system for valuable information, capturing data from multiple sources including browsers and text files. Once active, it can also download additional payloads or update itself to evade detection and enhance its capabilities. The malware is typically spread through malicious email campaigns, compromised websites, or bundled with pirated software, exploiting users’ lapses in security practices or software vulnerabilities. RedLine targets both individual users and corporate networks, capitalizing on environments with inadequate cybersecurity measures to maximize data theft and financial gains.

Detailed static and dynamic analysis of RedLine sample [see sample]

Vidar is an advanced information stealer that surfaced around 2018, known for its ability to swiftly and stealthily extract a wide range of sensitive data from compromised systems. This malware specializes in the theft of browser history, cookies, wallet files, and system information, and can also capture two-factor authentication data stored on the system. Vidar operates by executing a sequence of modular actions tailored to identify and extract specific types of data, allowing for customized theft depending on the attacker's needs. Once it has gathered the required information, Vidar sends this data to a remote server controlled by the attacker and can download further malicious payloads to deepen the infiltration. It is commonly distributed through malicious advertising (malvertising), phishing emails, or as a secondary payload delivered by other malware. Vidar primarily targets individual users but is also a threat to businesses, particularly those lacking robust multi-layered security defenses.

Detailed static and dynamic analysis of Vidar sample [see sample]

Formbook is a potent infostealer malware that has been actively circulating since 2016, widely recognized for its robust capabilities in capturing keystrokes, extracting form data from web browsers, and taking screenshots. This malware also excels in collecting credentials from various web browsers and email clients, and in capturing clipboard contents, all of which are highly valuable for cybercriminal activities. Formbook hides itself within system processes to evade detection and ensures persistence by modifying system registry entries. Once active, it can execute commands received from a command and control (C&C) server, including downloading additional malware or updating its own components to evade detection efforts. It spreads predominantly through malspam campaigns that lure users into executing malicious attachments disguised as legitimate documents. Targeting both individuals and corporations, Formbook is particularly prevalent in environments where security measures are not stringent, leveraging any security lapse to maximize data theft and system control.

Detailed static and dynamic analysis of Formbook sample [see sample]

RATs (Remote Access Trojans)

RATs are commonly employed by attackers seeking deep control over compromised systems. These tools allow for remote administrative control, making them suitable for espionage, data theft, and long-term access to infected systems.

Agent Tesla is a sophisticated Remote Access Trojan (RAT) active since 2014, designed to steal sensitive information from compromised systems. It has become a popular tool among cybercriminals for conducting espionage, credential theft, and surveillance, thanks to its wide range of capabilities and continual evolution. The malware operates by capturing keystrokes, taking screenshots, collecting data from browsers and email clients, executing commands, and sending gathered information to a command and control (C&C) server. Once installed, Agent Tesla can perform actions like downloading additional malware, updating itself, or executing system commands that alter the machine's state. It primarily spreads through malspam campaigns, which include malicious emails with infected attachments or links to harmful websites. Target victims include corporate environments, government agencies, and individuals, particularly those with access to valuable personal and financial information.

Detailed static and dynamic analysis of Agent Tesla sample [see sample]

Remcos is a powerful Remote Access Trojan (RAT) that first emerged in 2016, renowned for its extensive control over compromised systems. Often marketed as a legitimate tool for remote administration, it has been widely adopted by cybercriminals for nefarious purposes such as surveillance, data theft, and remote system control. The malware provides capabilities such as keylogging, screen capture, audio recording, and downloading or executing additional payloads. Once installed, Remcos can manipulate files, modify registry entries, and control system processes to maintain persistence and avoid detection. It spreads primarily through phishing emails that contain malicious attachments disguised as legitimate documents, prompting users to enable macros which then install the malware. Remcos targets a wide range of sectors, including small businesses, educational institutions, and individuals, exploiting those with weaker security measures or valuable data.

Detailed static and dynamic analysis of Remcos sample [see sample]
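Both Formbook and Remcos, as described above, keep their foothold by writing to registry entries, and the registry autostart locations (Run, RunOnce, Winlogon, the Startup folder) are where that is most often visible to a defender. The following is an added example written for this post, not Threat.Zone's code and not tied to any specific sample: it runs a simple detection rule over constructed, pipe-separated log lines that mimic Sysmon Event ID 13 (registry value set) with its real field names Image, TargetObject and Details. The log format, the sample lines, the list of user-writable directories and the severity thresholds are all assumptions chosen for the example.

```python
"""Flag registry autostart persistence in Sysmon-style 'value set' events.

Added example for this post; not Threat.Zone's code. The event lines are
constructed, and the pipe-separated "Key=Value" layout is an assumption;
real Sysmon telemetry arrives as XML/EVTX with the same field names.
"""
import re
from dataclasses import dataclass

# Autostart locations routinely abused for persistence (ATT&CK T1547.001).
AUTOSTART_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE),
    re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE),
    re.compile(r"\\CurrentVersion\\Explorer\\(User )?Shell Folders\\(Common )?Startup$",
               re.IGNORECASE),
]
# Default Winlogon values on a stock Windows install (lower-cased for comparison).
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}
# Directories a non-admin process can write to; payloads dropped by malspam
# attachments usually live here rather than under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\",
                           re.IGNORECASE)


@dataclass
class Alert:
    image: str      # process that performed the write
    target: str     # registry path written
    details: str    # value data written
    reasons: list

    @property
    def severity(self) -> str:
        # A bare autostart write is normal for installers; extra indicators
        # (user-writable paths, tampered Winlogon values) raise it to high.
        return "high" if len(self.reasons) > 1 else "info"


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' log line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_autostart(target: str) -> bool:
    return any(p.search(target) for p in AUTOSTART_PATTERNS)


def assess(event: dict):
    """Return an Alert for an autostart write, or None if the event is benign."""
    if event.get("EventID") != "13":           # only registry 'value set' events
        return None
    target = event.get("TargetObject", "")
    if not is_autostart(target):
        return None
    image = event.get("Image", "")
    details = event.get("Details", "")
    reasons = ["write to a registry autostart location"]
    if USER_WRITABLE.search(details):
        reasons.append("autostart value points into a user-writable directory")
    if USER_WRITABLE.search(image):
        reasons.append("writing process itself runs from a user-writable directory")
    name = target.rsplit("\\", 1)[-1].lower()
    if "winlogon" in target.lower() and name in WINLOGON_DEFAULTS \
            and details.strip().lower() != WINLOGON_DEFAULTS[name]:
        reasons.append(f"Winlogon {name} value differs from the Windows default")
    return Alert(image, target, details, reasons)


def scan(lines):
    """Run assess() over every line and return the alerts in order."""
    alerts = []
    for line in lines:
        alert = assess(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater|Details=C:\Program Files\Vendor\updater.exe",
    r"EventID=13|Image=C:\Users\bob\AppData\Local\Temp\invoice.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate|Details=C:\Users\bob\AppData\Roaming\Microsoft\wupd.exe",
    r"EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)",
    r"EventID=13|Image=C:\Users\bob\AppData\Local\Temp\invoice.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details=explorer.exe, C:\Users\bob\AppData\Roaming\wupd.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.image} -> {alert.target}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

Of the five constructed events, the installer's Run-key write is reported at info level only, the Explorer preference change and the process-creation event produce nothing, and the two writes from the attachment dropped in Temp are rated high because the writer and the value it sets both sit in user-writable directories (and, in the last case, the Winlogon Shell value no longer equals the default). In production the same rule would be fed from a SIEM query over Sysmon events and tuned with an allow-list of known installers.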

NjRAT, also known as Bladabindi, is a Remote Access Trojan (RAT) that first appeared in 2012, initially targeting users in the Middle East but since gaining a much broader reach. It is known for its capability to remotely control compromised systems, enabling attackers to capture keystrokes, access the webcam, steal credentials, and manipulate system files and processes. NjRAT can also download additional malicious software and execute commands, effectively turning the infected machine into a bot for further malicious activities. This malware spreads mainly through phishing emails, infected USB drives, or drive-by downloads from compromised websites, leveraging social engineering to trick users into initiating the infection process. Once installed, it connects to a command and control (C&C) server, allowing attackers to exfiltrate sensitive data or deploy additional malware. NjRAT targets a wide array of victims, from individuals to large organizations, exploiting weak security practices to establish a foothold within networks.

Detailed static and dynamic analysis of NjRAT sample [see sample]

AsyncRAT is a Remote Access Trojan designed to provide the attacker with complete control over the infected systems, facilitating extensive surveillance, data theft, and remote command execution. Launched into the cyber threat landscape as an open-source project, it is particularly attractive to cybercriminals due to its robust feature set and the ability to remain undetected. AsyncRAT can capture keystrokes, access the webcam and microphone, browse and transfer files, and gather system and network information. It typically infects systems through malicious email attachments, infected software downloads, or via other malware payloads. Once installed, it connects back to a command and control (C&C) server, receiving commands from the attacker and sending collected data, allowing for dynamic and responsive control over the compromised system. AsyncRAT is primarily used against individuals and small to medium-sized businesses, exploiting less stringent security environments to maximize its impact.

Detailed static and dynamic analysis of AsyncRAT sample [see sample]

Loaders and Downloaders

Loaders and downloaders are types of malware specifically designed to facilitate the delivery and execution of additional malicious payloads onto compromised systems. These tools are essential for attackers aiming to orchestrate complex, multi-stage attacks, as they allow for the sequential deployment of various threats tailored to the vulnerabilities and defenses of the target system. By securing a foothold within the system, loaders and downloaders enable cybercriminals to adapt and escalate their attack strategies, effectively broadening the scope and impact of their malicious activities.

Qbot, also known as Qakbot, is a sophisticated banking Trojan that first appeared in 2008, initially focusing on financial sectors to steal banking credentials and sensitive financial information. Over the years, Qbot has evolved into a multifaceted threat, incorporating features such as keylogging, credential theft, and notably, acting as a loader to deploy additional malware, which amplifies its danger significantly. Its advanced evasion tactics, including anti-VM, anti-debugging, and anti-sandbox functionalities, enable it to remain undetected by conventional security software. The malware predominantly spreads through malspam campaigns, leveraging malicious email attachments or deceptive links that mimic legitimate communications. Once installed, Qbot infects the system and can manipulate web sessions by hooking into browser processes, particularly targeting online banking transactions. Its ability to spread across networks by exploiting vulnerabilities or using stolen credentials not only threatens financial institutions but also exposes various other sectors to potential breaches and extensive network infections.

IcedID, also known as BokBot, is a banking Trojan that emerged in 2017, primarily targeting financial institutions by intercepting and manipulating banking sessions to steal credentials and financial data. Over time, IcedID has expanded its functionality to become a formidable loader, capable of delivering a range of secondary payloads, including ransomware and other banking Trojans, which considerably widens the threat it poses. It employs sophisticated evasion techniques, such as environmental awareness, which allows it to detect and evade analysis tools and virtualized environments. The malware is mainly distributed through phishing campaigns, using malicious email attachments or compromised websites to infect systems. Once installed, IcedID establishes persistence on the host machine and sets up a local proxy to redirect and manipulate web traffic, which is especially dangerous during online banking operations. Its role as a loader amplifies its threat, enabling widespread network infiltration and potentially devastating multi-vector attacks on targeted organizations.

Detailed static and dynamic analysis of IcedID sample [see sample]

Pikabot is a relatively new entry in the realm of malware, emerging prominently as both a stealthy information stealer and an effective loader. It is designed to siphon off a wide array of personal and financial data from infected systems, including login credentials, financial information, and other sensitive personal data. Pikabot distinguishes itself with robust evasion capabilities, using techniques like obfuscation and polymorphism to avoid detection by antivirus software. The malware spreads primarily through phishing emails and malicious downloads, enticing users to inadvertently execute the malware by disguising it as a legitimate file or software update. Once activated, Pikabot not only steals information but also acts as a loader, capable of downloading and installing additional malicious payloads onto the infected system. This dual functionality makes Pikabot a versatile tool for cybercriminals, enabling a range of destructive activities from data theft to facilitating further network breaches.

Detailed static and dynamic analysis of Pikabot sample [see sample]

Ransomware

Ransomware remains a significant threat and has become increasingly prevalent in 2024, with cybercriminal groups intensifying attacks on a range of sectors including healthcare, manufacturing, government organizations, and education. These malicious operations are designed to encrypt critical data within these institutions, effectively holding it hostage to demand ransom payments. The impact of these attacks is profound, causing severe operational disruptions and compromising the delivery of essential services. This escalation underscores the need for heightened security measures across all vulnerable industries to mitigate the risk and potential damage of ransomware incidents.

LockBit 3.0 is an advanced iteration of the notorious LockBit ransomware family, known for its rapid encryption speed and aggressive extortion tactics. Emerging as a significant threat, it primarily targets corporate networks to encrypt valuable data and demands ransom through a victim-shaming site where it threatens to release the stolen data unless the ransom is paid. LockBit 3.0 enhances its predecessors' capabilities with improved evasion techniques, making it harder to detect and mitigate. It often gains entry into networks through phishing campaigns, exploiting vulnerabilities, or credential stuffing, quickly spreading laterally across the network once inside. Beyond its primary role as ransomware, LockBit 3.0 also functions as a loader, capable of deploying additional payloads, which can include further malware or tools that assist in maintaining access and control over the compromised systems. This dual functionality makes LockBit 3.0 a particularly dangerous threat to organizations, combining direct financial extortion with potential long-term network compromise.

Detailed static and dynamic analysis of LockBit 3.0 sample [see sample]

BlackCat, also known as ALPHV, is a highly sophisticated ransomware strain that emerged in late 2021, notable for being one of the first ransomware families fully written in the Rust programming language, which enhances its performance and evasion capabilities. ALPHV targets a wide range of industries globally, employing advanced techniques to infiltrate corporate networks, encrypt data, and exfiltrate sensitive information. It operates on a ransomware-as-a-service (RaaS) model, allowing affiliates to deploy the ransomware while the core developers take a cut of the profits. ALPHV spreads through various methods, including phishing, exploiting vulnerabilities, and accessing networks via compromised credentials, demonstrating its versatility in deployment. Beyond its primary ransomware functionality, ALPHV also acts as a loader for additional malware, thereby increasing the damage potential by facilitating further attacks and maintaining persistence within the infected systems. This dual role makes ALPHV/BlackCat not just a direct threat in terms of data encryption and ransom demands but also a broader security risk capable of enabling subsequent cyber attacks.

Detailed static and dynamic analysis of ALPHV sample [see sample]

Keyloggers

Designed to secretly monitor and log all keystrokes, keyloggers are utilized both by cyber espionage groups and common cybercriminals. They are effective for stealing credentials and other sensitive information typed by a user.

Hawkeye is a prominent keylogger and information stealer that has been active since 2013, targeting a wide range of industries globally. Distributed primarily through phishing campaigns, Hawkeye exploits unsuspecting users by masquerading as legitimate software or email attachments. Once installed, it employs advanced keylogging capabilities to record every keystroke on the infected machine, effectively capturing passwords, financial information, and other sensitive data. This malware also includes functionalities to steal credentials from web browsers, email clients, and various third-party applications, further compromising the security of the affected systems. In addition to these direct data theft capabilities, Hawkeye can download and execute additional payloads, enhancing its impact by enabling attackers to deploy further malicious activities such as ransomware or additional spying tools. This combination of keylogging, data theft, and loader capabilities makes Hawkeye a versatile and formidable threat in the cybersecurity landscape.

Amadey, a malware loader known since 2018, also exhibits significant keylogger capabilities, enhancing its threat profile. Primarily distributed through phishing emails and exploit kits, Amadey targets unsuspecting users by enticing them to download a seemingly benign attachment that unleashes the malware. Once activated, Amadey's keylogger function begins monitoring and recording every keystroke, effectively capturing passwords, credit card details, and other sensitive personal information. This data can then be sent back to cybercriminals for fraudulent purposes or leveraged to gain deeper access to victims' networks. In addition to its keylogging activities, Amadey serves as a versatile loader, capable of downloading and executing a variety of secondary payloads such as ransomware and spyware. This dual functionality makes Amadey particularly dangerous, as it not only compromises the confidentiality of data directly through keylogging but also paves the way for subsequent, more destructive cyber attacks.

Detailed static and dynamic analysis of Amadey sample [see sample]

You can strengthen your defense, have strong and effective procedures, and stay constantly aware of potential threats by understanding the strategies used by malicious actors and the specific malware families aiming to harm you. Don't forget! Knowing your enemy and their tools is not only an advantage but a necessity to make sure your data and systems are safe. Stay informed and secure; keep yourself protected against these threats. If you'd like to start protecting yourself, register for Threat.Zone for free and start analyzing your files now.

Authors

  • Sinan Ugur Atak, Head of RevOps at Malwation
  • Berk Albayrak, Threat Research Team Lead at Malwation