Threat actors are converging on similar tactics across the board.
Cybercriminals are inventive and opportunistic, leveraging any advantage they can to gain access to sensitive data and assets.
However, they’re not as individualistic as often portrayed. Threat actors invest time and energy into maintaining relationships with other hackers, ransomware gangs, and criminal organizations. This can give them an edge when the threat landscape changes and new opportunities arise.
Now, several factors are contributing to major changes in the way cybercriminals operate. This article will cover some of those trends and explain how they influence the five most common malware attacks happening in 2024 so far.
Malware developers and cybercriminal operators are leveraging a combination of emerging technologies, under secured device formats, and structural deficiencies in the security industry. Here are some of the main themes influencing the types of malware cybercriminals are relying on the most in 2024:
AI gives cybercriminals new capabilities and lets them refine old ones
Threat actors already know how to use generative AI to write malicious code. This helps less proficient threat actors improve their technical capabilities and allows ransomware gangs to scale operations more effectively. It also breaks down language barriers, leading to much more sophisticated phishing and social engineering attacks.
Voice simulation software has already been used to run elaborate scams on corporate leadership. One CEO transferred a quarter of a million dollars to a hacker who simulated the voice of the parent company’s leader. Emerging video capabilities will only make the problem worse in the short term.
For cybercriminals, a mobile device used purely for personal use isn’t nearly as valuable as a business device. The problem is that organizations typically secure their devices with robust prevention-based policies that keep attackers out.
Organizations with loose Bring-Your-Own-Device (BYOD) policies make a much more compelling target. Security teams don’t always have the same level of visibility into mixed-use employee mobile devices, making them high-value targets.
The longstanding cybersecurity skills gap still complicates security efforts for small businesses, large enterprises, and everyone in between. Demand for information security talent continues to outpace supply, straining teams that must address bigger workloads.
This is a strong tailwind for malware developers and operators. Talent shortages increase mean time-to-detect (MTTD) and mean time-to-respond (MTTR) metrics. Even relatively poor-quality malware can reliably evade detection long enough to execute on a victim’s network.
The ransomware surge of the Pandemic era is a clear example of cybercriminals consolidating their tactics. After two years of reduced activity, ransomware began trending upwards again in 2023.
Several things have changed since ransomware first started making headlines, though. Instead of targeting large enterprises with highly involved attacks, cybercriminals are leveraging Ransomware-as-a-Service (RaaS) kits to carry out large-scale, high-frequency attacks against small businesses.
LockBit remains the most common ransomware tool set in use today by far. An international law enforcement operation seized 34 LockBit servers in February 2024, but it proved to be a short-lived setback for the threat actors in question. Only five days later, LockBit3.0 appeared.
Ransomware is a serious threat, but also one of the simplest risks to mitigate. Deploying a robust system of secure backups makes your organization resistant to almost all ransomware attacks. Organizations with high-quality backups can effectively ignore ransom demands and continue business as usual with no disruption.
Spyware can provide cybercriminals with login credentials, screenshots of sensitive data, and chat history data. In many cases, a successful spyware infection is all an attacker needs to gain entry to the network and become an insider threat.
Pegasus is an example of a popular spyware variant that collects data from Android and iOS mobile devices. It is well-suited for giving cybercriminals initial access to protected networks with BYOD policies, allowing them to conduct lateral movement and find more valuable assets to compromise.
Pegasus can exfiltrate emails, SMS messages, app data, location services, audio recordings, and photos. This makes it a powerful tool for cybercriminals who aim to gain privileged insider access to network assets. The ability to exfiltrate one-time-passwords from multi-factor authentication systems makes it particularly dangerous.
Safeguarding network assets against insider threats demands combining multiple technologies and approaches. Zero Trust architecture limits the damage associated with compromised accounts, while User Entity and Behavioral Analytics (UEBA) enables insider risk teams to detect malicious insiders based on their observed activity.
Trojans trick users into running malicious executions by disguising themselves as legitimate applications. RATs are a particular type of trojan that is gaining in popularity among cybercriminals. By granting remote access, they enable hackers to directly control endpoint devices.
This allows the attacker to carry out multiple types of cyberattacks with great flexibility. Attackers may even sell insider access to other hackers, or lay dormant for long periods of time while waiting for the opportune moment to strike.
Gh0st is a RAT (Remote Access Trojan) used to gain control over infected endpoints. Unlike many other common types of malware, Gh0st is manually dropped into victims’ networks as a payload. That means Gh0st victims are necessarily already compromised by at least one other type of malware.
Web application firewalls are the first line of defense against remote access trojans. Organizations must also implement Zero Trust security architecture and invest in comprehensive insider risk programs. Behavioral analytics enriched with detailed historical log data is vital for distinguishing between malicious remote access and false positives.
Cryptojacking fell out of favor after the price of Bitcoin crashed in 2022. As of March 2024, the cryptocurrency has surged to new all-time highs — and made cryptojacking more profitable than ever.
Most cryptojacking malware does not mine Bitcoin, but lesser-known alternatives that are computationally easier to distribute. CoinMiner is an entire family of cryptojacking solutions that mine Monero and Zcash. They typically spread across networks by abusing Windows Management Instrumentation and establish persistence using WMI Standard Event Consumer scripting.
Cryptojacking is not often considered a high-priority threat because it steals processing power and bandwidth instead of data or money. However, cryptojacking forces organizations to increase IT expenditure and leads to unpredictable IT performance. This can lead to downtime, additional security vulnerabilities, and other negative outcomes.
Network detection and response (NDR) solutions can provide key insight into cryptojacking attacks. Analysis might show that certain devices are exhibiting poor performance and making unusual connections outside the network. Analysts can then investigate and check users’ web activity to find out if employees visited suspicious web pages.
Not all malware is designed for a single use case scenario. Sophisticated variants like SocGholish can perform multiple actions in response to threat actor commands.
For example, threat actors can use SocGholish to redirect traffic, and deliver malware payloads masquerading as software updates, subsequently obtaining information from the victim’s system. They can force the system to download additional exploit kits and even ransomware.
These capabilities add to software bloat, making tools like SocGholish easier to detect than other types of malware. However, they can also make malware neutralization more difficult. This type of malware may structure its actions in multiple stages and use a variety of obfuscation and evasion methods.
Multi-use malware is easy to detect because it interacts with many different parts of your IT infrastructure. Connecting the dots between these interactions is key. Make sure your Security Information and Event Management (SIEM) platform provides complete visibility into your IT infrastructure so you can quickly piece together the chain of events that indicates a multi-use malware attack.
Lumifi’s 24/7 managed detection and response solution provides comprehensive protection to organizations facing new and emerging threats. Gain visibility into your network and leverage our proprietary SOC automation service to safeguard your most valuable assets from cybercriminals.
