Malware Trends and Analysis
Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active IR and MDR case data to generate lists of the most active malware strains for comparison.
Top 10 Malware Strains – Q4 2023
Malware and Ransomware Steal the Limelight
Like Q3, Q4 saw some dramatic changes to the malware and ransomware landscape, with many being a direct result of law enforcement activity to disrupt and degrade the infrastructure of some of the most prolific types. In August, the QAKBOT botnet was heavily disrupted, leading to infrastructure changes and a significant drop in QAKBOT infections in Q3. However, the attempts of threat actors to rebuild the botnet put it firmly back in the top 10 list in Q4. In yet another twist to the tale, although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections.
Notably, the threat actor tracked by Kroll as KTA248 (TA577, TR), also one of the actors that operated huge QAKBOT campaigns, began deploying new malware strains to gain initial access into corporate environments. This meant that, while in Q3 we saw significant increases in DARKGATE, PIKABOT tops our list for Q4. Both malware strains are operated by KTA248 as a potential successor to QAKBOT. Kroll observed a significant overlap between PIKABOT and QAKBOT infrastructure from early- to mid-2023. In November, Kroll noted a reply-chain phishing campaign delivering PIKABOT.
Infostealers also make up more of the quarterly top 10 in Q4, with LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market.
Underground Usage of Infostealer Malware on the Rise
Q4 2023 saw the strengthening of the trend in which infostealer malware has become its own ecosystem in the cybercriminal underground. Infostealer logs are a significant factor in the initial access broker market: threat actors who specialize in selling access they have gained to corporate environments to ransomware operators, who then complete the attack chain and extort the victim.
Infostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. This means there is often little specific targeting of individuals or organizations, although targeting is possible. Threat actors hope to infect as many individuals as possible in order to collect as many credentials as they can. However, this often presents an unseen risk to corporate environments, because employees' personal machines can become infected. These machines may hold corporate credentials, or personal credentials that present a reuse threat, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways.
One of the most common varieties of infostealer we currently encounter is REDLINESTEALER.
REDLINESTEALER
REDLINESTEALER, or simply REDLINE, is available on underground forums through a monthly subscription service that gives an attacker access to the REDLINE panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems. REDLINE collects this data from a number of sources, including the SQLite databases of installed browsers, VPN credentials and cryptocurrency wallets (e.g., files matching *.wallet).
If REDLINE is found to have been executed on a device, it is safe to assume that any credentials stored locally on that device have been compromised. REDLINE can also download files, so further payloads are likely to be deployed to a victim device should a threat actor require more functionality for their objectives (e.g., high-bandwidth data exfiltration or ransomware).
In Q4, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINE. In this instance, the lure was PDF converter software: users were likely searching for a legitimate copy of a tool or, in some cases, for innocuous phrases such as “printable calendars” or “business models.” However, the malicious “pdfconvertercompare[.]com” site was presented early in the search results. This site is still active and serving malware as of January 2024.
Free Exfiltration Mechanisms Scale up the Infostealer Threat
Because infostealer malware is commonly sold as part of a service, the threat actors running these services will often turn to free services as a scalable way both to control the malware and to exfiltrate data. Infostealers are sold directly on Telegram, and the same service is used to control the malware and to host extracted victim data. Similarly, VIDAR has used Steam usernames to host C2 information, and many infostealers use services such as Discord to store exfiltrated data. For these reasons, Kroll recommends blocking Steam, Telegram and Discord domains if they are not used for business activities.
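A practical complement to the blocking recommendation above is to review outbound proxy or DNS logs for hosts reaching the three services, so that infected machines and unexpected business use are both surfaced before a block is enforced. The script below is an added example written for this page, not Kroll's tooling; the log format, the domain list for each service and the allowlist entry are assumptions and should be checked against your own proxy schema and threat intelligence before use. The sample log lines are constructed.

```python
"""Flag proxy log entries that reach free services infostealers commonly use
for C2 and exfiltration (Telegram, Discord, Steam), honouring an allowlist
for hosts with a legitimate business need.

Added example: log format, domain sets and allowlist are assumptions.
"""
import re
from collections import defaultdict

# Assumed registrable domains for each service named in the report.
# Verify and extend this list against your own threat intelligence.
WATCHED_SERVICES = {
    "telegram": {"telegram.org", "telegram.me", "t.me"},
    "discord": {"discord.com", "discordapp.com", "discord.gg"},
    "steam": {"steamcommunity.com", "steampowered.com"},
}

# Hypothetical allowlist: (source IP, service) pairs with an approved business use.
ALLOWLIST = {("10.0.5.21", "discord")}

# Assumed proxy log layout: "<timestamp> <source-ip> <destination-host> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<action>\S+)$"
)


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. cdn.discordapp.com -> discordapp.com.
    Two labels are sufficient for the services watched here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Return the watched service a hostname belongs to, or None."""
    dom = registrable_domain(host)
    for service, domains in WATCHED_SERVICES.items():
        if dom in domains:
            return service
    return None


def scan_proxy_log(lines):
    """Return (timestamp, source_ip, host, service) for every non-allowlisted
    line that reaches a watched service. Lines not matching LOG_RE are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        service = classify_host(m["host"])
        if service is None or (m["src"], service) in ALLOWLIST:
            continue
        hits.append((m["ts"], m["src"], m["host"], service))
    return hits


def summarize_by_source(hits):
    """Map each source IP to the sorted list of watched services it contacted,
    which is the view an analyst triages: one host touching Telegram and Discord
    with no business reason warrants a closer look."""
    per_src = defaultdict(set)
    for _, src, _, service in hits:
        per_src[src].add(service)
    return {src: sorted(services) for src, services in per_src.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-08T09:14:02Z 10.0.5.17 api.telegram.org ALLOWED",
    "2024-01-08T09:14:05Z 10.0.5.17 www.microsoft.com ALLOWED",
    "2024-01-08T09:15:41Z 10.0.5.21 cdn.discordapp.com ALLOWED",  # allowlisted host
    "2024-01-08T09:16:03Z 10.0.5.30 discord.com ALLOWED",
    "2024-01-08T09:17:22Z 10.0.5.30 steamcommunity.com ALLOWED",
    "2024-01-08T09:18:00Z 10.0.5.30 store.steampowered.com ALLOWED",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    flagged = scan_proxy_log(SAMPLE_LOG)
    for ts, src, host, service in flagged:
        print(f"{ts} {src} -> {host} [{service}]")
    print(summarize_by_source(flagged))
```

Running the script on the sample lines reports four flagged connections: one Telegram request from 10.0.5.17 and Discord plus Steam requests from 10.0.5.30, while the allowlisted Discord traffic from 10.0.5.21 is suppressed. In production, feed the real proxy export into scan_proxy_log and treat any source that appears in the summary without a matching allowlist entry as a candidate for the block the report recommends, and for an infostealer triage of that host.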