Full Report
Explore key 2024 cybercrime trends, including the rise of malware-as-a-service (MaaS), mobile malware, and Chinese and Russian state-sponsored threats. Learn how Insikt Group's expanded tracking enhances threat detection and strengthens security defenses against evolving malicious infrastructure.
Analysis Summary
# Tool/Technique: LummaC2
## Overview
LummaC2 is a Malware-as-a-Service (MaaS) infostealer that saw a significant increase in prevalence in 2024, dominating command-and-control (C2) servers for infostealer operations. Its growth is attributed to continuous innovation and the disruption of competitor infostealers by law enforcement actions.
## Technical Details
- Type: Malware family (Infostealer MaaS)
- Platform: Not stated (Windows is implied, as the usual infostealer target, but the report does not say so explicitly)
- Capabilities: Command and Control infrastructure for distributed infostealer operations, rapid adaptation/innovation.
- First Seen: Trend observed developing into dominance in 2024.
## MITRE ATT&CK Mapping
*Mappings are generalized based on the classification as an 'infostealer C2 infrastructure':*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Likely used for C2 communication)
## Functionality
### Core Capabilities
- Operating as a Malware-as-a-Service (MaaS) offering for malicious actors.
- Primary function linked to information theft/exfiltration (infostealer).
- Dominating C2 infrastructure for active infostealer campaigns.
### Advanced Features
- Continuous innovation allowing it to rapidly outpace competitors disrupted by takedowns (e.g., RedLine Stealer).
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [Not provided in text]
- Network Indicators: [C2 servers associated with LummaC2 usage, not explicitly detailed]
- Behavioral Indicators: [C2 communication patterns associated with MaaS infrastructure]
## Associated Threat Actors
- Cybercrime ecosystem actors leveraging the MaaS platform.
## Detection Methods
- Detection should focus on network analysis of C2 traffic and behavioral detection of infostealer activity.
- Defenders are advised to deploy relevant detections like YARA, Sigma, and Snort based on associated activity.
## Mitigation Strategies
- Monitoring evolving malicious infrastructure dynamics.
- Enhancing network monitoring for C2 communications.
## Related Tools/Techniques
- Competitors disrupted by law enforcement: RedLine Stealer.
***
# Tool/Technique: AsyncRAT
## Overview
AsyncRAT is a prominent Remote Access Trojan (RAT) that remained a leading offensive security tool in 2024. It was frequently observed as the most prevalent malware across many victim regions globally.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: [Implied cross-platform or Windows/Android focus due to prevalence data]
- Capabilities: Remote administration, persistent access, general remote control.
- First Seen: [Not specified, but noted as a leading threat persisting into 2024]
## MITRE ATT&CK Mapping
*Mappings are generalized based on RAT classification:*
- TA0002 - Execution
- TA0009 - Collection
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Providing remote access and control capabilities to operators.
- High prevalence across wide geographic areas (North America, Europe, Oceania).
### Advanced Features
- High adaptability leading to its status as the most prevalent malware in most observed victim locations.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [Not provided in text]
- Network Indicators: [C2 patterns associated with AsyncRAT]
- Behavioral Indicators: Discovery, unusual process creation, communication over common ports/protocols used by RATs.
## Associated Threat Actors
- Generally utilized by various cybercrime entities (implied by broad regional prevalence).
## Detection Methods
- Specific threat intelligence (YARA, Snort rules) tracking AsyncRAT variants.
- Behavioral monitoring for remote access tools.
## Mitigation Strategies
- Prioritizing security controls against top malware families like AsyncRAT.
## Related Tools/Techniques
- QuasarRAT, Cobalt Strike, SectopRAT, PlugX, GobRAT (other prevalent malware identified).
***
# Tool/Technique: Quasar RAT
## Overview
Quasar RAT is another leading Remote Access Trojan (RAT) that persisted as a dominant tool throughout 2024, often ranking just behind AsyncRAT in prevalence across several regions.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: [Implied cross-platform or Windows focus]
- Capabilities: Remote administration and control.
- First Seen: [Not specified]
## MITRE ATT&CK Mapping
*Mappings are generalized based on RAT classification:*
- TA0009 - Collection
- TA0011 - Command and Control
## Functionality
### Core Capabilities
- Remote control functionalities.
- High usage observed among victims in North America and Asia.
### Advanced Features
- [No advanced features detailed beyond common RAT functionality and sustained prevalence.]
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [Not provided in text]
- Network Indicators: [C2 patterns associated with Quasar RAT]
- Behavioral Indicators: Remote shell activity, file system manipulation via remote channels.
## Associated Threat Actors
- Various cybercrime threat actors.
## Detection Methods
- Behavioral modeling to detect remote access sessions.
- Signature-based identification of Quasar RAT binaries.
## Mitigation Strategies
- Network segmentation and monitoring to limit lateral movement initiated by RATs.
## Related Tools/Techniques
- AsyncRAT, Cobalt Strike, SectopRAT.
***
# Tool/Technique: Cobalt Strike
## Overview
Cobalt Strike remains the dominant Offensive Security Tool (OST) framework used by threat actors, accounting for two-thirds of all Offensive Security Tool C2 servers tracked in 2024.
## Technical Details
- Type: Attack Tool/Framework (Adversary Simulation/C2 Framework)
- Platform: Cross-platform (primarily targets Windows/Linux endpoints via beacons)
- Capabilities: Command and control, post-exploitation, lateral movement, payload delivery.
- First Seen: [Established tool, noted for persistence in 2024]
## MITRE ATT&CK Mapping
*Mappings reflect framework capabilities:*
- TA0005 - Defense Evasion
- TA0008 - Lateral Movement
- TA0011 - Command and Control
- T1071.001 - Web Protocols
- T1573.002 - Encrypted Channel
## Functionality
### Core Capabilities
- Serving as the primary C2 backbone for high-level operations.
- Malleable C2 profiles allow for traffic shaping to evade detection.
### Advanced Features
- Highly configurable C2 infrastructure.
- jQuery was the most popular malleable profile used.
- The profile 'cs2modrewrite' targeted the highest number of victim countries.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [Not provided in text]
- Network Indicators: Malleable C2 traffic patterns, specific header/URI structures defined by chosen profiles.
- Behavioral Indicators: Injection techniques, process creation indicative of beacon loading.
## Associated Threat Actors
- Widely used by numerous groups, including state-sponsored actors and ransomware affiliates (e.g., Rhysida ransomware groups utilize TDS infrastructure often linked to high-end tools like Cobalt Strike).
## Detection Methods
- Network traffic analysis specifically targeting known Cobalt Strike indicators/C2 profiles (like Malleable C2 artifacts).
- Behavior analysis (e.g., process injection).
## Mitigation Strategies
- Hardening endpoints against initial execution and subsequent process injection.
- Advanced network monitoring capabilities to baseline and detect deviations from normal C2 traffic.
## Related Tools/Techniques
- Metasploit, Sliver, Brute Ratel C4 (both Sliver and Brute Ratel C4 detections showed significant increases).
***
# Tool/Technique: Latrodectus
## Overview
Latrodectus was the most dominant dropper and loader family observed in 2024, accounting for 33% of all related detections, despite disruptions in the broader loader ecosystem caused by law enforcement actions.
## Technical Details
- Type: Malware family (Dropper/Loader)
- Platform: Unknown (Likely Windows)
- Capabilities: Initial access, establishing foothold, downloading secondary payloads.
- First Seen: Most top families emerged post-2021, suggesting Latrodectus is a relatively new/recently dominant strain.
## MITRE ATT&CK Mapping
- TA0002 - Execution
- T1204 - User Execution (If associated with phishing/malicious documents)
- TA0003 - Persistence
- TA0005 - Defense Evasion
## Functionality
### Core Capabilities
- Delivery of secondary-stage malware payloads.
- High throughput in the loader ecosystem for 2024.
### Advanced Features
- Rapid evolution evidenced by its dominance despite disruptions affecting competitor loaders, indicating short lifespan/rapid renewal cycles.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [Not provided in text]
- Network Indicators: Initial beaconing post-execution.
- Behavioral Indicators: File drop activity, process hollowing or injection used to load next stage.
## Associated Threat Actors
- Actors requiring reliable initial access frameworks.
## Detection Methods
- Monitoring for common loader behaviors and execution chains.
- Signature-based detection targeting known Latrodectus binaries if available.
## Mitigation Strategies
- Strong application control policies.
- Email gateway security to preemptively filter malicious executables deployed by loaders.
## Related Tools/Techniques
- Other droppers/loaders experiencing ecosystem disruption.
***
# Tool/Technique: Traffic Distribution Systems (TDS) / TAG-124 Example
## Overview
Traffic Distribution Systems (TDS) continued to enhance cybercrime efficiency in 2024 by improving targeting, profitability, and evading detection. TAG-124 is cited as an example serving a broad user base, including ransomware groups like Rhysida.
## Technical Details
- Type: Technique/Infrastructure Category (Traffic Distribution System)
- Platform: Infrastructure layer (Web servers, CDNs, proxy services)
- Capabilities: Filtering traffic based on IP reputation, geolocation, system characteristics, and forwarding clean traffic or malicious payloads accordingly.
- First Seen: Established technique, highlighted for efficiency in 2024.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1030 - Data Collecting (Used for fingerprinting)
- TA0011 - Command and Control
- T1190 - Exploit Public-Facing Application (Often shields the final payload server)
## Functionality
### Core Capabilities
- Improving the efficiency and profitability of attack chains.
- Ensuring only targeted victims receive the actual malware/exploit chain.
### Advanced Features
- TAG-124 specifically served a diverse set of users, including ransomware groups, indicating a commercial or shared infrastructure model.
## Indicators of Compromise
- File Hashes: [Not applicable to the TDS infrastructure itself]
- File Names: [Not applicable]
- Registry Keys: [Not applicable]
- Network Indicators: Anomalous traffic routing patterns, rapid redirection to final destinations.
- Behavioral Indicators: IP reputation checking behavior across high-volume entry points.
## Associated Threat Actors
- Broad user base including ransomware groups (e.g., Rhysida).
## Detection Methods
- Monitoring DNS resolution patterns and HTTP redirects.
- Analyzing geographic distribution of initial contact vs. delivery.
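The two detection methods above, worked through as an added example that is not part of the Insikt Group report: constructed proxy redirect logs are grouped by entry URL, and an entry whose final destination forks cleanly along a visitor attribute (geolocation or client class) is flagged as the cloaking behaviour a TDS is described as performing. The log format, hostnames and client classes are assumptions constructed for this example.

```python
"""Flag TDS-style cloaking in proxy redirect logs (added example).

A Traffic Distribution System hands different visitors different final
destinations based on geolocation, IP reputation or client fingerprint.
Defender-side heuristic: group redirect chains by entry URL and check whether
the final host forks cleanly along a visitor attribute. Log format, hosts and
client classes below are constructed for this example, not real indicators.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: "<client_ip> <geo> <client_class> <entry_url> -> hop -> ... -> final"
SAMPLE_LOG = """\
198.51.100.7 US browser http://promo.example-ads.test/landing -> http://r1.example-tds.test/go?id=7 -> http://payload.example-bad.test/update.exe
203.0.113.9 DE browser http://promo.example-ads.test/landing -> http://r1.example-tds.test/go?id=7 -> http://payload.example-bad.test/update.exe
192.0.2.44 US scanner http://promo.example-ads.test/landing -> http://r1.example-tds.test/go?id=7 -> http://www.example.test/
192.0.2.45 US browser http://news.example-legit.test/story -> http://news.example-legit.test/story?amp=1
"""

def parse_line(line):
    head, *hops = [part.strip() for part in line.split("->")]
    client_ip, geo, client_class, entry = head.split()
    return {"ip": client_ip, "geo": geo, "client_class": client_class,
            "entry": entry, "chain": [entry] + hops}

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def host(url):
    return urlsplit(url).hostname or ""

def find_tds_candidates(records, attrs=("geo", "client_class")):
    """Return {entry_url: finding} for entries that fan out to more than one final host."""
    by_entry = defaultdict(list)
    for rec in records:
        by_entry[rec["entry"]].append(rec)
    findings = {}
    for entry, recs in by_entry.items():
        finals = {host(r["chain"][-1]) for r in recs}
        if len(finals) < 2:
            continue  # same destination for every visitor: no cloaking signal
        split_by = []
        for attr in attrs:
            per_value = defaultdict(set)
            for r in recs:
                per_value[r[attr]].add(host(r["chain"][-1]))
            # the attribute explains the fork only if each value maps to exactly one host
            if len(per_value) > 1 and all(len(v) == 1 for v in per_value.values()):
                split_by.append(attr)
        findings[entry] = {"final_hosts": sorted(finals), "split_by": split_by,
                           "max_hops": max(len(r["chain"]) - 1 for r in recs)}
    return findings

if __name__ == "__main__":
    for entry, finding in find_tds_candidates(parse_log(SAMPLE_LOG)).items():
        print(entry, finding)
```

In the constructed sample the geo attribute does not explain the fork (US visitors received both destinations), while the client class does, which is the pattern to escalate: a scanner-like client served a benign page where a browser was served a payload.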
## Mitigation Strategies
- Implementing geo-blocking or IP reputation filtering at the perimeter where appropriate.
- Reducing reliance on reputation built solely on network layer attributes.
## Related Tools/Techniques
- Use of CDNs and Relay Networks (e.g., ArcSilt, Cloudflare abuse).
***
# Tool/Technique: ArcSilt Relay Network
## Overview
ArcSilt is a relay network specifically noted for increased usage by Chinese state-sponsored groups in 2024. Relay networks are used to anonymize infrastructure and complicate victim identification.
## Technical Details
- Type: Infrastructure/Technique (Relay Network)
- Platform: Infrastructure Layer (Proxying/Anonymization services)
- Capabilities: Anonymization, blending traffic with legitimate services, obfuscating the true source of malicious activity.
- First Seen: Noted for expanded use in 2024 by Chinese APTs.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1090 - Proxy
- T1090.003 - Multi-hop Proxy
## Functionality
### Core Capabilities
- Providing a layer of indirection between the attacker and the target.
- Blending malicious traffic with legitimate traffic streams.
### Advanced Features
- Intended to complicate victim identification by masking the originating C2.
## Indicators of Compromise
- Network Indicators: Traffic flowing from known ArcSilt nodes towards targeted victim environments.
- Behavioral Indicators: High volume of relayed traffic that shows abnormal termination points or request patterns.
## Associated Threat Actors
- Chinese state-sponsored groups.
## Detection Methods
- Identifying known infrastructure associated with ArcSilt.
- Analyzing traffic chains to detect high-hop proxy systems.
## Mitigation Strategies
- Utilizing threat intelligence feeds containing known relay infrastructure.
- Employing deception technologies to lure traffic away from legitimate-looking relays.
## Related Tools/Techniques
- Abuse of other legitimate services (LIS) and CDNs (Cloudflare) used for proxying/hiding C2.
***
# Tool/Technique: GobRAT
## Overview
GobRAT is a backdoor specifically targeting Linux routers. It was detected among the top three prevalent malware families in the Netherlands in 2024.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Linux (Routers)
- Capabilities: Command execution and persistent presence on Linux-based networking devices.
- First Seen: Not specified, but prominent in 2024 European activity.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (Linux shell)
## Functionality
### Core Capabilities
- Maintaining unauthorized access on embedded Linux systems (routers).
- Implemented in Go (Golang).
### Advanced Features
- Targeting network edge devices (routers) expands the attack surface beyond traditional user workstations.
## Indicators of Compromise
- File Hashes: [Not provided in text]
- File Names: [Not provided in text]
- Registry Keys: [N/A for Linux endpoint binary]
- Network Indicators: Beaconing or C2 communication originating from the router interface.
- Behavioral Indicators: Evidence of Go language binary execution on router OS.
## Associated Threat Actors
- Actors targeting infrastructure devices in Europe (specifically the Netherlands).
## Detection Methods
- Network forensics on perimeter devices.
- Scanning router firmware/filesystem for unauthorized binaries.
## Mitigation Strategies
- Strict security hardening and credential management for network devices/routers.
- Network monitoring for anomalous outbound connections from IoT/Router segments.
## Related Tools/Techniques
- Other malware targeting IoT/network infrastructure.