A view of the H2 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
# Incident Report: H2 2024 Threat Landscape Summary
## Executive Summary
The second half of 2024 saw significant shifts in the cyber threat landscape: RansomHub rose to the top of the ransomware scene, and Formbook and Lumma Stealer became the dominant infostealers after the October 2024 takedown of RedLine Stealer. A notable trend on mobile was the abuse of Progressive Web App (PWA) and WebAPK technology to deliver phishing apps that impersonate banking apps while sidestepping the "install from unknown sources" prompt and app-store review, driving an increase in financial credential theft.
## Incident Details
- **Discovery Date:** General telemetry review covering H2 2024 (ending December 16, 2024)
- **Incident Date:** Throughout H2 2024
- **Affected Organization:** Not a single targeted event; generalized threat landscape observations.
- **Sector:** Wide-ranging, with specific impact noted on finance/cryptocurrency and accommodation booking sectors.
- **Geography:** Global, based on ESET telemetry observations.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout H2 2024
- **Vector:** Social engineering (deepfake videos and investment scams), phishing PWAs/WebAPKs delivered through the browser, and compromised legitimate accounts on accommodation platforms (Telekopye).
- **Details:** Investment scams using deepfake videos and hijacked company branding (detected as HTML/Nomani) increased by 335%. Novel mobile phishing installed bank-lookalike PWAs/WebAPKs from the browser, so victims never saw the "unknown sources" prompt that a sideloaded APK would trigger; the "app" is web content packaged as a home-screen app, not a conventional malware binary.
### Lateral Movement
- *Not described in the report. The infostealer activity cited (Formbook, Lumma Stealer) is single-host credential and wallet collection; it is not lateral movement, and the report does not attribute lateral movement to it.*
### Data Exfiltration/Impact
- **Data Stolen:** Passwords, banking credentials and cryptocurrency wallet data targeted by infostealers (Formbook, Lumma Stealer). macOS Password Stealing Ware detections rose by more than 100%, and Android financial threats grew by 20%.
- **Ransom Payment Extortion:** Hundreds of victims attributed to RansomHub ransomware activity.
### Detection & Response
- **How it was discovered:** ESET telemetry monitoring and threat research analysis.
- **Response actions taken:** International law enforcement took down RedLine Stealer infrastructure in October 2024; Formbook and Lumma Stealer subsequently absorbed its share of detections.
## Attack Methodology
- **Initial Access:** Browser-installed phishing PWAs/WebAPKs on mobile; social engineering (deepfake investment scams); fraudulent payment pages sent from compromised accommodation-provider accounts (Telekopye).
- **Persistence:** Not detailed in the report. MaaS is a distribution and business model, not a persistence mechanism; any persistence is payload-specific.
- **Privilege Escalation:** Not detailed in the report, although ransomware deployment (RansomHub) normally requires it.
- **Defense Evasion:** Phishing PWAs/WebAPKs are installed through the browser, so they never trigger the "install from unknown sources" prompt or pass through app-store review, the two control points a sideloaded APK would hit.
- **Credential Access:** Infostealers (Formbook, Lumma Stealer, and RedLine before its takedown) targeting passwords, banking apps, and crypto wallets.
- **Discovery:** Not detailed in the report.
- **Lateral Movement:** Not detailed in the report, although standard for ransomware operators such as RansomHub.
- **Collection:** Cryptocurrency wallet credentials and other sensitive data harvested by infostealers.
- **Exfiltration:** Infostealer logs sent to operator-controlled C2; not otherwise detailed.
- **Impact:** Financial loss, data theft, operational disruption (ransomware).
## Impact Assessment
- **Financial:** Not quantified in the report; losses stem from ransomware extortion, cryptocurrency theft, investment scams and fraudulent booking payments.
- **Data Breach:** Cryptocurrency wallet credentials, banking information, and various sensitive data targeted by infostealers.
- **Operational:** Disruption caused by RansomHub ransomware campaigns.
- **Reputational:** Damage from investment scams (HTML/Nomani) and fraudulent accommodation booking schemes (Telekopye).
## Indicators of Compromise
*Since this is a broad threat landscape report, no specific IOCs are provided. The following are indicator classes a defender would collect from the referenced malware families, not indicators taken from the report.*
- **Network indicators:** C2 domains/IPs for Formbook and Lumma Stealer operations and RansomHub infrastructure, obtained from vendor or sharing-community feeds.
- **File indicators:** Hashes of known Formbook payloads, Lumma Stealer binaries, and RansomHub encryptors.
- **Behavioral indicators:** On mobile fleets, PWA shortcuts or WebAPK packages whose name and icon imitate a banking app while their start URL is not the bank's domain; on endpoints, processes reading browser credential stores and wallet files (consistent with infostealer collection) and mass file encryption with new outbound connections (consistent with ransomware).
## Response Actions
- **Containment measures:** For PWA/WebAPK phishing, remove the offending home-screen app or WebAPK package and treat any credentials entered into it as compromised. For ransomware, isolate affected systems.
- **Eradication steps:** Remove infostealer variants (Formbook, Lumma Stealer) from endpoints.
- **Recovery actions:** Restore services encrypted by ransomware; reset credentials exposed via infostealers and invalidate active sessions and tokens, since these stealers also take browser session cookies, so a password reset alone does not evict the attacker.
## Lessons Learned
- **Key takeaways:** MaaS models continue to lower the barrier to entry for cybercrime, so when an established service is removed (RedLine), others fill the gap within months. PWAs and WebAPKs are legitimate platform features; their abuse means the "unknown sources" prompt can no longer be relied on as the control point for what gets installed on a phone.
- **What could have been done better:** Organizations need controls that inventory and scrutinize browser-installed apps (PWA shortcuts and WebAPK packages) on managed mobile devices, not only sideloaded APKs.
## Recommendations
- **Prevention measures for similar incidents:** Harden mobile device policies to inventory and scrutinize PWA/WebAPK installations. Deploy protection against credential-theft malware (infostealers) and rotate credentials and sessions on any detection. Focus on the vectors the telemetry actually shows (social engineering, browser-installed phishing apps, compromised platform accounts) rather than on patching alone. Increase user awareness of social engineering lures involving deepfakes, investment promises, or unexpected payment requests on booking platforms.
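As an added example (not code from the ESET report or any ESET tooling), the following Python shows two checks a mobile fleet owner can run against the PWA/WebAPK phishing pattern described under Defense Evasion and in the recommendations above: inventory Chrome-minted WebAPKs from `adb shell pm list packages -f` output, and flag a web app manifest that borrows a bank's name while being served from an unrelated host. The `org.chromium.webapk.` package prefix is an assumption about how Chrome names WebAPKs and should be verified against your devices; the brand allowlist, sample inventory and manifests are constructed.

```python
"""Hunt for phishing PWAs/WebAPKs on an Android fleet (added example).

Check 1: list WebAPK packages from `pm list packages -f` output. Chrome mints
WebAPKs under the `org.chromium.webapk.` prefix (assumption; verify locally),
so they can be inventoried even though they never hit the sideloading prompt.
Check 2: classify a web app manifest by comparing the brand it claims in
name/short_name against the host its start_url/scope actually resolves to.
"""
from __future__ import annotations

import json
from urllib.parse import urljoin, urlsplit

WEBAPK_PREFIX = "org.chromium.webapk."  # assumed Chrome WebAPK naming scheme

# Constructed allowlist: brand keyword -> hosts the genuine app may use.
BRAND_DOMAINS: dict[str, set[str]] = {
    "examplebank": {"examplebank.test", "app.examplebank.test"},
    "northwind pay": {"northwindpay.test"},
}

# Constructed `adb shell pm list packages -f` output: package:<apk path>=<name>
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Xk2QzLmN==/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/~~Q9aB7cD1==/org.chromium.webapk.a3f1c9e7b2d4-1/base.apk=org.chromium.webapk.a3f1c9e7b2d4
package:/product/app/Calendar/Calendar.apk=com.google.android.calendar
"""

# Constructed manifests: a bank lookalike served from an unrelated host, and
# the genuine one served from the bank's own origin with a relative start_url.
PHISHING_MANIFEST_URL = "https://examplebank-secure.verify-login.test/manifest.webmanifest"
PHISHING_MANIFEST = json.dumps({"name": "ExampleBank Mobile", "short_name": "ExampleBank",
                                "start_url": "/login", "display": "standalone"})
LEGIT_MANIFEST_URL = "https://app.examplebank.test/manifest.json"
LEGIT_MANIFEST = json.dumps({"name": "ExampleBank", "start_url": "/", "scope": "/"})


def parse_pm_list(pm_output: str) -> list[tuple[str, str]]:
    """Return (package_name, apk_path) tuples from `pm list packages -f` lines.
    The split is on the LAST '=' because APK paths may contain '=' padding."""
    pkgs: list[tuple[str, str]] = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        pkgs.append((name, path))
    return pkgs


def find_webapks(pm_output: str) -> list[str]:
    """Package names that match the assumed Chrome WebAPK prefix."""
    return sorted(name for name, _ in parse_pm_list(pm_output) if name.startswith(WEBAPK_PREFIX))


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _host_allowed(host: str, domains: set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_manifest(manifest_json: str, manifest_url: str) -> str:
    """'brand-impersonation' if the display name mentions a protected brand but
    start_url/scope (resolved against the manifest's own URL) are served from a
    host outside that brand's allowlist; 'legit-brand' if the host is allowed;
    'no-brand-match' if no protected brand appears in the name."""
    m = json.loads(manifest_json)
    display = f"{m.get('name', '')} {m.get('short_name', '')}".lower()
    # Resolve relative URLs so a legitimate "/" start_url is judged by its origin.
    hosts = {_host(urljoin(manifest_url, m[k])) for k in ("start_url", "scope") if m.get(k)}
    if not hosts:  # no start_url or scope: the app launches at the manifest's origin
        hosts = {_host(manifest_url)}
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display:
            if all(_host_allowed(h, domains) for h in hosts):
                return "legit-brand"
            return "brand-impersonation"
    return "no-brand-match"


if __name__ == "__main__":
    print("WebAPKs installed:", find_webapks(SAMPLE_PM_OUTPUT))
    print("phishing manifest:", classify_manifest(PHISHING_MANIFEST, PHISHING_MANIFEST_URL))
    print("genuine manifest: ", classify_manifest(LEGIT_MANIFEST, LEGIT_MANIFEST_URL))
```

Run it as-is to see the constructed data classified; in practice, feed `find_webapks` the real `pm list packages -f` output pulled by your MDM or `adb`, and fetch each WebAPK's or home-screen PWA's manifest to pass to `classify_manifest`. The brand allowlist is the only organisation-specific input: keep it to the hosts your banking or payment apps are genuinely served from, since a lookalike host that merely contains the brand string is exactly what the check is meant to catch.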