Full Report
We analyze 2024's key spam and phishing statistics and trends: the hunt for crypto wallets, Hamster Kombat, online promotions via neural networks, fake vacation schedules, and more.
Analysis Summary
The text under review is an excerpt from a Kaspersky report on spam and phishing in 2024, plus the related-research links it carries, which point to several distinct malware families and threat actors (EAGERBEE, BellaCPP, Lazarus/CookiePlus, Careto).
Because the excerpt does not describe any single tool, malware family, or technique in technical depth, the summaries below are organised around the most concrete malware and technique mentions in the text, chiefly the APT-related ones. Fields the excerpt does not support are marked as not specified, and any ATT&CK mapping or platform guess that is an inference rather than a statement from the source is labelled as such.
---
# Tool/Technique: EAGERBEE Backdoor
## Overview
EAGERBEE is a backdoor whose updated and novel components were analysed by Kaspersky researchers; their analysis notes a possible connection to the CoughingDown APT actor and targeting in the Middle East.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Not stated in the excerpt (Kaspersky's published EAGERBEE analysis describes Windows components; treat Windows as the working assumption).
- Capabilities: Establishing persistence and communication channel for remote control.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
*The excerpt does not map EAGERBEE to ATT&CK; the entries below are generic backdoor techniques, inferred rather than source-confirmed:*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
## Functionality
### Core Capabilities
- Kaspersky's analysis covers its updated and newly added components, consistent with a component-based backdoor that gives the operator remote control of the host.
### Advanced Features
- The analysed samples include updated and previously unseen components.
- A possible attribution link to the CoughingDown APT actor, which the source presents as tentative.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- CoughingDown APT (Possible connection)
## Detection Methods
- Not given in the excerpt; component-level indicators and detection guidance are in the full Kaspersky analysis rather than in this summary.
## Mitigation Strategies
- Not given in the excerpt. Organisations in the targeted region should pull indicators from the full Kaspersky analysis; generic backdoor controls (egress monitoring, auditing of persistence locations, least-privilege service accounts) apply regardless.
## Related Tools/Techniques
- Other malware components associated with CoughingDown (if confirmed).
---
# Tool/Technique: BellaCPP Malware
## Overview
BellaCPP is a newly discovered variant of the BellaCiao malware, written in C++ rather than the original .NET, and was found by Kaspersky during an incident investigation.
## Technical Details
- Type: Malware variant (BellaCiao variant)
- Platform: Not stated in the excerpt (the parent BellaCiao family is a Windows implant; treat Windows as the working assumption).
- Capabilities: Functionality derived from the original BellaCiao malware.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
*The excerpt gives no mapping. BellaCiao is a .NET implant publicly attributed to the Iran-linked Charming Kitten group, not banking malware; the entries below are generic inferences from its role as an implant, not source-confirmed:*
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- Inherits functionality from the original BellaCiao malware.
### Advanced Features
- Implemented in C++ rather than the original .NET. A native build removes the dependency on the .NET runtime and will not be caught by detections written against managed BellaCiao samples, so it should be treated as a separate detection target.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Not named in the excerpt for BellaCPP itself; the parent BellaCiao family is publicly attributed to Charming Kitten (also tracked as APT35), so that attribution is the working assumption.
## Detection Methods
- Signatures and indicators from the BellaCPP analysis itself; rules keyed on the .NET BellaCiao build (managed-code artefacts, .NET-specific strings) will not fire on the C++ port and need separate coverage.
## Mitigation Strategies
- Application control (allow-listing) of executables, and reviewing existing BellaCiao detections so that coverage does not silently assume the .NET variant.
## Related Tools/Techniques
- BellaCiao (.NET variant)
---
# Tool/Technique: CookiePlus Backdoor
## Overview
CookiePlus is described as a new modular backdoor utilized by the Lazarus group in attacks targeting employees of a nuclear-related organization.
## Technical Details
- Type: Malware (Modular Backdoor)
- Platform: Not stated in the excerpt (Windows is the working assumption).
- Capabilities: Modular; command-and-control communication is implied by its backdoor role. Data exfiltration is not described in the excerpt.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
*The excerpt gives no mapping; the entries below are inferred from its role as a modular backdoor deployed by Lazarus, not source-confirmed:*
- TA0011 - Command and Control
- T1105 - Ingress Tool Transfer
- TA0001 - Initial Access
- T1566 - Phishing (inferred from typical Lazarus initial access against targeted employees; not stated in the excerpt)
## Functionality
### Core Capabilities
- Serves as a backdoor to maintain access.
- Modular design suggests adaptability and varied functions.
### Advanced Features
- Used in conjunction with existing Lazarus tools like MISTPEN, LPEClient, RollMid, and CookieTime.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- Lazarus Group
## Detection Methods
- Behavioural detection of module loading and C2 beaconing consistent with a modular backdoor framework; specific indicators are in the full Kaspersky analysis, not in the excerpt.
## Mitigation Strategies
- Enhanced endpoint detection and response (EDR) for highly targeted sectors (nuclear/critical infrastructure).
## Related Tools/Techniques
- MISTPEN, LPEClient, RollMid, CookieTime (Lazarus toolkit)
---
# Technique: Phishing/Social Engineering Scams (Travel and Social Media Focused)
## Overview
This section covers the social engineering schemes observed in 2024 that target individuals and travel agencies through fraudulent websites, giveaways, and verification scams, delivered via travel-booking lures, social media (WhatsApp, Instagram, Facebook), and messaging platforms (Telegram).
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Web/Mobile Messaging Applications
- Capabilities: Credential harvesting, financial theft, malware installation via deceptive interfaces.
- First Seen: Long-standing tactics, reused with 2024 pretexts.
## MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment (only where attachments were used; links were the primary lure)
- T1566.002 - Phishing: Spearphishing Link
- T1566.003 - Phishing: Spearphishing via Service (lures delivered through messaging platforms such as Telegram and WhatsApp)
- T1078 - Valid Accounts (harvested credentials and one-time codes reused to take over the victim's account)
## Functionality
### Core Capabilities
- **Travel Scams:** Fake booking sites request credentials or card details under the guise of payment verification or completing the reservation, telling the victim the amount will only be held (frozen) on the card; in fact it is charged and the funds are stolen outright.
- **Social Media Verification:** Replicating WhatsApp/messenger login screens to harvest one-time codes and credentials.
- **Giveaways/Prizes:** Luring victims with promised prizes (e.g., airline tickets) after completing surveys and sharing the offer, often requiring a small "fee" to finalize the "prize" claim.
### Advanced Features
- **Brand Impersonation:** Using multiple brand names simultaneously (e.g., Booking and Airbnb) on a single fraudulent site.
- **Urgency Creation:** Displaying false warnings about dwindling availability or imminent payment deadlines to rush user input.
- **Malware Delivery:** Using attractive free offers (e.g., "advanced Facebook Lite," "Telegram Premium") as a pretext to install malware instead of delivering the promised application.
## Indicators of Compromise
- File Hashes: N/A (Relates to delivered malware, which is not detailed)
- File Names: N/A (Relates to delivered malware, which is not detailed)
- Registry Keys: N/A
- Network Indicators: URLs and hostnames that imitate popular travel and social media brands (hotel-booking sites, WhatsApp login pages) while sitting outside the brand's real domain.
- Behavioral Indicators: Requests for login codes sent via SMS/Telegram being entered on external third-party websites.
## Associated Threat Actors
- Unspecified cybercriminals/scammers leveraging current events and popular services.
## Detection Methods
- **Signature/Heuristic Detection:** Browser security features blocking known phishing URLs.
- **Behavioral Detection:** Monitoring for users entering credentials or one-time codes on non-official domains, or entering Facebook credentials on a third-party site to reach a supposed Instagram service.
## Mitigation Strategies
- User education on verifying URLs, recognizing urgency tactics, and never entering security codes on sites outside the official application environment.
- Restricting third-party application permissions that require full credential access to social media accounts.
## Related Tools/Techniques
- Classic credential harvesting forms, malware deployment via social engineering.