There was a distinct surge in separate malware campaigns delivering the same payload last year, research shows, suggesting hackers are increasingly procuring tools from ‘malware as a service’ platforms.
The malware as a service model is becoming the dominant mode of cyber attacks as the cyber crime space continues to mature into a lucrative ecosystem for hackers for hire.
New research from Darktrace found the malware as a service (MaaS) model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year.
A report from WatchGuard also warned it observed an “astronomical surge” in total malware threats in the third quarter of 2024, surpassing 420,000.
Total malware threats refers to the number of unique attempts detected on WatchGuard-protected endpoints with any duplicates - those with the same hash are not counted.
WatchGuard noted this represented a 300% increase on the previous quarter’s figures, which is the largest quarterly rise it has ever observed.
The report stated that one might conclude this surge was driven by an overall increase in new threats, but WatchGuard found that there was actually an “uncharacteristic decline in new threats”.
It noted that the results of its telemetry indicate there has been a “flood of homogenous spam-like malware arriving on endpoints, likely separate malware campaigns with the same payload”.
The report further stated that there are often numerous duplicate malware families from quarter to quarter, but this time there was only one: Glupteba.
WatchGuard described Glupteba as a multi-faceted malware with various capabilities, such as acting as a botnet, stealing information, mining cryptocurrency, and loading other malware onto the system.
Malware as a service rise propped up by phishing attacks
Phishing remains the dominant initial access vector used in these attacks, with Darktrace recording over 30.4 million phishing emails targeting its customers between December 2023 and 2024.
Just under two-fifths (38%) of these emails were targeted spear phishing attacks tailored for ‘high value individuals’.
Darktrace noted 32% of the detected phishing emails contained AI generated text that displayed some form of ‘linguistic complexity’ such as increased text volume, punctuation, and sentence length.
The sophistication of these techniques has blossomed, the report added, stating that 70% of the emails containing AI-enhanced phishing content passed the popular DMARC authentication system, which is used to verify the legitimacy of incoming emails.
Moreover, 55% of all the emails had successfully found their way through all of the target organization’s existing layers before being detected.
Attacks leveraging QR codes, or qishing, have become a growing trend in today’s threat landscape, exploiting the often-weaker security of mobile devices, and Darktrace detected just under a million (940,000) malicious QR codes in the emails it analyzed.
Legitimate service attacks are another key focus
The report also noted threat actors were often seen abusing legitimate services to lend authenticity to their scams. The researchers observed hackers exploiting a number of trusted services such as Microsoft Sharepoint, Zoom Docs, QuickBooks, HelloSign, and Adobe to disguise their sender address.
In addition, trusted service providers were also appropriated as parts of the threat actor’s attack infrastructure, Darktrace noted.
“Threat actors were frequently observed using redirects via legitimate services like Google to deliver malicious payloads, effectively evading detection,” the report said.
“Additionally,Darktrace noted instances where attackers hijacked email accounts, including Amazon Simple Email Service (SES) accounts, belonging to legitimate third parties, such as business partners and trusted vendors.”
RELATED WHITEPAPER
ITPro learned that living off trusted services (LoTS) attacks are becoming an increasingly important part of the threat actors arsenal as general security awareness among their targets grows.
A recent report from security firm Mimecast explained that while these tactics often make their attacks more complex, it helps attackers get around increased authentication checks on corporate accounts.
It added that major cloud providers whose services are often abused in these attacks, namely Google and Microsoft, have begun taking steps to root out the malicious use of their platforms in such attacks.
As a result, threat actors have been observed migrating to slightly smaller trusted services providers that they can use to lend authenticity to their attacks.
MORE FROM ITPRO
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
OpenAI is clamping down on ChatGPT accounts used to spread malwareNews Tools like ChatGPT are being used by threat actors to automate and amplify campaigns
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Healthcare organizations are turning a blind eye to phishing attacks
News A survey reveals that most attacks go unreported, putting patient data at risk
