Why ‘malware as a service’ is becoming a serious problem
Malware builders are selling their services and contributed to a 300% increase in attacks at the end of 2024
There was a distinct surge in separate malware campaigns delivering the same payload last year, research shows, suggesting hackers are increasingly procuring tools from ‘malware as a service’ platforms.
The malware as a service model is becoming the dominant mode of cyber attacks as the cyber crime space continues to mature into a lucrative ecosystem for hackers for hire.
New research from Darktrace found the malware as a service (MaaS) model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year.
A report from WatchGuard also warned it observed an “astronomical surge” in total malware threats in the third quarter of 2024, surpassing 420,000.
Total malware threats refers to the number of unique attempts detected on WatchGuard-protected endpoints with any duplicates - those with the same hash are not counted.
WatchGuard noted this represented a 300% increase on the previous quarter’s figures, which is the largest quarterly rise it has ever observed.
The report stated that one might conclude this surge was driven by an overall increase in new threats, but WatchGuard found that there was actually an “uncharacteristic decline in new threats”.
It noted that the results of its telemetry indicate there has been a “flood of homogenous spam-like malware arriving on endpoints, likely separate malware campaigns with the same payload”.
The report further stated that there are often numerous duplicate malware families from quarter to quarter, but this time there was only one: Glupteba.
WatchGuard described Glupteba as a multi-faceted malware with various capabilities, such as acting as a botnet, stealing information, mining cryptocurrency, and loading other malware onto the system.
Malware as a service rise propped up by phishing attacks
Phishing remains the dominant initial access vector used in these attacks, with Darktrace recording over 30.4 million phishing emails targeting its customers between December 2023 and 2024.
Just under two-fifths (38%) of these emails were targeted spear phishing attacks tailored for ‘high value individuals’.
Darktrace noted 32% of the detected phishing emails contained AI generated text that displayed some form of ‘linguistic complexity’ such as increased text volume, punctuation, and sentence length.
The sophistication of these techniques has blossomed, the report added, stating that 70% of the emails containing AI-enhanced phishing content passed the popular DMARC authentication system, which is used to verify the legitimacy of incoming emails.
Moreover, 55% of all the emails had successfully found their way through all of the target organization’s existing layers before being detected.
Attacks leveraging QR codes, or qishing, have become a growing trend in today’s threat landscape, exploiting the often-weaker security of mobile devices, and Darktrace detected just under a million (940,000) malicious QR codes in the emails it analyzed.
Legitimate service attacks are another key focus
The report also noted threat actors were often seen abusing legitimate services to lend authenticity to their scams. The researchers observed hackers exploiting a number of trusted services such as Microsoft Sharepoint, Zoom Docs, QuickBooks, HelloSign, and Adobe to disguise their sender address.
In addition, trusted service providers were also appropriated as parts of the threat actor’s attack infrastructure, Darktrace noted.
“Threat actors were frequently observed using redirects via legitimate services like Google to deliver malicious payloads, effectively evading detection,” the report said.
“Additionally,Darktrace noted instances where attackers hijacked email accounts, including Amazon Simple Email Service (SES) accounts, belonging to legitimate third parties, such as business partners and trusted vendors.”
RELATED WHITEPAPER
ITPro learned that living off trusted services (LoTS) attacks are becoming an increasingly important part of the threat actors arsenal as general security awareness among their targets grows.
A recent report from security firm Mimecast explained that while these tactics often make their attacks more complex, it helps attackers get around increased authentication checks on corporate accounts.
It added that major cloud providers whose services are often abused in these attacks, namely Google and Microsoft, have begun taking steps to root out the malicious use of their platforms in such attacks.
As a result, threat actors have been observed migrating to slightly smaller trusted services providers that they can use to lend authenticity to their attacks.
MORE FROM ITPRO
-
What is Microsoft Maia?Explainer Microsoft's in-house chip is planned to a core aspect of Microsoft Copilot and future Azure AI offerings
-
If Satya Nadella wants us to take AI seriously, let’s forget about mass adoption and start with a return on investment for those already using itOpinion If Satya Nadella wants us to take AI seriously, let's start with ROI for businesses
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
-
Hacked London council warns 100,000 households at risk of follow-up scamsNews The council is warning residents they may be at increased risk of phishing scams in the wake of the cyber attack.
-
Warning issued as surge in OAuth device code phishing leads to M365 account takeoversNews Successful attacks enable full M365 account access, opening the door to data theft, lateral movement, and persistent compromise
-
Complacent Gen Z and Millennial workers are more likely to be duped by social engineering attacksNews Overconfidence and a lack of security training are putting organizations at risk
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
