Why ‘malware as a service’ is becoming a serious problem
Malware builders are selling their services and contributed to a 300% increase in attacks at the end of 2024
There was a distinct surge in separate malware campaigns delivering the same payload last year, research shows, suggesting hackers are increasingly procuring tools from ‘malware as a service’ platforms.
The malware as a service model is becoming the dominant mode of cyber attacks as the cyber crime space continues to mature into a lucrative ecosystem for hackers for hire.
New research from Darktrace found the malware as a service (MaaS) model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year.
A report from WatchGuard also warned it observed an “astronomical surge” in total malware threats in the third quarter of 2024, surpassing 420,000.
Total malware threats refers to the number of unique attempts detected on WatchGuard-protected endpoints with any duplicates - those with the same hash are not counted.
WatchGuard noted this represented a 300% increase on the previous quarter’s figures, which is the largest quarterly rise it has ever observed.
The report stated that one might conclude this surge was driven by an overall increase in new threats, but WatchGuard found that there was actually an “uncharacteristic decline in new threats”.
It noted that the results of its telemetry indicate there has been a “flood of homogenous spam-like malware arriving on endpoints, likely separate malware campaigns with the same payload”.
The report further stated that there are often numerous duplicate malware families from quarter to quarter, but this time there was only one: Glupteba.
WatchGuard described Glupteba as a multi-faceted malware with various capabilities, such as acting as a botnet, stealing information, mining cryptocurrency, and loading other malware onto the system.
Malware as a service rise propped up by phishing attacks
Phishing remains the dominant initial access vector used in these attacks, with Darktrace recording over 30.4 million phishing emails targeting its customers between December 2023 and 2024.
Just under two-fifths (38%) of these emails were targeted spear phishing attacks tailored for ‘high value individuals’.
Darktrace noted 32% of the detected phishing emails contained AI generated text that displayed some form of ‘linguistic complexity’ such as increased text volume, punctuation, and sentence length.
The sophistication of these techniques has blossomed, the report added, stating that 70% of the emails containing AI-enhanced phishing content passed the popular DMARC authentication system, which is used to verify the legitimacy of incoming emails.
Moreover, 55% of all the emails had successfully found their way through all of the target organization’s existing layers before being detected.
Attacks leveraging QR codes, or qishing, have become a growing trend in today’s threat landscape, exploiting the often-weaker security of mobile devices, and Darktrace detected just under a million (940,000) malicious QR codes in the emails it analyzed.
Legitimate service attacks are another key focus
The report also noted threat actors were often seen abusing legitimate services to lend authenticity to their scams. The researchers observed hackers exploiting a number of trusted services such as Microsoft Sharepoint, Zoom Docs, QuickBooks, HelloSign, and Adobe to disguise their sender address.
In addition, trusted service providers were also appropriated as parts of the threat actor’s attack infrastructure, Darktrace noted.
“Threat actors were frequently observed using redirects via legitimate services like Google to deliver malicious payloads, effectively evading detection,” the report said.
“Additionally,Darktrace noted instances where attackers hijacked email accounts, including Amazon Simple Email Service (SES) accounts, belonging to legitimate third parties, such as business partners and trusted vendors.”
RELATED WHITEPAPER
ITPro learned that living off trusted services (LoTS) attacks are becoming an increasingly important part of the threat actors arsenal as general security awareness among their targets grows.
A recent report from security firm Mimecast explained that while these tactics often make their attacks more complex, it helps attackers get around increased authentication checks on corporate accounts.
It added that major cloud providers whose services are often abused in these attacks, namely Google and Microsoft, have begun taking steps to root out the malicious use of their platforms in such attacks.
As a result, threat actors have been observed migrating to slightly smaller trusted services providers that they can use to lend authenticity to their attacks.
MORE FROM ITPRO
-
Why patching velocity matters as Claude Mythos supercharges vulnerability discoveryFrontier AI models such as Claude Mythos and GPT-5.5 make patching more urgent than ever. How can firms increase the velocity at which they apply fixes and mitigations?
-
The UK is running on fumes as data center build-outs can’t keep pace with demandNews The country's vacancy rate has dropped sharply, with much of the pipeline early-stage and uncertain
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
