Why ‘malware as a service’ is becoming a serious problem
Malware builders are selling their services and contributed to a 300% increase in attacks at the end of 2024
There was a distinct surge in separate malware campaigns delivering the same payload last year, research shows, suggesting hackers are increasingly procuring tools from ‘malware as a service’ platforms.
The malware as a service model is becoming the dominant mode of cyber attacks as the cyber crime space continues to mature into a lucrative ecosystem for hackers for hire.
New research from Darktrace found the malware as a service (MaaS) model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year.
A report from WatchGuard also warned it observed an “astronomical surge” in total malware threats in the third quarter of 2024, surpassing 420,000.
Total malware threats refers to the number of unique attempts detected on WatchGuard-protected endpoints, with duplicates (those sharing the same hash) not counted.
WatchGuard noted this represented a 300% increase on the previous quarter’s figures, which is the largest quarterly rise it has ever observed.
The report stated that one might conclude this surge was driven by an overall increase in new threats, but WatchGuard found that there was actually an “uncharacteristic decline in new threats”.
It noted that the results of its telemetry indicate there has been a “flood of homogenous spam-like malware arriving on endpoints, likely separate malware campaigns with the same payload”.
The report further stated that there are often numerous duplicate malware families from quarter to quarter, but this time there was only one: Glupteba.
WatchGuard described Glupteba as a multi-faceted malware with various capabilities, such as acting as a botnet, stealing information, mining cryptocurrency, and loading other malware onto the system.
Malware as a service rise propped up by phishing attacks
Phishing remains the dominant initial access vector used in these attacks, with Darktrace recording over 30.4 million phishing emails targeting its customers between December 2023 and 2024.
Just under two-fifths (38%) of these emails were targeted spear phishing attacks tailored for ‘high value individuals’.
Darktrace noted 32% of the detected phishing emails contained AI generated text that displayed some form of ‘linguistic complexity’ such as increased text volume, punctuation, and sentence length.
The sophistication of these techniques has blossomed, the report added, stating that 70% of the emails containing AI-enhanced phishing content passed the popular DMARC authentication system, which is used to verify the legitimacy of incoming emails.
Moreover, 55% of all the emails had successfully found their way through all of the target organization’s existing layers before being detected.
Attacks leveraging QR codes, or qishing, have become a growing trend in today’s threat landscape, exploiting the often-weaker security of mobile devices, and Darktrace detected just under a million (940,000) malicious QR codes in the emails it analyzed.
Legitimate service attacks are another key focus
The report also noted threat actors were often seen abusing legitimate services to lend authenticity to their scams. The researchers observed hackers exploiting a number of trusted services such as Microsoft Sharepoint, Zoom Docs, QuickBooks, HelloSign, and Adobe to disguise their sender address.
In addition, trusted service providers were also appropriated as parts of the threat actor’s attack infrastructure, Darktrace noted.
“Threat actors were frequently observed using redirects via legitimate services like Google to deliver malicious payloads, effectively evading detection,” the report said.
“Additionally, Darktrace noted instances where attackers hijacked email accounts, including Amazon Simple Email Service (SES) accounts, belonging to legitimate third parties, such as business partners and trusted vendors.”
ITPro learned that living off trusted services (LoTS) attacks are becoming an increasingly important part of the threat actors’ arsenal as general security awareness among their targets grows.
A recent report from security firm Mimecast explained that while these tactics often make attacks more complex, they help attackers get around increased authentication checks on corporate accounts.
It added that major cloud providers whose services are often abused in these attacks, namely Google and Microsoft, have begun taking steps to root out the malicious use of their platforms in such attacks.
As a result, threat actors have been observed migrating to slightly smaller trusted services providers that they can use to lend authenticity to their attacks.
Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.