In the ever-evolving cybersecurity landscape, 2023 witnessed a dramatic surge in the sophistication of cyber threats and malware. AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc.
This year's events kept cybersecurity professionals on their toes, from expanding malware variants to the introduction of new threat actors and attack techniques. Here are some of the most compelling developments, highlighting malware's evolving capabilities and the challenges defenders face.
Highlights of the year: Emerging trends and notable incidents
As the year unfolded, several trends and incidents left an indelible mark on the cybersecurity landscape:
Exploiting OneNote for malicious payloads
Cybercriminals leveraged Microsoft OneNote to deliver many malicious payloads to victims, including Redline, AgentTesla, Quasar RAT, and others. This previously underutilized Office program became a favored tool because of the low suspicion it raises and its widespread usage.
SEO poisoning and Google Ads
Malicious actors resorted to SEO poisoning tactics, deploying phishing links through Google Ads to deceive unsuspecting victims. These links led to cloned, benign-looking web pages, avoiding Google's detection and remaining active for extended periods. Prominent malware families, including Raccoon Stealer and IcedID, capitalized on this strategy.
Exploiting geopolitical events
Cybercriminals exploited the geopolitical climate, particularly the Middle East conflict, as a lure for their attacks. This trend mirrored the previous year's Ukraine-related phishing campaigns and crypto scams.
APTs: State-sponsored espionage continues to present challenges
Advanced Persistent Threats (APTs) continued to pose a significant threat in 2023:
- Snake: CISA reported on the Snake APT, a sophisticated cyber-espionage tool associated with the Russian Federal Security Service (FSB). This malware had been in use for almost 20 years.
- Volt Typhoon: A campaign targeting critical infrastructure organizations in the United States was attributed to Volt Typhoon, a state-sponsored actor based in China. Their focus lay on espionage and information gathering.
- Storm-0558: This highly sophisticated intrusion campaign, orchestrated by the Storm-0558 APT from China, infiltrated the email accounts of approximately 25 organizations, including government agencies.
Ransomware's relentless rise
Ransomware remained a prevalent and lucrative threat throughout the year:
- Cuba and Snatch: Ransomware groups like Cuba and Snatch targeted critical infrastructure in the United States, raising national security concerns.
- ALPHV/BlackCat: Beyond SEO poisoning, this group compromised the computer systems of Caesars and MGM casinos. They also resorted to filing complaints with the US Securities and Exchange Commission (SEC) against their victims, applying extra pressure to pay ransoms.
- Exploiting new vulnerabilities: Cybercriminals wasted no time exploiting newly discovered vulnerabilities, such as CVE-2023-22518 in Atlassian's Confluence, CVE-2023-4966 (Citrix Bleed), and others. These vulnerabilities became gateways for ransomware attacks.
- Evolving ransomware families: New ransomware variants like Trash Panda emerged while existing families adapted to target Linux and ESXi servers, further expanding their reach.
Notable blogs of the year
1. BlackGuard: Elevating Malware-as-a-Service
One of the year's standout stories was the evolution of BlackGuard, a formidable Malware-as-a-Service (MaaS) offered in underground forums and Telegram channels. This insidious tool underwent a significant upgrade, amplifying its capabilities. Already known for its ability to pilfer sensitive data from browsers, games, chats, and cryptocurrency wallets, the new BlackGuard variant upped the ante.
BlackGuard improved its anti-reversing and anti-sandboxing capabilities, making it even more elusive to security experts. Moreover, it could now tamper with cryptocurrency wallet addresses copied to the clipboard. This enhancement poses a severe threat to cryptocurrency enthusiasts and investors. Additionally, BlackGuard incorporated advanced loader capabilities, enabling it to propagate through shared or removable drives and mask its communications via public and private proxies or the anonymous Tor network.
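The clipboard tampering described above is the classic "clipper" pattern: the victim copies a wallet address, the malware replaces the clipboard contents with an attacker-controlled address of the same type, and the paste still looks plausible. The following is an added detection illustration written for this page; it is not Alien Labs code and not BlackGuard code. It simulates the clipboard in memory so it runs offline, and the address patterns, sample addresses and the `ClipboardMonitor`/`run_demo` names are all constructed for the example.

```python
"""Detect clipper behaviour: a wallet address the user copied is silently
replaced by a different address before it is pasted.

Added illustration (not AT&T Alien Labs code, not BlackGuard code). The
clipboard is simulated in memory; address patterns are loose and the sample
addresses are constructed, not real wallets.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Loose syntactic patterns only (constructed for illustration; real validation
# would also verify the checksum of each address format).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin label when text looks like a wallet address, else None."""
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return label
    return None


@dataclass
class ClipboardMonitor:
    """Remembers what the user copied and checks what is read back at paste time.

    A clipper does not change the kind of content: it swaps one address for
    another of the same coin so the paste still looks plausible. The alert rule
    is therefore: both values are addresses and they differ.
    """
    last_user_copy: str = ""
    alerts: List[Tuple[str, str]] = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        self.last_user_copy = text

    def on_clipboard_read(self, text: str) -> bool:
        """True (and an alert recorded) if a copied address was replaced."""
        if classify_address(self.last_user_copy) is None or classify_address(text) is None:
            return False
        if text.strip() == self.last_user_copy.strip():
            return False
        self.alerts.append((self.last_user_copy, text))
        return True


# Constructed sample values (not real wallets).
USER_BTC = "1DemoAddrConstructedForTestingAAAA"
ATTACKER_BTC = "1AttackerSwappedAddressConstructed"
USER_ETH = "0x00112233445566778899aabbccddeeff00112233"
ATTACKER_ETH = "0xffeeddccbbaa99887766554433221100ffeeddcc"


def run_demo() -> int:
    """Replay a constructed copy/paste sequence; return the number of alerts."""
    monitor = ClipboardMonitor()
    # (what the user copied, what the clipboard held when it was read back)
    events = [
        (USER_BTC, USER_BTC),                      # untouched: no alert
        ("meeting at 10:00", "meeting at 10:00"),  # not an address: ignored
        (USER_BTC, ATTACKER_BTC),                  # swapped BTC address: alert
        (USER_ETH, ATTACKER_ETH),                  # swapped ETH address: alert
        ("note", "meeting at 10:00"),              # changed, but not addresses: ignored
    ]
    for copied, pasted in events:
        monitor.on_user_copy(copied)
        if monitor.on_clipboard_read(pasted):
            print(f"ALERT: clipboard address changed from {copied} to {pasted}")
    return len(monitor.alerts)


if __name__ == "__main__":
    print("alerts:", run_demo())
```

On a real endpoint the two hooks would be fed by the OS clipboard (the copy event from the user's application, the read-back from a periodic poll); the comparison logic stays the same, and the "same type, different value" rule is what keeps ordinary edits to non-address text from raising alerts.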
2. SeroXen: A RAT's rapid ascent and fall
In a surprising turn of events, 2023 witnessed the meteoric rise and fall of SeroXen, a new variant of the Quasar Remote Access Trojan (RAT). This modified branch of the open-source RAT added significant modifications to its original framework, enhancing its capabilities.
SeroXen achieved rapid notoriety, with hundreds of samples identified within the first few months of the year. However, shortly after the blog highlighting its emergence was published, the SeroXen website announced its shutdown and implemented a kill-switch, rendering infected PCs useless to malicious actors. It was a rare instance where the publication of research inadvertently led to the downfall of a malware tool.
3. AdLoad: Mac systems turned into proxy servers
AT&T Cybersecurity Alien Labs uncovered a malicious campaign involving AdLoad. This malware ingeniously transformed users' Mac systems into proxy servers that were then sold to third parties, including some with illicit purposes. The threat actor behind AdLoad infected target systems and surreptitiously installed a proxy application in the background.
These infected systems were subsequently offered to proxy companies portraying themselves as legitimate entities. Buyers exploited the benefits of these residential proxy botnets, enjoying anonymity, wide geographical availability, and high IP rotation for conducting nefarious activities, including spam campaigns.
4. AsyncRAT: The persistent phishing threat
Throughout 2023, cybersecurity experts observed a continuous influx of phishing emails using advanced techniques. These emails enticed victims to download a malicious JavaScript file, heavily obfuscated and armed with anti-sandboxing measures to evade detection. These attacks aimed to execute an AsyncRAT client on the compromised systems, granting attackers full remote access.
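Heavily obfuscated JavaScript attachments of the kind described above tend to share a few measurable traits that a mail gateway or sandbox can score before anything executes: encoded string tables, `eval`/`unescape`/`String.fromCharCode` decoding chains, and Windows Script Host objects (`ActiveXObject`, `WScript.Shell`) that page scripts never need. The following triage scorer is an added illustration written for this page; it is not Alien Labs code and not an AsyncRAT artifact. Both sample scripts are constructed (the "obfuscated" one is inert and only exists to exercise the scorer), and the indicator weights, thresholds and the `score_js` name are assumptions to be tuned on a real corpus.

```python
"""Heuristic triage of a JavaScript attachment for obfuscation and
script-host abuse indicators.

Added illustration, not AT&T Alien Labs code and not an AsyncRAT dropper.
Both samples below are constructed; the "obfuscated" one is inert. Weights
and thresholds are assumptions to be tuned on real data.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Indicator regexes with weights. Email-delivered .js files run under the
# Windows Script Host, so ActiveXObject / WScript.Shell are strong signals that
# the script intends to run commands rather than behave like page code.
INDICATORS = [
    ("eval_or_function_ctor", re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("), 3),
    ("fromcharcode", re.compile(r"String\.fromCharCode"), 2),
    ("unescape_decode", re.compile(r"\bunescape\s*\(|\bdecodeURIComponent\s*\("), 1),
    ("wsh_objects", re.compile(r"ActiveXObject\s*\(|WScript\.(?:Shell|CreateObject)"), 3),
]
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')
SUSPICIOUS_THRESHOLD = 5  # assumption: tune on a labelled corpus


def shannon_entropy(text: str) -> float:
    """Bits per character; dense encoded blobs push this upward."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_js(source: str) -> Dict[str, object]:
    """Return a score, a verdict and the reasons that contributed."""
    score = 0
    reasons: List[str] = []
    for name, pattern, weight in INDICATORS:
        hits = len(pattern.findall(source))
        if hits:
            score += weight
            reasons.append(f"{name}:{hits}")
    escapes = len(HEX_ESCAPE.findall(source))        # \x41 / \u0041 style string tables
    if escapes >= 20:
        score += 2
        reasons.append(f"hex_escapes:{escapes}")
    longest_literal = max((len(m) for m in STRING_LITERAL.findall(source)), default=0)
    if longest_literal > 500:                         # embedded encoded payload
        score += 2
        reasons.append(f"long_string_literal:{longest_literal}")
    longest_line = max((len(line) for line in source.splitlines()), default=0)
    if longest_line > 1000:                           # minified/packed on one line
        score += 1
        reasons.append(f"long_line:{longest_line}")
    entropy = shannon_entropy(source)
    if entropy > 5.0:
        score += 2
        reasons.append(f"entropy:{entropy:.2f}")
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "likely_benign"
    return {"score": score, "verdict": verdict, "reasons": reasons, "entropy": round(entropy, 2)}


# Constructed sample 1: ordinary, readable page script.
BENIGN_SAMPLE = """// constructed: an ordinary, readable page script
function greet(name) {
  var el = document.getElementById("greeting");
  el.textContent = "Hello, " + name + "!";
}
greet("world");
"""

# Constructed sample 2: inert script showing the obfuscation traits (hex-escaped
# string table, fromCharCode builder, WSH object, eval of an unescape'd string).
OBFUSCATED_SAMPLE = (
    'var _0x3f=["\\x57\\x53\\x63\\x72\\x69\\x70\\x74\\x2e\\x53\\x68\\x65\\x6c\\x6c",'
    '"\\x52\\x75\\x6e","\\x41\\x63\\x74\\x69\\x76\\x65\\x58\\x4f\\x62\\x6a\\x65\\x63\\x74"];'
    "var p='';for(var i=0;i<64;i++){p+=String.fromCharCode(97+(i*7)%26);}"
    "var o=new ActiveXObject(_0x3f[0]);"
    'eval(unescape("%76%61%72%20%78%3d%31%3b")+p);'
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, score_js(sample))
```

The scorer is deliberately static: it never executes the script, so the anti-sandboxing tricks the text mentions (which only matter once the script runs) do not affect it, and it can sit in front of a sandbox to decide which attachments deserve the more expensive dynamic analysis.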
About us
AT&T Alien Labs is the threat intelligence unit of AT&T Cybersecurity. We help fuel our cybersecurity consulting and managed security services with the most up-to-date threat intelligence information. We work with the Open Threat Exchange (OTX) to provide actionable and community-powered threat data. Watch the AT&T Cybersecurity blog for more observations and research from the Alien Labs team.