Chapters
Shownotes Transcript
Hello, this is Katalin Gambano and this is another Risk Business News sponsored interview. Today we have Proofpoint Senior Threat Intelligence Analyst, Selena Larsson. Welcome, Selena. Hello, hello.
Today, I want to talk about the malware ecosystem and specifically I want to touch on the main players on the market. There's been a period over almost half a decade when the entire malware ecosystem was just coagulating around a handful of services like, for example, Amatet and Trickpot for malware delivery, Revel, Blackbit, as recently, Sockgalish, or however you say that, or the Genesis Market for the credential market.
Now, we've seen lots of disruptions. The market, there's been some sort of upheaval. Major services went down. New ones appeared. Older ones tried to make a comeback but didn't really work out for them.
We also had Microsoft taking some steps to disrupt common malware delivery, like disabling VBA macros in Office and Excel add-ins, which also added to this major disruption on the market. Does the malware as a service scene still have the top dogs like it used to have in the past? Are threat actors still going to do free for major providers as they used to in the past? Or is the market more fragmented now?
It's definitely more fragmented now. So we have really come to a transition period within the last year and a half where threat actors have changed the way that they are sourcing malware, using malware, delivering malware. I think you mentioned the Microsoft disruption having a large impact on the landscape. That is absolutely true, especially if you look at email threat actors, which is where my main focus is.
You have threat actors who used to have this easy button, one click, enable macros for malware installation. And now you have them having to be really creative, developing new and unique attack chains weekly in many cases. And then what that means for defenders is we're constantly having to figure out new detections, new ways to block these actors, figure out what they're doing to potentially stop them.
What I think is really interesting, though, is if we're looking at the malware, you mentioned Emotech, Trickbot, stuff like that. Qbot, I think, was a gigantic player in the malware ecosystem prior to its disruption. And what we saw was after the Qbot disruption back in August 2023, law enforcement mentioned they removed Qbot from over 700,000 computers. So it was a pretty massive disruption.
malware. But you saw the actors that used Cubot a lot, for example, TA577, TA570, they had to figure out what do I do next? And
TA577, I think, is an interesting example of the sort of fragmented malware threat actor ecosystem because when they came back later on in the year around the October timeframe, they started using DarkGate. And DarkGate is an example of a malware as a service that was used by a variety of different threat actors around.
But what I think is really interesting about Darkgate is it almost flew too close to the sun because it exploded in October and you saw a lot of different threat actors and unattributed threat clusters using Darkgate in their campaigns. And then it kind of fell off. Like the actor had to sort of like restrict sales to a small number of people. There was like so much attention focused on Darkgate. It's like, oh, is Darkgate the next QBOT?
But you as a threat actor or a malware developer don't want to be the next Qbot because you're going to have all eyes on you, right? So we've seen that fall off a lot. There's still some use of it for sure, but it's just not as big as it was in the fall of 2023.
So TFS77, okay, what else are they doing? They experimented briefly, for example, with Latrodectus, which is another malware that kind of came on the scene to overtake ICED-ID, which your listeners might be familiar with is another initial access broker malware loader that was very, very popular back then.
What did happen to Ice ID, by the way? Because I've noticed that there's not that much talk about it. Yeah, that's a great question. So it actually kind of got a little bit replaced by Latrodectus, which is this new malware that kind of came on the scene that was used by a lot of the same actors that had been using Ice ID.
It is a question. We're still kind of wondering if Iced ID is going to come back, what happened to it, what its developers are doing. But we see this as LatraTectus kind of being the replacement. You also have, for example, Wikiloader is another loader that kind of came on the scene fairly recently used by some initial access brokers.
And then, of course, you have Peekabot, which is a beloved favorite of TA-577. So you have kind of this sort of fractured landscape, a lot of different types of malware that can be used for initial access by the actors that are what we would consider initial access brokers, kind of the big kahunas of cybercrime initial access. And then, of course, if you're looking at the ransomware threat landscape, that has also fractured. Certainly, the Conti leak's
played a major part in that kind of, you know, splintering the Conti group itself that kind of reformed in these other sort of ransomware, ransomware as a service types of functions. And so even if you look sort of further downstream, okay, after the loader or the rats, what happens next? You have an even further splintering of some of these groups and a little bit kind of playing whack-a-mole, I think.
for some of them. I mentioned some of Microsoft moves against malware delivery methods. Did you notice any threat actors that appeared out of nowhere built around ways to deliver malware in a new way? So we haven't necessarily seen new threat actors pop up as a response to this. It's more sort of been a shift in what we've seen from our typical threat actors to
Or, you know, the landscape in general, trying to find new methods of delivery. And I wouldn't say they've, in most cases, haven't pivoted away from using email delivery. But we have seen sort of an expansion, right? So you have things, for example, Microsoft Teams delivery, right? Chat app.
things like various third-party messaging apps and services are becoming more popular methods of delivery. We've also seen an increase in fake updates. I mean, who would have thought? Like 2024, fake updates becoming super popular. And it used to kind of just be sock-golish as the sort of big kahuna of fake updates. But now we have a lot of different threat actor clusters that are delivering these web injects leading to various remote access Trojans. And
And it's using similar TTPs of, hey, your browser's out of date. But instead of, oh, this is definitely leading to Sockgolish. I know what this is. They use various different types of web injects, both JavaScript and other types of web injects that deliver everything from, you know, we're still seeing Sockgolish, but we also have this rogue raticate cluster. You have like delivery of the net support rat, various other types of malware being delivered as well. And so that has kind of popped up as a more,
popular method of delivery. Certainly, we've seen like SEO poisoning, malicious advertising, malvertising campaigns that are delivering some of the same types of payloads that you might see in email delivery. And one thing I haven't mentioned yet is the sort of re-emergence of info stealers as something that threat actors are really interested in, especially in terms of thinking about this malware as a service type of
economy. You have Rhydomanthus is a really good example of this. It's a fairly new information stealer malware that operates as malware as a service and we've seen used by a variety of different threat actors. You have Xloader, which is just rebranded Formbook. It's another popular one. VDAR, Stealer, Redline. So you have sort of a
reemergence or an increase in popularity of information stealer malware that is being operated by a number of different cybercrime operations, not just in email, but also in some of these other types of initial access or delivery that we see.
Do you have any idea why? Is it because they can commercialize the stolen credentials better? That's a good question. I'm not necessarily sure what the sort of impetus is, but we do see the potential ease of use or ease of access for these types of information stealers, malware as a service, as being a possibility. But I don't have a good answer for why it's becoming more popular. Don't all these malware loaders have modules for collecting credentials?
For example, you would be one of those pick-up-out clients. You probably can collect credentials. Like you don't need another payload as an info stealer, right? Yeah, yeah. I mean, so it's kind of the objective, right? And I think one thing too that a lot of these information stealers have is the sort of focus on crypto wallets. So we didn't, you know, that's something that is...
I think fairly new and emerging in terms of more people buying into cryptocurrency. It's becoming more accessible. I think, you know, kind of going after crypto wallets is one possibility for the increase in information stealers and the focus on cryptocurrency. But yeah, it's pretty interesting that we see a sort of rise of information stealers and sort of
What that means for the landscape in general, being able to evolve or focus more on some of the a little bit more sort of low hanging fruit as opposed to ransomware. I don't know. You know, ransomware is definitely not going anywhere. So there is that. But yeah, just the sort of InfoStealer ecosystem and some of the capabilities that have been added. Oftentimes, InfoStealer might also have loader capabilities as well, but their main focus is stealing information.
Serena, you're talking about the ecosystem as a whole and ransomware. I want to ask if these super hackable networking devices that are basically everywhere these days, are they killing the need to run huge mail spam campaigns? No, but they are offering a new vector for access, for initial access operations, right? So if we're talking about the shift in defense, right? So going back to Microsoft's
Blocking things by default, if we're talking about incorporating or mandating MFA, which knocked out some of the sort of basic phishing, you have these points in time that necessitate a behavior shift by default.
various threat actors. And what that means is there's going to be more experimentation, investment in developing new tools and capabilities, and investigation of new potential resources or areas of avenue for initial access. So while email is still a very tried and true method, and we see even just within that space of initial access development, a lot of creativity, a lot of copying each other, a lot of people or a lot of threat actors kind of
jumping on various bandwagons at the same time, you also see sort of looking at this other avenue of initial access. So if we're talking about exploitable networking equipment, I mean,
2024 has just been really, really brutal for a lot of various companies and the CVEs that have been announced and very, very quickly exploited. But I mean, ideally, there's a very small window of exploitability. If you didn't develop a zero day for this vulnerable networking equipment, you have a small window of time by which you can actually operationalize that and make it useful. There are
Obviously, criminal organizations that are going to be focusing on that and developing tools and capabilities, but that has to be done very rapidly and quickly because you're going to lose access to that once those vulnerabilities are closed and the majority of organizations are going to be patched. Again, that is in an ideal situation, in an ideal world, I know that the longevity of vulnerabilities is based off organizations, patch cycles, and ability to do such things. But for the most part,
they're going to be a little bit more short-lived and so you're going to want to still invest in various other methods of initial access and this kind of goes a little bit into thinking about cyber crimes focus and development on potential zero days so you have cyber criminal organizations such as ransom reactors initial access brokers that have raked in millions of dollars for their crimes over the years which now means they have the money and
probably ability to sort of fund and focus on various other resource development. For example, like potentially finding and leveraging zero days. We saw that with the move at Oday, for example. But you have these sort of cybercrime operators leveraging zero days and investing in that and investing in tool and resource development. And you think about it, you know, all these actors are just businesses, right?
They are investing their time and money into what they think is going to be making them money. And so it's really interesting to kind of see that play out. Since you call them businesses, do you think statistical approach is what they're motivated with? Like, for example, you have email spam. It's just, you know, it has a low percentage, like 10% infection rate. And then you have a networking device, like you can hit a jackpot. Like all of a sudden you reached Apple. Yeah, you get it. It's like playing the roulette sometimes, right?
I think so. Yeah. I mean, yes. And also it probably comes down to what these threat actors are actually like familiar with working with and what they're actually going to be doing and using. And there's an ability difference between trying to weaponize a CVE in a networking device versus developing an initial access chain for email and social engineering and trying to get a user to click on and engage with some of your content.
And so one person might not be familiar with both of these things. So it also kind of comes down to how well... It's just separate crowds. Yeah. And how well resourced is this threat actor group that you're tracking? Or, you know, is someone just content to stay and completely operate in the email initial access space?
And if so, how are they going to be kind of changing up their TCPs? I think TA-577 is a really good example of this. I keep talking about them, but they're just like the most chaotic e-crime threat actor. I feel like part of it is just they're throwing spaghetti at a wall and be like, okay, what is going to stick here? Because I have like dozens of unique attack chains. I'd love to be in their Discord server. Yeah.
Yeah, like what are they doing? Because like a really good example of this is like, okay, well, they're doing all this initial access stuff. They typically deliver, you know, like Peekabot fairly recently. And then they're like, all of a sudden, they just like pivoted to NTLM credentials in one campaign.
And you're like, why are you doing this? What are you doing this for? And you see them using like a file scheme URI to access an external SMB resource. In the NTLM example, that was like an in-packet SMB server. But you've seen them kind of like iterate their attack teams before they got to that point. Like you see them kind of like making mistakes being like, oh, wait, this didn't really work. So we're going to try doing this instead.
And then you get the credentials, but like, okay, is this actually going to work? And what are they going to be doing with these credentials? And it's just kind of like real time iteration. Like they're like a startup and they're just like move fast and break things. Like, let's see what we can come up with. And so you kind of see that. I mean, that's like a very good example, very much like TA577 is like super focused and does a lot of this, but you see that with a lot of different threat actors, especially if we're talking about initial access brokers.
Some of the more sort of like low hanging fruit or commodity malware delivery type of threat actors are
They're not iterating the same way. They're still using a sort of basic compressed executable to try and deliver malware or old, out-of-date, exploitable vulnerabilities in Microsoft Office from like 2017, right? So you have kind of like a range of factors. And those on the sort of like less sophisticated scale aren't really changing. They're kind of still maintaining their same vibes. Since you're talking about...
the chaos around TA577. From a defender's perspective, would you prefer a big, sophisticated threat actor like Amotet and Trickbot that just funnels everything for the same IOCs and TTPs? Or do you prefer something like the smaller, less sophisticated threat actors? I have to say, if I'm thinking about work-life balance, I prefer the less sophisticated actors because it's a lot easier to track people
And because it really did go from like, okay, we can track these actors, um, emo type. We have all of their, you know, macro enabled documents. So we see what they're doing, um,
This is easy. You know, we don't have to literally every day be developing new detections around stuff that these sort of high value, very important threat actors are coming up with. And this actually kind of is interesting, too, because I talked about this with Pim Truerbach on my podcast also about how
the actual malware that these threat actors are using for example like peekabot or latrodectus or wikiloader are not actually like technically sophisticated or interesting like where the sort of interesting technical sophistication really comes in is the delivery and the initial access and they're sort of changing techniques but the malware itself is like kind of boring and
And like, it's kind of whatever. And it doesn't take very much to RE to grab the config. Like there's a lot of, you know, sort of evasion stuff that's going on. But from the actual technical perspective, the malware is just like kind of boring. But the actual delivery is being changed up a lot. A lot of creativity and interesting stuff going on. But I think from a sort of like researcher is this fun perspective, it's probably a lot more fun tracking and looking at
the new methods and new techniques from those actors and developing the detections for them. I joked with my colleague recently, I was like, can you please stop making me read obscure Microsoft documentation about like things I didn't even know existed because a threat actor is like all of a sudden using them in three campaigns and the next week they're going to switch to something else. So it's easier to stay on top of those sort of commodity strategies.
That was our interview with Selena Larson, Senior Threat Intelligence Analyst at Proofpoint.
Selena also co-hosts a podcast for Proofpoint named Discarded, where she interviews Proofpoint researchers about their latest work and pre-reacted activity. It's one of our favorite InfoSec podcasts out right now. You can find Discarded by searching for it in your favorite podcast app. Thank you for listening.
