In the ever-evolving cybersecurity landscape, 2023 witnessed a dramatic surge in the sophistication of cyber threats and malware. AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc.
This year's events kept cybersecurity experts on their toes, from expanding malware variants to introducing new threat actors and attack techniques. Here are some of the most compelling developments, highlighting malware's evolving capabilities and the challenges defenders face.
Highlights of the year: Emerging trends and notable incidents
As the year unfolded, several trends and incidents left an indelible mark on the cybersecurity landscape:
Exploiting OneNote for malicious payloads
Cybercriminals leveraged Microsoft OneNote to deliver many malicious payloads to victims, including Redline, AgentTesla, Quasar RAT, and others. This previously underutilized Office program became a favored tool due to its low suspicion and widespread usage.
SEO poisoning and Google Ads
Malicious actors resorted to SEO poisoning tactics, deploying phishing links through Google Ads to deceive unsuspecting victims. These links led to cloned, benign web pages, avoiding Google's detection and remaining active for extended periods. Prominent malware families, including Raccoon Stealer and IcedID, capitalized on this strategy.
Exploiting geopolitical events
Cybercriminals exploited the geopolitical climate, particularly the Middle East conflict, as a lure for their attacks. This trend mirrored the previous year's Ukraine-related phishing campaigns and crypto scams.
APTs: State-sponsored espionage continues to present challenges
Advanced Persistent Threats (APTs) continued to pose a significant threat in 2023:
- Snake: CISA reported on the Snake APT, an advanced cyber-espionage tool associated with the Russian Federal Security Service (FSB). This malware had been in use for nearly two decades.
- Volt Typhoon: A campaign targeting critical infrastructure organizations in the United States was attributed to Volt Typhoon, a state-sponsored actor based in China. Their focus lay on espionage and information gathering.
- Storm-0558: This highly sophisticated intrusion campaign, orchestrated by the Storm-0558 APT from China, infiltrated the email accounts of approximately 25 organizations, including government agencies.
Ransomware's relentless rise
Ransomware remained a prevalent and lucrative threat throughout the year:
- Cuba and Snatch: Ransomware groups like Cuba and Snatch targeted critical infrastructure in the United States, causing concern for national security.
- ALPHV/BlackCat: Beyond SEO poisoning, this group compromised the computer systems of Caesar and MGM casinos. They also resorted to filing complaints with the US Securities and Exchange Commission (SEC) against their victims, applying additional pressure to pay ransoms.
- Exploiting new vulnerabilities: Cybercriminals wasted no time exploiting newly discovered vulnerabilities, such as CVE-2023-22518 in Atlassian's Confluence, CVE-2023-4966 (Citrix bleed), and others. These vulnerabilities became gateways for ransomware attacks.
- Evolving ransomware families: New ransomware variants like Trash Panda emerged while existing families adapted to target Linux and ESXi servers, further expanding their reach.
Notable blogs of the year
1. BlackGuard: Elevating Malware-as-a-Service
One of the year's standout stories was the evolution of BlackGuard, a formidable Malware-as-a-Service (MaaS) offered in underground forums and Telegram channels. This insidious tool underwent a significant upgrade, amplifying its capabilities. Already known for its ability to pilfer sensitive data from browsers, games, chats, and cryptocurrencies, the new BlackGuard variant upped the ante.
BlackGuard improved its Anti-Reversing and Sandboxing capabilities, making it even more elusive to security experts. Moreover, it could now tamper with cryptocurrency wallets copied to the clipboard. This enhancement posed a severe threat to cryptocurrency enthusiasts and investors. Additionally, BlackGuard incorporated advanced Loader capabilities, enabling it to propagate through shared or removable devices and mask its communications via public and private proxies or the anonymous Tor network.
2. SeroXen: A RAT's rapid ascent and fall
In a twist of fate, 2023 witnessed the meteoric rise and fall of SeroXen, a new variant of the Quasar Remote Access Trojan (RAT). This modified branch of the open-source RAT added significant modifications to its original framework, enhancing its capabilities.
SeroXen achieved quick notoriety, with hundreds of samples identified within the first few months of the year. However, shortly after the blog highlighting its emergence was published, the SeroXen website announced its shutdown and implemented a kill-switch, rendering infected PCs useless to malicious actors. It was a rare instance where the publication of research inadvertently led to the downfall of a malware tool.
3. AdLoad: Mac systems turned into proxy servers
AT&T Cybersecurity Alien Labs uncovered a devious malware campaign involving AdLoad. This malware ingeniously transformed users' Mac systems into proxy servers, then sold to third parties, including some with illicit purposes. The threat actor behind AdLoad infected target systems surreptitiously installed a proxy application in the background.
These infected systems were subsequently offered to proxy companies, portraying themselves as legitimate entities. Buyers exploited the benefits of these residential proxy botnets, enjoying anonymity, wide geographical availability, and high IP rotation for conducting nefarious activities, including SPAM campaigns.
Following the publication of the research blog, a similar campaign targeting Windows systems emerged. The modus operandi mirrored that of the Mac version but was tailored for Windows OS, significantly expanding the potential target pool and the impact of the proxy network.
4. AsyncRAT: The persistent phishing threat
Throughout 2023, cybersecurity experts observed a continuous influx of phishing emails using advanced techniques. These emails enticed victims to download a malicious JavaScript file, heavily obfuscated and armed with anti-sandboxing measures to evade detection. These attacks aimed to execute an AsyncRAT client on the compromised systems, granting attackers full remote access.
About us
AT&T Alien Labs is the threat intelligence unit of AT&T Cybersecurity. We help fuel our cybersecurity consulting and managed security services with the most up-to-date threat intelligence information. We work with the Open Threat Exchange (OTX) to provide actionable and community-powered threat data. Watch the AT&T Cybersecurity blog for more observations and research from the Alien Labs team.
Article Link: The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats