2024 Malicious Infrastructure Report

In 2024, Insikt Group expanded its monitoring of malicious infrastructure, focusing in particular on malware families and infrastructure types. Key trends included the rise of malware-as-a-service (MaaS) infostealers, with significant activity from LummaC2, and persistent targeting of Android by mobile malware. State-sponsored groups from China and Russia adapted their tactics, leveraging legitimate internet services to enhance their cybercrime efforts. The report urges affected organizations to use its findings to strengthen their security controls.

Affected: malware families, infrastructure types, global cybercrime landscape

Key points:

  • Insikt Group broadened its tracking capabilities, adding more malware families and integrating diverse data sources.
  • MaaS infostealers, particularly LummaC2, gained prevalence, spurred by law enforcement actions against competitors.
  • Android remained a primary target for mobile malware, with Hook leading among threats.
  • Cobalt Strike continued to dominate offensive security tools, with significant usage of Metasploit and rising detections of Sliver.
  • The US, Brazil, and China were identified as major locations for cybercrime victims.
  • Latrodectus was dominant among droppers and loaders, while traffic distribution systems like TAG-124 increased cybercrime efficiency.
  • State-sponsored groups from China and Russia adapted their techniques to evade detection using legitimate services.
  • Law enforcement may enhance efficiency through improved international collaboration.

MITRE Techniques:

  • TA0036 – Command and Control: Used through Cobalt Strike and other malware with significant command-and-control (C2) infrastructures.
  • TA0001 – Initial Access: Various malware like AsyncRAT and Quasar RAT serve as an initial entry point.
  • TA0040 – Discovery: Leveraged by actors to gather information about victim networks, using tools like AsyncRAT.
  • TA0037 – Execution: Executed payloads through remote access tools and droppers like Latrodectus.
  • TA0007 – Persistence: Employed by various malware families to maintain long-term access to infected networks.

Indicators of Compromise:

  • [Domain] lummaC2.com
  • [Domain] asyncRAT.com
  • [Domain] quasarRAT.com
  • [Email] info@lummaC2.com
  • [IP Address] 192.0.2.0
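The indicators above are listed in mixed case and include an IP address that falls inside the RFC 5737 TEST-NET-1 documentation block (192.0.2.0/24). The following script, an added example that is not part of the report or of Recorded Future's tooling, shows how a defender would normalize this list before using it: domains and e-mail addresses are lower-cased (DNS and mail addressing are case-insensitive, so exact-match comparisons on the mixed-case values would otherwise miss), addresses in reserved or documentation ranges are quarantined instead of being pushed to a blocklist, and the remaining indicators are matched against log lines. The log lines and their column layout (timestamp, source, client IP, event fields) are constructed for this example.

```python
"""Normalize the page's listed indicators and match them against sample log lines.

Added example, not part of the original report summary. The indicator values are
the ones printed on the page; the log lines below are constructed for this demo.
"""
import ipaddress
import re

# Indicators exactly as listed on the page: (type, value).
PAGE_IOCS = [
    ("Domain", "lummaC2.com"),
    ("Domain", "asyncRAT.com"),
    ("Domain", "quasarRAT.com"),
    ("Email", "info@lummaC2.com"),
    ("IP Address", "192.0.2.0"),
]

# RFC 5737 documentation blocks plus RFC 1918 / RFC 6890 special-purpose ranges.
# An "indicator" inside one of these cannot be a real attacker address and must
# not be deployed to a blocklist; it is reported separately instead.
_RESERVED = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",   # RFC 5737 TEST-NET-1/2/3
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def normalize(iocs):
    """Return (domains, emails, ips, rejected) with values lower-cased and
    reserved-range IPs moved to `rejected` as (value, reason) tuples."""
    domains, emails, ips, rejected = set(), set(), set(), []
    for kind, value in iocs:
        v = value.strip().lower().rstrip(".")
        if kind == "Domain":
            domains.add(v)
        elif kind == "Email":
            emails.add(v)
        elif kind == "IP Address":
            addr = ipaddress.ip_address(v)
            if any(addr in net for net in _RESERVED):
                rejected.append((value, "reserved or documentation range"))
            else:
                ips.add(str(addr))
    return domains, emails, ips, rejected


def match_line(line, domains, emails, ips):
    """Return (indicator_type, indicator, raw_token) hits found in one log line.
    Domain matches include subdomains (mail.example.com matches example.com)
    but not look-alikes (notexample.com does not match example.com)."""
    hits = []
    for raw in line.split():
        tok = raw.lower().strip(",;\"'")
        tok = tok.rsplit("=", 1)[-1]            # keep the value of key=value fields
        host = tok.rsplit(":", 1)[0] if re.fullmatch(r"[^:]+:\d+", tok) else tok  # drop :port
        if host in emails:
            hits.append(("Email", host, raw))
        elif host in ips:
            hits.append(("IP Address", host, raw))
        else:
            for d in domains:
                if host == d or host.endswith("." + d):
                    hits.append(("Domain", d, raw))
                    break
    return hits


# Constructed sample log: timestamp, source, client IP, event fields.
SAMPLE_LOG = """\
2024-11-03T10:12:01Z dns   10.1.4.22 query A mail.lummac2.com
2024-11-03T10:12:05Z proxy 10.1.4.22 CONNECT cdn.example.net:443
2024-11-03T10:13:10Z dns   10.1.7.9  query A asyncrat.com
2024-11-03T10:14:00Z proxy 10.1.7.9  CONNECT 192.0.2.0:443
2024-11-03T10:15:00Z smtp  10.1.2.3  from=info@lummaC2.com
2024-11-03T10:16:00Z dns   10.1.2.3  query A notlummac2.com
"""


def scan(log_text, iocs=PAGE_IOCS):
    """Return (findings, rejected). Each finding is
    (indicator_type, indicator, client_ip, full_line); the client IP is taken
    from the third column of the constructed log format."""
    domains, emails, ips, rejected = normalize(iocs)
    findings = []
    for line in log_text.splitlines():
        cols = line.split()
        for kind, ioc, _tok in match_line(line, domains, emails, ips):
            findings.append((kind, ioc, cols[2], line))
    return findings, rejected


if __name__ == "__main__":
    found, quarantined = scan(SAMPLE_LOG)
    for kind, ioc, client, _line in found:
        print(f"HIT  {kind:<10} {ioc:<22} client={client}")
    for value, reason in quarantined:
        print(f"SKIP {value:<33} {reason}")
```

With the indicators as printed on the page, the 192.0.2.0 entry is quarantined rather than matched, so the CONNECT to 192.0.2.0:443 in the sample log produces no hit, while the three real hits (a subdomain of lummac2.com, asyncrat.com, and the sender address) are reported with the client that triggered them.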

Full Story: https://www.recordedfuture.com/research/2024-malicious-infrastructure-report