Chris Swagler | February 28th, 2023

The threat landscape is extremely diversified, with attacks ranging in sophistication from simple scams to nation-state-level cyber espionage. However, companies must prioritize their defenses against the most common threats that can affect them and their employees. A recently released cybersecurity report identified five threats that serve as models for some of the most frequent malware families observed in 2022; each is discussed below.

Protecting companies for the rest of 2023 requires one important understanding: the deadliest cyber threats companies will encounter aren’t the oddest, most complex, or most eye-catching attacks they’ll witness, and they’re not even the most prevalent. The most dangerous threats stem from a set of known, mature tools and tactics on which an entire ecosystem of cybercriminals relies to make billions of dollars each year.

LockBit, A Leader in Ransomware

The ransomware threat landscape changed dramatically last year, with very successful groups, including Conti, shutting down their operations and numerous smaller groups quickly filling the void. LockBit, a ransomware-as-a-service (RaaS) operation, swiftly developed and recruited a significant number of affiliates, the mercenaries of the cybercrime underground. Lone threat operators or groups of specialized individuals handle the initial access and lateral movement parts of an intrusion before deploying the ransomware program, with affiliates receiving a major portion of the ransom paid by victims. The ransomware creators provide the software and the back-end infrastructure, and conduct the negotiations with victims.

LockBit has been around since 2019, originally under the name ABCD, so it is not considered a new threat. LockBit was overshadowed by larger and more prolific groups, including Maze, Ryuk, and Conti, which attracted most of the threat operator talent. LockBit began making changes in 2021 when it introduced LockBit 2.0, but the operation really took off when it launched LockBit 3.0 and reworked the entire affiliate program, making it more attractive to affiliates looking for work in the aftermath of Conti’s downfall. LockBit put enormous effort into advertising itself to affiliates, maintaining a slick dark website, engaging in PR stunts, and paying bounties for discovering flaws in its software.

The group claims to have 100 affiliates, ensuring that if one is caught, the operation is not disrupted. Last year, LockBit was the most prolific ransomware operation, with 3.5 times as many victims as the next most active ransomware, ALPHV. In 2022, LockBit was involved in one in every three ransomware incidents, demanding a $50 million ransom. The affiliates targeted all business types, ranging from small law firms to large multinational corporations, and utilized various tactics to obtain initial access, including abusing weak remote access credentials (RDP and VPN), exploiting vulnerabilities in public-facing systems, and sending phishing emails with malicious attachments. Once inside, the group destroys backups and employs lateral movement techniques to gain administrator access to the domain.

The Pernicious Botnet, Emotet

Emotet, a botnet serving as a delivery platform for other malware families, including some of the most prolific ransomware and Trojan programs in recent years, is another major player in the cybercrime underground. Emotet has undergone numerous revisions since its appearance in 2014, beginning as a banking Trojan, malware designed to steal online banking credentials. When this type of cybercrime became less popular, the botnet’s owners shifted their focus to malware distribution. Emotet’s modular architecture makes it highly adaptable and easily customized for different tasks. Emotet was previously called the world’s most dangerous malware. Law enforcement agencies from the United States, the United Kingdom, Canada, Germany, and the Netherlands successfully took over the botnet’s command and control infrastructure in 2021. However, the effect of the takedown was short-lived, and Emotet was quickly rebuilt, demonstrating its resiliency.

After a brief hiatus, the botnet resurfaced in November 2022 with a new iteration, delivering thousands of malicious emails every day. Emotet’s creators specialize in spam lures, including thread hijacking and language localization, using email as the major delivery tool. The most recent spam campaign sent archives containing Excel files with malicious macros. Once deployed, Emotet injects more malware into systems and has been used to install TrickBot, another botnet closely associated with the Ryuk ransomware. In recent campaigns, the botnet was detected dropping the XMRig crypto miner and the IcedID Trojan, which is associated with other malware families.

Emotet can harvest contacts from Outlook accounts installed on infected computers, use them to send further spam emails, and attempt to crack the passwords of network shares. Because Emotet aggressively infects and reinfects other machines, eradicating it from companies can be a very difficult and costly task. A single wrong click in Allentown, Pennsylvania caused an outbreak that cost $1 million to remediate. Emotet is a paradigm for botnets that operate as malware delivery platforms and act as initial access providers into companies’ networks, just as LockBit is an archetype for modern ransomware programs.

Drive-By Downloads Still Here with SocGholish

Drive-by downloads are malware threats distributed through websites rather than email. This was a popular tactic during the days of browser plug-ins, including Java, Flash Player, and Adobe Reader, because threat operators could exploit vulnerabilities in outdated versions of the plug-ins. The strategy is still being used, even though it now requires user interaction and social engineering. SocGholish is a remote access Trojan (RAT) used as a malware loader; it is often delivered by malicious ads or fake pop-ups announcing vital browser updates shown on infected websites. When users accept the rogue browser update, they normally receive a ZIP archive containing a JavaScript file. If the file is executed, it conducts reconnaissance on the machine and network before deploying another malware threat, most likely ransomware. SocGholish is a simple Trojan that utilizes a combination of social engineering and target fingerprinting to effectively compromise high-profile companies and critical infrastructure. Its ultimate objective is delivering ransomware, and it’s a threat to be taken seriously.
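As an added defender-side illustration (not from the report or SpearTip), the following Python check inspects an archive in memory for the two attachment patterns described above: the SocGholish-style "browser update" ZIP holding a JavaScript file, and the Emotet-style archive carrying a macro-enabled Excel workbook. The sample archives are constructed placeholders; the macro check relies on the OOXML convention that VBA code is stored as `xl/vbaProject.bin`, and the inclusion of `.jse` alongside `.js` is an assumption.

```python
import io
import zipfile

def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample archives (placeholders, not real malware)
SAMPLES = {
    # SocGholish-style: "browser update" ZIP holding a JavaScript file
    "fake_update": _zip_bytes({"Chrome.Update.js": b"// constructed placeholder\n"}),
    # Emotet-style: ZIP holding a workbook whose own ZIP carries xl/vbaProject.bin
    "invoice": _zip_bytes({"invoice.xlsm": _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\x00constructed",
    })}),
    # Benign: macro-free workbook plus a PDF
    "report": _zip_bytes({"q4.xlsx": _zip_bytes({"xl/workbook.xml": b"<workbook/>"}),
                          "summary.pdf": b"%PDF-1.4 constructed"}),
}

def excel_has_macros(data: bytes) -> bool:
    """OOXML workbooks are ZIPs; VBA code lives in xl/vbaProject.bin.
    Legacy .xls (OLE) is not a ZIP and is reported as False (unknown) here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as wb:
            return any(n.lower().endswith("vbaproject.bin") for n in wb.namelist())
    except zipfile.BadZipFile:
        return False

def inspect_archive(data: bytes) -> list[str]:
    """Return findings for an archive; nothing is extracted to disk or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith((".js", ".jse")):  # a script where an "update" was promised
                findings.append(f"script-in-archive:{info.filename}")
            elif name.endswith((".xlsm", ".xlsx", ".xltm")) and excel_has_macros(zf.read(info)):
                findings.append(f"macro-workbook:{info.filename}")
    return findings

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, inspect_archive(blob) or "clean")
```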

Android Droppers

With mobile devices accounting for a huge percentage of companies’ fleets of devices, Android threats shouldn’t be overlooked. Android droppers are Trojan programs disguised as legitimate applications or free versions of paid apps and distributed through third-party app stores and the numerous websites users may visit. The droppers aren’t easily installed, since users must change the default security settings and ignore warnings; however, malicious apps have also been spotted on the official Google Play store. Other threats, including hidden ads, banking Trojans, and apps that steal passwords and emails, record audio, and capture photographs, can be delivered using the droppers. The droppers accounted for 14% of Android detections in 2022, and even though other malware is more prevalent, droppers are the biggest threat to companies.

Adware: Most Prevalent Threat on Macs

The macOS malware ecosystem is substantially smaller than that of Windows; however, a threat still exists. Adware, applications used to inject unwanted ads, is one of the most prevalent types. Genio is one of the oldest adware apps on macOS, and it’s used to hijack browser searches. Most macOS adware and malware, like Android droppers, are spread as fake applications or updates. Genio used to disguise itself as Flash Player updates or video codecs; it now masquerades as PDF reader or video converter apps. Genio can be difficult to remove once installed due to its aggressive hiding behavior. It employs code obfuscation to mimic system files and files belonging to other applications. It injects libraries into other processes, exploits system flaws to grant itself permissions, installs browser extensions without the users’ knowledge, and manipulates users’ password keychains. Even though it’s classified as adware, Genio has deployed various malware-like behaviors to dig deeper into the computers it’s installed on, penetrating defenses and breaching security to make itself very difficult to remove. Researchers explained that last year the threat accounted for one in ten threat detections on macOS.

With these cyber threats impacting companies in 2022, it’s important for businesses to study and prepare for these threats in 2023 so they can protect their networks, assets, and employees. Additionally, companies should always remain vigilant of the latest threat landscape. At SpearTip, our certified engineers are continuously working at our 24/7/365 Security Operations Center monitoring companies’ data networks for potential cyber threats. Our remediation experts focus on restoring companies’ operations, reclaiming their networks by isolating malware and recovering business-critical assets.

Our ShadowSpear Platform, an integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to detect sophisticated unknown and advanced cyber threats. ShadowSpear also has advanced detection engines powered by artificial intelligence (AI) and attack tactics, techniques, and procedures (TTP) models to detect malicious activities.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.