Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future.
The report examines three law enforcement operations: the Emotet takedown, led by Europol and Eurojust in January 2021; the March 2023 action against unlicensed ("cracked") versions of the commercial red-teaming product Cobalt Strike, a joint effort by Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC) and Fortra, the software company that owns Cobalt Strike; and the August 2023 takedown of the QakBot botnet, an FBI-led international operation.
In the cases of Cobalt Strike and QakBot, the operations had a significant short-term impact: malicious activity linked to the two tools dropped sharply in the month following each takedown.
However, according to Recorded Future's observations, malicious activity linked to both tools quickly started growing again.
The use of cracked versions of Cobalt Strike returned to previous levels within about a month, because criminals whose servers were affected by the takedown could simply stand up new infrastructure.
The resurgence of QakBot has been more limited, and its operators had to find new ways of using the malware, such as returning to older versions or crafting updated ones.
As for Emotet, Recorded Future observed that the malware disappeared and returned multiple times between the initial takedown action in 2021 and 2023.
Emotet operations after the takedown were also affected by Microsoft's July 2022 decision to block VBA macros by default in Office documents downloaded from the internet; malicious macros had been a primary initial access vector for Emotet.
In May 2023, the Emotet operations tracked by Recorded Future disappeared.
These operations resurfaced briefly a few weeks later before another lengthy and possibly final disappearance.
Emotet activity has not shown signs of resurgence at the time of writing.
The researchers also stressed that, on a strategic level, cybercriminals who are not taken into custody can easily move on to other intrusion tools and techniques.
Takedowns therefore cannot be viewed as a singular solution to cybercrime and malware operations, they concluded.
Law enforcement agencies should continue infrastructure takedowns on a regular basis, while exploring other options to make cybercriminals' work more difficult.
Recorded Future observed that cybercriminals were increasingly developing new ways to work undetected.
Recorded Future detected 36,022 malicious servers in 2023, more than twice the 17,233 identified in 2022.
Cobalt Strike remained the offensive security tool most used by cybercriminals, despite the partial takedown, and QakBot and Emotet both ranked among the top four botnets used for malicious purposes.
The report also ranked the 20 most used remote access Trojans (RATs); the top five consisted of two open-source tools, AsyncRAT and Quasar RAT, and three well-established tools, PlugX, ShadowPad and DarkComet.
Finally, Recorded Future noticed that, while many infostealers have been used by cybercriminals over the past year, RedLine Stealer and Raccoon Stealer have clearly been dominating the scene.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Wed, 10 Jan 2024 15:00:23 +0000