The PolySwarm Blog

Executive Summary

This threat bulletin features PolySwarm’s top malware to watch in 2023, as chosen by our analysts.

Key Takeaways

• Our top malware families to watch in 2023 include ALPHV/BlackCat, LockBit, Royal, Dridex, Godfather, Black Basta, RedLine Stealer, Raspberry Robin, SmokeLoader, BlackMatter, Emotet, and IcedID. 
• Our analysts have provided a description of each of these malware families and their reason for inclusion. 

Top Malware to Watch in 2023

PolySwarm analysts chose the following malware families as our top malware to watch in 2023:

ALPHV/BlackCat
BlackCat, also known as ALPHV and Noberus, was first observed in late 2021. BlackCat is a RaaS that includes a highly-customizable feature set, allowing attacks on a wide range of targets. BlackCat is written in Rust, a language seldom used by ransomware developers, and can infect both Windows and Linux machines. The ransomware has been promoted on Russian language hacking forums. BlackCat attacks have occurred in the US, Europe, the Philippines, and other regions. Verticals targeted include construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, and pharmaceuticals. The threat actors behind BlackCat have been effective in marketing to their affiliates, and affiliates receive a generous share of ransom payments. Since BlackCat is written in Rust, developers can easily change the code to pivot and individualize attacks. We expect BlackCat to continue to expand its operations in 2023 due to its versatility and profitable affiliate model.

LockBit
LockBit was first observed in the wild in 2019. In 2022, Lockbit released an updated version of their ransomware, Lockbit 3.0, also known as LockbitBlack. Lockbit has evolved, with new features added since version 2.0. The new version has multiple updates, including a new extortion method. Previously, Lockbit victims were given a specific time period in which to pay the ransom. In version 3.0, Lockbit gives victims the option to pay a fee to delay the ransom deadline, destroy all data, or download all data. LockBit also started its own bug bounty program in 2022. Bug bounty programs typically reward security researchers for discovering and reporting vulnerabilities. Lockbit 3.0 has taken a different approach, offering rewards for finding vulnerabilities, doxxing managers, and submitting “brilliant ideas” to be used for RaaS. LockBit seems to be evolving its capabilities to keep up with changes in the RaaS economy, in some cases staying ahead of the curve with innovative ideas. We expect LockBit operations to continue to evolve in 2023.

Royal
Royal ransomware was first seen in the wild in early 2022, and the threat actors behind Royal are known to use double extortion tactics. Royal is a 64-bit executable written in C++ that targets Windows systems. In November, Royal overtook LockBit as the most prevalent ransomware. In December, industry researchers linked Royal to the Conti group. Royal ransomware was involved in multiple attacks in the past month. In December, HHS warned of attacks using Royal to target healthcare entities in the US. In late December, the threat actors behind Royal claimed attacks on a PBS station in Iowa and Intrado, a telecommunications provider. Royal was recently used in an attack on the Queensland University of Technology, one of the largest universities in Australia. Based on its track record thus far, our analysts expect Royal to gain momentum, becoming more prolific in Q1 2023.

Dridex
Dridex, also known as Cridex and Bugat, is a banking trojan active since at least 2012. It is the successor of Gameover Zeus. The threat actor group known as Evil Corp is responsible for Dridex. Previous Dridex variants were tailored to Windows devices. However, industry researchers recently reported on a variant of Dridex targeting MacOS. This shows Dridex is constantly evolving and still under active development. Our analysts expect Dridex infections to continue in 2023, targeting both Windows and Mac systems.

Godfather
Godfather is an Android banking trojan that has targeted over 400 financial applications, including cryptocurrency wallets, banking applications, and crypto exchanges. It is operated as malware as a service model. It was observed in the wild as early as 2021. Godfather uses a custom encryption scheme to evade detection. Godfather uses convincing overlays to mimic over 400 applications, allowing threat actors to steal login credentials for financial services, crypto wallets, and other applications. In a recent campaign, Godfather was observed masquerading as the MYT Muzik application, which is targeted toward Turkish-speaking users. The app was available on the Google Play Store. Based on the number of known apps affected by Godfather, we assess it is possible additional apps have been impersonated by Godfather. We expect Godfather to expand its reach within the Android threat landscape in 2023.

Black Basta
Black Basta ransomware was first identified in April 2022. Based on compile dates, the ransomware may have been active as early as February 2022. Both Windows and Linux variants exist. The group’s first known activity was in mid-April when a user named BlackBasta posted on underground forums XSS[.]IS and EXPLOIT[.]IN. Their post, written in Russian language, stated their intent to buy and monetize corporate network access, promising affiliates a share of the profit. The user sought access to organizations in the US, Canada, the UK, Australia, and New Zealand. So far, the threat actors behind Black Basta have targeted multiple verticals, including manufacturing, construction, transportation, telecommunications, pharmaceuticals, cosmetics, plumbing and heating, automotive, clothing, and others. In late 2022, the Black Basta ransomware gang was observed targeting US companies. The group was leveraging QakBot to gain a foothold and move laterally across victim networks. This activity was first observed in mid-November. Black Basta typically uses a double extortion model, launching a ransomware attack and stealing sensitive data from a victim, threatening to sell or release it if the victim does not pay the ransom. Black Basta was one of the most active RaaS in 2022, and our analysts expect Black Basta activity to continue into 2023.

RedLine Stealer
RedLine Stealer, written in C#, is a stealer malware advertised on underground forums. It has been in the wild since 2020 and harvests various types of information, including saved credentials, autocomplete data, cryptocurrency, and credit card information. It also takes a system inventory of the victim’s machine, gathering information on the username, location data, hardware configuration, and installed security software. RedLine Stealer can also upload and download files, execute commands, and send information about the infected computer to the C2. RedLine Stealer uses the WCF (Windows Communication Foundation) framework for C2 communication. Industry researchers noted the majority of identity data sold on the underground in 2022 was harvested using RedLine. Due to its versatility and effectiveness, we assess threat actors likely to continue using RedLine Stealer and credentials harvested using RedLine in 2023.

Raspberry Robin
Raspberry Robin is a worm associated with LNK Worm. It spreads over USB devices or shared folders, taking advantage of QNAP devices as stagers. It leverages LNK files, file archives, USB devices, and ISO files to infect victims. In late 2022, Raspberry Robin was observed targeting telecommunications and government entities. It was also observed selling initial access to compromised networks to ransomware gangs and other malware operators. A new Raspberry Robin variant with additional functionality was recently observed targeting financial institutions in Spanish and Portuguese-speaking countries. The new Raspberry Robin variant’s downloader uses additional layers of obfuscation for anti-analysis purposes. Recent activity seems to indicate Raspberry Robin is still actively under development and is expanding the scope of its operations. Our analysts assess it as another family to watch closely in 2023.

SmokeLoader
Some of the most commonly used malware families can wreak havoc, but without a delivery mechanism, they can do nothing. Enter SmokeLoader, a backdoor malware used to deliver other malware. SmokeLoader is often inserted into another application or malware and downloads additional payloads. It has been active since around 2011, with updated variants released over the years to keep up with ever-changing technology. SmokeLoader is often distributed via phishing emails, exploit kits, and trojanized applications. It is known to drop infostealers, banking trojans, backdoors, ransomware, crypto miners, point-of-sale malware, and other malicious software. In 2022, SmokeLoader was used to drop Azov ransomware, a wiper disguised as ransomware. Our analysts saw a high volume of SmokeLoader samples in 2022, and we expect threat actors to continue to use it to deliver various types of malware in 2023.

BlackMatter
BlackMatter is not quite dead yet. BlackMatter ransomware, written in C++,  encrypts files on a victim machine and demands a ransom for decrypting them. It is often distributed via a malicious attachment delivered in a spam or phishing email and is seen as an EXE or DLL when infecting Windows machines. A version targeting Linux machines also exists. BlackMatter ransomware is noted to have continuously evolving updates to help evade detection. While the BlackMatter ransomware operation claimed it was shutting down in late 2021, our analysts have continued to observe samples detected as BlackMatter by multiple engines throughout 2022. Code from BlackMatter was reused in LockBit 3.0. BlackCat ransomware is considered a successor to BlackMatter and shares some similarities. While BlackMatter may no longer be a prominent threat in its original form, the apparent reuse of BlackMatter’s code and TTPs will likely continue into 2023.

Emotet
In late 2021, we reported on Emotet, a banking trojan thought to be inactive that suddenly reappeared in the wild. Emotet was considered dead after its takedown by law enforcement groups in January 2021. PolySwarm researchers saw new variants of Emotet in our marketplace on November 15, 2021, before any industry in-depth analysis reports were released. Industry researchers reported additional Emotet activity observed in May 2022. This activity involved a domain-wide compromise that began as a malicious document containing Emotet. In late 2022, a high-volume malspam campaign delivering Emotet has observed targeting countries worldwide. In this campaign, Emotet acted as a delivery network for other malware families. The Emotet group has been testing different initial access payloads and upgrading the malware’s functionality throughout 2022. The group is also increasingly using Cobalt Strike following Emotet intrusions. Despite setbacks, the threat actors responsible for Emotet have been persistent, and Emotet refuses to die. Our analysts expect Emotet to remain a force to be reckoned with in 2023.

IcedID
IcedID, also known as BokBot, is a modular banking trojan supporting a full-fledged stealer and next-stage implants, such as ransomware and Cobalt Strike beacons. IcedID has been updated multiple times over the last few years. IcedID is typically delivered via spam emails, but threat actors have recently evolved their TTPs to include new delivery methods. In late 2022, threat actors leveraged Google ads to advertise websites masquerading as sites distributing legitimate software. However, when the URL was clicked, victims were led to a fake landing page with a button to download a zip file. The zip file was a malicious archive that installed IcedID when clicked. In early January 2023, additional IcedID activity was observed. Threat actors created a phishing site masquerading as the Zoom website and are using this site to distribute IcedID. As threat actors continue to evolve IcedID’s code base and the TTPs used to deliver this malware, PolySwarm analysts expect to see additional IcedID campaigns in 2023.

Tracking Malware Threats With PolySwarm

PolySwarm tracked the above-mentioned malware samples and more in 2022 and will continue to do so in 2023.

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports