In January, our analysts made various predictions for the 2023 threat landscape. In this report, we present malware trends and observations that correlate with those predictions.
Key Takeaways
In January, our analysts predicted an increase in ransomware and other malware written in Go or Rust. This includes both new malware and new variants of existing malware families. This year, we have observed multiple families written in Go, including DeadBolt and Mirai. There were also multiple families written in Rust, including SysJoker and Akira.
Earlier this year, our analyst predictions included an increase in mobile malware and a continued increase in malware targeting Linux systems and IoT devices. These predictions were accurate, with multiple new malware families and renewed campaigns targeting Android and iOS devices as well as Linux systems.
The malware families we reported on that were observed targeting mobile devices included Godfather, Hook, Wroba.o, Nexus, Anatsa, SecuriDropper, AhRAT, WyrmSpy, DragonEgg, SpyNote, Goldoson, and BadBazaar.
Malware targeting Linux or IoT devices included SprySOCKS, BiBi-Linux, SysUpdate, IceFire, and PingPull. Ransomware families releasing a Linux variant included Monti, Cl0p, and Royal.
Additionally, we saw an increase in malware targeting macOS, with several ransomware families gaining a macOS variant. Malware we reported on that targeted macOS included Realst, a Go-based proxy, MacStealer, RustBucket, and Geacon. Ransomware families releasing a Mac variant included LockBit. The LockBit Mac variant is thought to be the first time a big-name ransomware gang has targeted macOS systems.
Our analysts predicted there would be continued activity targeting Russia and Ukraine. This prediction also proved to be true, as the Russia-Ukraine conflict has continued throughout 2023. We provided a spotlight on this activity here. In 2023, we also observed a large amount of cyber activity in the Gaza region due to the ongoing conflict that ignited an all-out war in October. We provided a spotlight on cyber activity in the Gaza region in 2023 here.
Our analysts predicted software supply chain attacks would also continue. We observed multiple instances of software supply chain attacks. Carderbee targeted entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. In another campaign, threat actors leveraged a zero-day attack embedded in three PyPI packages. Affected packages included ‘colorslib’, ‘httpslib’, and ‘libhttps’. All three packages were published in early January by a user known as Lolip0p and were used to deliver a Wacatac payload. In yet another supply chain attack, Labyrinth Chollima, a North Korea-nexus threat actor group associated with Lazarus, was observed targeting 3CX. In this supply chain attack, the threat actors targeted both Windows and macOS versions of 3CX’s desktop application.
Our analysts predicted an increase in cybercrime targeting cryptocurrency. In one campaign, threat actors used Parallax RAT to target entities in the cryptocurrency sector. Kinsing threat actors were observed leveraging CVE-2023-46604, a vulnerability affecting Apache ActiveMQ, to infect Linux systems with cryptominers and rootkits. Other campaigns targeting cryptocurrency used a variety of malware families, including BunnyLoader, PennyWise, and Titan Stealer.
In January, our analysts predicted that ransomware gangs and other financially motivated threat actors would find new avenues of extortion and that new crime-as-a-service offerings would emerge.
One unique TTP we observed was the approach used by the Rhysida ransomware gang. Rather than directly demanding a ransom payment, the ransom note dropped on the victim machine appears to be an alert from the Rhysida “cybersecurity team” warning victims that their system has been compromised and their files are encrypted. As a solution, the victim must pay for a “unique key” to decrypt the files.
Another unique TTP we observed followed ALPHV’s compromise of the software company MeridianLink. The threat actors followed up on the attack by filing a U.S. Securities and Exchange Commission complaint against the victim for not complying with the SEC’s four-day cyberattack disclosure rule.
Finally, new crimeware-as-a-service offerings we observed in 2023 included Meduza Stealer. Additionally, some existing ransomware-as-a-service (RaaS) offerings expanded in 2023, including ShadowSyndicate.