Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits

Kroll’s Q4 analysis shows ransomware groups increasingly gaining initial access through external remote services. The quarter presented a complex security landscape with a mix of both positive and negative trends: positively, activity associated with larger ransomware-as-a-service (RaaS) operations, like LOCKBIT and BLACKCAT, declined. However, negative patterns continued, like the ongoing focus of threat actors on the professional services industry (continuing a key trend from Q3 and earlier on in 2023).

Interestingly, there was a notable drop in phishing attempts in Q4 in comparison to Q3. However, this was counterbalanced by the continued evolution of these phishing tactics, for example with a rise in the use of QR codes. Linked to this, yet another trend we observed following on from Q3 was the ongoing dominance of business email compromise (BEC) attacks. 

Kroll observed the renewal of other familiar threats in Q4, such as a rise in ransomware. Even previously terminated malware groups, like the one behind QAKBOT, regrouped and redefined their strategies (with, for example, a reply-chain phishing campaign delivering PIKABOT). These and other trends observed in Q4 2023 point to a testing 2024 for organizations.

Q4 2023 Threat Timeline

Malware Trends and Analysis

Kroll actively tracks malware C2 infrastructure, submissions to public sandboxes and active IR and MDR case data to generate lists of the most active malware strains for comparison.

Top 10 Malware Strains – Q4 2023

Malware and Ransomware Steal the Limelight

Like Q3, Q4 saw some dramatic changes to the malware and ransomware landscape, with many being a direct result of law enforcement activity to disrupt and degrade the infrastructure of some of the most prolific types. In August, the QAKBOT botnet was heavily disrupted, leading to infrastructure changes and a significant drop in QAKBOT infections in Q3. However, the attempts of threat actors to rebuild the botnet put it firmly back in the top 10 list in Q4. In yet another twist to the tale, although QAKBOT is featured high up on our quarterly trend list, we did not observe any successful infections. 

Notably, the threat actor tracked by Kroll as KTA248 (TA577, TR), as well as one of the actors operating huge QAKBOT campaigns, began deploying new malware strains to gain initial access into corporate environments. This meant that while in Q3 we saw significant increases in DARKGATE, PIKABOT tops our list for Q4. Both malware strains are operated by KTA248 as a potential successor to QAKBOT. Kroll observed a significant overlap between PIKABOT and QAKBOT infrastructure from early- to mid-2023. In November, Kroll noted a reply-chain phishing campaign delivering PIKABOT.

Infostealers also make up more of the quarterly top 10 in Q4, with LUMMASTEALER (LUMMAC2) and STEALC seeing significant upticks. Throughout 2023, and especially in Q4, Kroll witnessed significant increases in infostealer activity, the development of capabilities and new entrants to the market.

Underground Usage of Infostealer Malware on the Rise

Q4 2023 saw the strengthening of the trend in which infostealer malware has become its own ecosystem in the cybercriminal underground. Infostealer logs are a significant factor in the initial access broker market: threat actors who specialize in selling access they have gained to corporate environments to ransomware operators who then complete the attack chain and extort the victim.

Infostealers are most commonly deployed via phishing, malvertising and fake or misleading posts on social media. This means there is often little specific targeting of individuals or organizations, although this is possible. Threat actors hope to infect as many individuals as possible to collect as many credentials as they can. However, this often presents an unseen risk to corporate environments as employees' personal machines can become infected. These might contain credentials that provide access to corporate credentials or present a threat from their reuse, enabling threat actors to test them against edge services such as VPN, email platforms or application gateways.

One of the most common varieties of infostealer we currently encounter is REDLINESTEALER.

REDLINESTEALER

REDLINESTEALER, or simply REDLINE, is available on underground forums through a monthly subscription service that gives an attacker access to the REDLINE panel and the ability to pack the malware and collect the logs of stolen information. Its main functionality is to steal data such as passwords, credit card information, usernames, locations, cookies and hardware configuration from infected systems. REDLINE collects this data from a number of sources, including installed browsers, such as SQLite databases, VPN credentials and Cryptocurrency wallets, such as files containing *.wallet

If REDLINE is found to have been executed on a device, it is safe to consider that any credentials stored locally on that device have been compromised. REDLINE can also download files, making it likely that further payloads could be deployed to a victim device should a threat actor require more functionality depending on their objectives (e.g., high bandwidth data exfiltration or ransomware).

In Q4, Kroll investigated a surge in cases in which users downloaded a file associated with REDLINE. In this instance, the lure was a PDF converter software, where it was likely that the users were searching for a legitimate copy of a tool or, as in some cases, victims were searching for innocuous phrases such as “printable calendars” or “business models.” However, the malicious “pdfconvertercompare[.]com" site was presented early in the search results. This site is still active and serving malware as of January 2024.

Free Exfiltration Mechanisms Scale up the Infostealer Threat

Because infostealer malware is commonly sold as part of a service, threat actors running the services will often look to free services as a scalable solution to control the malware and use it as a method of exfiltration. Infostealers are sold directly on Telegram and use the same service to control and host extracted victim data. Similarly, VIDAR has used Steam usernames to host C2 information and many infostealers will use services such as Discord for storage of exfiltrated data. For these reasons, Kroll recommends blocking Steam, Telegram and Discord domains if they are not used for business activities.