Unpacking the 2024 Cyber Underworld: A Technical Deep Dive into Malicious Infrastructure

Drawing on Recorded Future's 2024 Malicious Infrastructure Report, this technical brief summarizes the key trends, prevalent threats, and evolving tactics observed in the cybercriminal landscape throughout the year. Understanding how malicious infrastructure is built, hosted, and rotated is essential for security professionals seeking to strengthen defenses and mitigate risk proactively. The analysis below highlights the report's most significant shifts and the challenges that persisted across the year.

The Dominance of Malware-as-a-Service (MaaS) Infostealers

A significant trend identified in the 2024 report is the ascendancy of Malware-as-a-Service (MaaS) infostealers, with LummaC2 emerging as the dominant player. This rise can be attributed to several factors, including law enforcement pressure on competing infostealers like RedLine Stealer, which was dismantled as part of Operation Magnus. LummaC2's rapid innovation, including its use of multiple blockchains for retrieving code and C2 addresses, further solidified its leading position. This highlights the agility and sophistication of modern MaaS offerings, providing advanced evasion tactics to a wider range of cybercriminals. Notably, eight of the top ten infostealers operated under the MaaS model in 2024, many with roots in Russia-linked cybercriminal ecosystems. These platforms often sell stolen data logs on underground forums, emphasizing the lucrative nature of information theft.

Persistent Threats: Cobalt Strike and Remote Access Trojans (RATs)

Despite the emergence of new threats, established offensive security tools (OSTs) and remote access trojans (RATs) maintained significant prevalence. Cobalt Strike remained the top OST, accounting for approximately two-thirds of identified C2 servers. Its continued dominance is linked to its ease of use, extensive capabilities, flexibility, widespread familiarity, relative difficulty of detection and removal, and the availability of its leaked source code. The jQuery Malleable Profile was the most popular for Cobalt Strike C2 servers employing malleable profiles, used by both cybercriminals and state-sponsored groups due to its ability to blend in with legitimate web traffic. Notably, the cs2modrewrite profile targeted the most victim countries, indicating its widespread deployment for evading profiling and investigation.

Among RATs, AsyncRAT and QuasarRAT persisted as the top remote access tools. AsyncRAT notably surpassed the combined C2 volume of the next nine RATs, accounting for 50% of all RAT C2 detections in 2024. Four of the top ten RATs were open-source, reflecting the continued adoption of cost-effective and accessible tools, although their open nature can also lead to easier detection. Additionally, DcRAT, WARZONE RAT, and REMCOS RAT operated under a MaaS model, further emphasizing the "as-a-service" trend across different malware categories.

Evolving Evasion Techniques: Leveraging Legitimate Infrastructure and Anonymization

Threat actors increasingly adopted sophisticated evasion techniques to conceal their malicious activities. Chinese state-sponsored groups expanded their use of relay networks built from compromised IoT devices or provisioned VPS to conceal their activity, blend with legitimate traffic, and enable rapid infrastructure rotation. The discovery of the ArcSilt malware, which compromised thousands of SOHO routers globally, underscores the scale and potential impact of these relay networks.

Russian threat actors adapted by extensively using legitimate internet services (LIS) such as Ngrok, Cloudflare, and Telegram to evade detection. This tactic allows them to blend into legitimate network traffic, making upstream infrastructure identification and tracking more challenging. The BlueDelta group's shift to Ngrok for credential harvesting campaigns after law enforcement takedowns illustrates the adaptability of these actors.

The abuse of Content Delivery Networks (CDNs) like Cloudflare and Akamai surged in 2024. Cloudflare, for instance, accounted for over 90% of validated LummaC2 detections, highlighting its consistent use for masking malicious infrastructure. Akamai Connected Cloud was leveraged by a broader range of threats, including RATs, loaders, and infostealers. This trend is expected to continue due to the anonymity and obfuscation these platforms provide.

Traffic Distribution Systems (TDS) continued to play a crucial role in cybercrime by improving efficiency, targeting, and profitability while evading detection. TAG-124, a prominent TDS, served a broad user base, including ransomware groups like Rhysida, demonstrating the interconnectedness of different elements within the cybercriminal ecosystem.

Victimology: Global Reach with Regional Concentrations

The 2024 report provided extensive victimology analysis based on Recorded Future Network Intelligence, identifying victims in approximately 200 countries worldwide. The United States consistently appeared as a top target across various malware categories, likely due to its large population, extensive digital footprint, and role as a global infrastructure hub. However, other regions exhibited significant victim counts and specific malware prevalence. Brazil emerged as a hotspot for RATs and infostealers, with QuasarRAT and AsyncRAT being particularly prevalent. Notably, Cuba and Peru showed high concentrations of Rhadamanthys Stealer victims, indicating potentially targeted or opportunistic campaigns. Android remained the primary target for mobile malware, with Hook leading in C2 server volume, partly due to its source code leak. Türkiye experienced a high proportion of Octo Banking Trojan infections, highlighting regional targeting trends.

The Impact and Limitations of Law Enforcement Takedowns

2024 witnessed numerous law enforcement takedowns targeting various cybercriminal operations, including those associated with Grandoreiro, LockBit, and the malware delivery platforms disrupted in Operation Endgame. While these operations offer several benefits, such as temporarily disrupting activities and collecting intelligence, the report emphasizes the resilience of the cybercriminal ecosystem. Groups often adapt quickly, develop new variants, or leverage alternative tools and infrastructure. For instance, despite the disruption to IcedID in Operation Endgame, Latrodectus, created by the same developer, gradually filled its void. This highlights the need for sustained and multifaceted approaches, including international collaboration, sanctions, and indictments, to effectively combat cybercrime.

Implications for Defenders and Mitigation Strategies

The findings of the 2024 Malicious Infrastructure Report offer crucial insights for strengthening security controls. Defenders should prioritize:

  • Threat Landscape Monitoring: Continuously monitor the evolving threat landscape to understand the latest tools, infrastructure tactics, and targeted regions.
  • DNS and Web Filtering: Implement robust DNS and web filtering to block known malicious domains and prevent access to suspicious sites, acknowledging the use of compromised infrastructure.
  • Controlled Access to Legitimate Internet Services (LIS): Carefully evaluate and restrict access to LIS that are not essential for business purposes to mitigate their abuse for C2 communication.
  • LIS Activity Investigation: Flag and analyze the use of LIS, considering context such as API usage, originating subnetworks, and communicating processes.
  • Enhanced Detection through Simulations: Regularly conduct attack simulations to test the effectiveness of detection mechanisms against evolving threats and specific TTPs.
  • Advanced Threat Detection Tools: Leverage threat intelligence platforms and tools like YARA, Sigma, and Snort rules to identify and respond to suspicious activity.
  • Network Monitoring and Intelligence: Utilize network monitoring solutions and threat intelligence feeds to identify or block communication with suspicious or malicious destinations and detect early signs of exfiltration.
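As an added example (not code from the report or from Recorded Future), the following Python applies the LIS-investigation and network-monitoring recommendations above to constructed proxy/EDR log lines: it matches destinations against an assumed watchlist of the LIS the report names (Ngrok, Cloudflare, Telegram) and escalates each finding using the context the report calls for (communicating process, originating subnet, API usage). The domain suffixes, browser allow-list, and no-LIS subnet are assumptions for illustration.

```python
import ipaddress
# Constructed watchlist of LIS domains the report names as abused (Ngrok, Cloudflare, Telegram).
# Suffixes are assumptions for illustration; maintain your own list in production.
LIS_SUFFIXES = {
    "ngrok.io": "Ngrok", "ngrok-free.app": "Ngrok",
    "trycloudflare.com": "Cloudflare Tunnel", "api.telegram.org": "Telegram Bot API",
}
# Processes for which LIS traffic is plausible (interactive browsing); assumed allow-list.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Source ranges with no business need for LIS (e.g. a server segment); assumed.
NO_LIS_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_line(line):
    """Parse a constructed 'src=... proc=... host=... path=...' proxy/EDR log line."""
    return dict(tok.split("=", 1) for tok in line.split())

def lis_service(host):
    # Return the LIS name if host is, or is a subdomain of, a watchlisted suffix.
    host = host.lower().rstrip(".")
    for suffix, name in LIS_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def score_event(ev):
    """Apply the report's context checks (process, originating subnet, API usage)."""
    svc = lis_service(ev["host"])
    if svc is None:
        return None  # not LIS traffic; nothing to flag here
    reasons = []
    if ev["proc"].lower() not in BROWSERS:
        reasons.append("non-browser process " + ev["proc"])
    if any(ipaddress.ip_address(ev["src"]) in net for net in NO_LIS_SUBNETS):
        reasons.append("source in no-LIS subnet")
    if svc == "Telegram Bot API" and ev.get("path", "/").startswith("/bot"):
        reasons.append("Bot API call (automation, not a chat client)")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {"service": svc, "severity": severity, "reasons": reasons}

def triage(lines):
    """Return (src, finding) for each LIS event, highest severity first; non-LIS lines are dropped."""
    hits = [(ev["src"], f) for ev in map(parse_line, lines) if (f := score_event(ev))]
    return sorted(hits, key=lambda h: ["high", "medium", "low"].index(h[1]["severity"]))

# Constructed sample events: one benign browser visit, two that context escalates, one non-LIS.
SAMPLE_LOG = [
    "src=10.10.5.4 proc=chrome.exe host=demo.ngrok-free.app path=/",
    "src=10.20.7.9 proc=svchost.exe host=abc123.ngrok.io path=/collect",
    "src=10.10.5.7 proc=update.exe host=api.telegram.org path=/botTOKEN/sendDocument",
    "src=10.10.5.8 proc=chrome.exe host=www.example.com path=/",
]
```

Running `triage(SAMPLE_LOG)` returns the two context-escalated events as "high" and the browser visit as "low", which is the kind of tiering that lets an analyst review LIS use without blocking it outright.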

Looking Ahead: Trends to Watch in 2025

Insikt Group anticipates a continuation of existing trends in malicious infrastructure in 2025. This includes the further expansion of the "as-a-service" ecosystem across various threat categories. Threat actors are expected to increasingly leverage legitimate tools and internet services to evade detection, a tactic pioneered by state-sponsored groups that is likely to trickle down to cybercriminal operations. The abuse of CDNs is also expected to persist. With growing mobile reliance, mobile-based threats are likely to rise, with social engineering tactics becoming more prevalent. While primarily used by Chinese state-sponsored groups, relay networks may see broader adoption by other threat actors. Finally, while often facing challenges, law enforcement actions are expected to become more effective due to enhanced international cooperation and expertise.

Conclusion

The 2024 Malicious Infrastructure Report paints a detailed picture of a dynamic and adaptive cyber threat landscape. The dominance of MaaS infostealers, the persistent use of established OSTs and RATs, and the increasing sophistication of evasion techniques highlight the ongoing challenges faced by security professionals. Understanding these trends, coupled with proactive monitoring and robust mitigation strategies, is crucial for organizations seeking to navigate the complexities of the modern cyber underworld and protect their valuable assets. The anticipated continuation of these trends into 2025 underscores the need for continuous vigilance and adaptation in the face of evolving malicious infrastructure.