As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape.
In this video, Nick outlines his two major areas of concern. He also focuses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.
After you’ve watched the video, take a look at the threat spotlight blogs from the year so far that I’ve highlighted below; they may be worth revisiting.
2024 in threat research:
Jan. 18: Exploring malicious Windows drivers
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.
Feb. 8: New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization
Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”
Feb. 15: TinyTurla Next Generation — Turla APT spies on Polish NGOs
This backdoor, which we called “TinyTurla-NG” (TTNG), was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and in how its functionality was implemented.
Feb. 20: Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns
Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.
Feb. 27: TimbreStealer campaign targets Mexican users with financial lures
Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.
March 5: GhostSec’s joint ransomware operation and evolution of their arsenal
We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
April 9: Starry Addax targets human rights defenders in North Africa with new malware
We disclosed a new threat actor we named “Starry Addax,” which targets mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause, using novel mobile malware.
April 16: Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Since at least March 18, 2024, Talos has actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services.
April 17: OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.
April 23: Suspected CoralRaider continues to expand victimology using three information stealers
Talos discovered a new PowerShell command-line argument embedded in the LNK file, used to bypass anti-virus products and download the final payload onto the victim’s host.
April 24: ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices
ArcaneDoor was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.
May 22: From trust to trickery: Brand impersonation over the email attack vector
Cisco developed and released a new feature to detect brand impersonation in emails, where adversaries pretend to be a legitimate corporation.
May 31: New banking trojan “CarnavalHeist” targets Brazil with overlay attacks
Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.
June 5: DarkGate switches up its tactics with new payload, email templates
DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.
ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.
In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft.
You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.