The threat landscape is highly diverse and attacks range in sophistication from the most basic scams to nation-state-level cyberespionage.
However, companies need to prioritise their defenses against the most common threats that are likely to impact them and their employees.
In its newly released annual State of Malware report, cybersecurity firm Malwarebytes selected five threats that it considers archetypes for some of the most common malware families observed in 2022:
- LockBit ransomware
- The Emotet botnet
- The SocGholish drive-by download
- Android droppers
- macOS Genio adware
"Protecting your business for the rest of 2023 requires one critical understanding: The most dangerous cyberthreats you will face are not the strangest attacks you will see on any given week, or the most sophisticated, or the most eye-catching. They are not even the most prevalent," the company said in its report.
"Instead, the most dangerous threats come from a set of known, mature tools and tactics that an entire ecosystem of cybercriminals rely upon to take in billions of dollars a year."
LockBit is the king of ransomware
Last year saw big changes in the ransomware threat landscape with highly successful gangs such as Conti shutting down operations.
The void was quickly filled by a plethora of smaller groups. By far the standout was LockBit, a ransomware-as-a-service (RaaS) operation that innovated quickly and attracted a large number of affiliates.
Affiliates are the cybercrime underground's mercenaries. Either lone hackers or groups of specialised individuals, they handle the initial access and lateral movement stages of an intrusion and then deploy the ransomware program they're affiliated with, in exchange for a significant portion of the ransoms paid by victims.
Meanwhile, the ransomware creators provide the software itself and the back-end infrastructure, and handle the negotiation with victims.
LockBit is not a new threat and has been around since 2019, originally under the name ABCD.
For the first two years of its existence, the operation was overshadowed by bigger and more prolific groups such as Maze, Ryuk, and Conti that managed to attract most of the hacking talent.
This began to change in 2021 with the release of LockBit 2.0 but really exploded last year when LockBit 3.0 was launched and the entire affiliate program was revamped to make it more attractive to affiliates looking for work in the wake of Conti's demise.
LockBit "puts a lot of effort into marketing itself to affiliates, maintains a slick dark web website, conducts PR stunts, and pays bug bounties for finding flaws in its software," the Malwarebytes researchers said. "It claims to have 100 affiliates. So, if one is caught, the LockBit operation is not disrupted."
According to Malwarebytes' telemetry, LockBit was by far the most prolific ransomware operation last year, with 3.5 times as many victims as the next most active ransomware operation, ALPHV.
Overall, one in three ransomware incidents in 2022 involved LockBit and the largest ransom demanded by the gang was $50 million.
LockBit affiliates hit all types of businesses, from small law firms to large multinational corporations, and use various methods to gain initial access: abusing weak remote-access credentials (RDP and VPN), exploiting vulnerabilities in public-facing systems, and sending phishing emails with malicious attachments.
Once inside, they destroy backups and use lateral movement techniques to gain domain administrator access.
"If you can understand and address LockBit, you’ll greatly reduce the risk of any ransomware attack on your organisation," the Malwarebytes researchers said.
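The backup-destruction step described above is one of the few moments in a LockBit-style intrusion that is both noisy and still ahead of encryption, so it is worth a dedicated detection. The following is an added example written for this article, not code from Malwarebytes or its report: it scans Windows process-creation events (Sysmon Event ID 1 or Security 4688 style records) for the commands ransomware commonly uses to wipe shadow copies and backups. The article only says affiliates "destroy backups"; the specific commands matched (vssadmin, wmic, wbadmin, bcdedit, PowerShell WMI) are an assumption drawn from widely documented ransomware tradecraft, and the log records are constructed.

```python
"""Flag backup-destruction commands in Windows process-creation events.

Added example for this article; not code from Malwarebytes or its report.
The article only says LockBit affiliates destroy backups before deploying
ransomware. The concrete commands matched below (vssadmin, wmic, wbadmin,
bcdedit, PowerShell WMI) are an assumption drawn from widely documented
ransomware tradecraft (ATT&CK T1490, Inhibit System Recovery), not from the
page. The events are constructed to look like Sysmon Event ID 1 / Security
4688 records; they are not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, regex applied to the normalised command line)
BACKUP_DESTRUCTION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_shadowcopy\b.*\bdelete\b")),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


def normalise(command_line):
    """Lower-case, strip quotes and collapse whitespace so that quoting or
    extra spaces (cheap evasions) do not slip past the regexes."""
    stripped = command_line.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def scan_events(events):
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        cmd = normalise(ev.get("CommandLine", ""))
        for name, pattern in BACKUP_DESTRUCTION_RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"),
                                        name, ev.get("CommandLine", "")))
                break  # one rule per event is enough for triage
    return findings


def suspicious_hosts(findings, min_distinct_rules=2):
    """Hosts on which several distinct destruction techniques fired. A single
    vssadmin call can be an admin at work; three different tools in a row on
    a workstation is pre-encryption staging."""
    rules_per_host = defaultdict(set)
    for f in findings:
        rules_per_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_per_host.items()
                  if len(rules) >= min_distinct_rules)


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"Computer": "WS-FIN-07", "User": "CORP\\j.doe",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-FIN-07", "User": "CORP\\j.doe",
     "CommandLine": r"bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS-FIN-07", "User": "CORP\\j.doe",
     "CommandLine": r"wbadmin delete catalog -quiet"},
    {"Computer": "SRV-BACKUP-01", "User": "CORP\\svc_backup",      # benign: read-only
     "CommandLine": r"vssadmin list shadows"},
    {"Computer": "SRV-BACKUP-01", "User": "NT AUTHORITY\\SYSTEM",  # benign: unrelated
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Computer": "WS-HR-12", "User": "CORP\\a.smith",
     "CommandLine": 'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"Computer": "WS-HR-12", "User": "CORP\\a.smith",
     "CommandLine": r"wmic.exe shadowcopy delete /nointeractive"},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host:14} {h.user:22} {h.rule:32} {h.command_line}")
    print("hosts to isolate:", suspicious_hosts(hits))
```

The per-host aggregation matters more than the individual rules: backup administrators do legitimately run `vssadmin` and `wbadmin`, so a single hit is a ticket, while two or three distinct techniques from one user on a workstation within minutes is the point at which isolating the host beats waiting for confirmation.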
Emotet, the immortal botnet
Another big player in the cybercrime underground is Emotet, a botnet that serves as a delivery platform for other malware families, including some of the most prolific ransomware and Trojan programs in recent years.
Dating back to 2014, Emotet went through many iterations, originally starting out as a banking Trojan -- a program focused on stealing online banking credentials.
When that branch of cybercrime became less popular, the botnet's owners pivoted to malware distribution. Emotet's modular architecture makes it very flexible and easily customisable for different tasks.
Europol once called Emotet the world's most dangerous malware.
In 2021, law enforcement agencies from multiple countries, including the US, the UK, Canada, Germany and the Netherlands, managed to take over the botnet's command-and-control infrastructure. The effect of the takedown was short-lived: Emotet was soon rebuilt, demonstrating its resilience.
In November 2022, the botnet returned with a new iteration, after a four-month break, distributing hundreds of thousands of malicious emails every day.
Using email as its primary delivery mechanism, Emotet's operators specialise in spam lures, using techniques such as thread hijacking and language localisation. The latest spam campaign distributed archives containing Excel files with malicious macros.
Once deployed, Emotet drops additional malware onto infected systems. In the past it installed TrickBot, another botnet that had a close relationship with the Ryuk ransomware.
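The archive-wrapped Excel lure is the part of this campaign a mail gateway can actually inspect, because the macro is visible in the file structure before anyone opens it. Here is an added example, written for this article and not code from Malwarebytes or its report, that unpacks a ZIP attachment recursively and reports Office files carrying VBA. Modern OOXML documents (.xlsm, .docm and so on) are themselves ZIPs that store macros as vbaProject.bin, which is checked directly; legacy binary files (.xls, .doc) are OLE2 compound documents, which the example flags by signature only, without parsing their VBA streams. The attachment is constructed in memory, and the vbaProject.bin content is a placeholder rather than real VBA.

```python
"""Find macro-carrying Office files inside an email archive attachment.

Added example for this article; not code from Malwarebytes or its report.
The article says Emotet's latest lure was an archive containing an Excel
file with malicious macros, so this scanner unpacks a ZIP attachment
(recursively, since zip-in-zip lures are common) and reports Office files
that carry VBA. Modern OOXML files (.xlsm, .docm, ...) are themselves ZIPs
and store macros as vbaProject.bin, which is checked directly; legacy binary
files (.xls, .doc) are OLE2 compound documents, which this example flags by
signature only without parsing their VBA streams. The sample attachment is
constructed in memory and the vbaProject.bin content is a placeholder.
"""
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate zip bombs
# Extensions where macros are expected; VBA behind any other extension is a red flag.
MACRO_CAPABLE_EXTS = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pot",
                      ".xlsm", ".xltm", ".xlsb", ".xlam", ".docm", ".dotm", ".pptm", ".ppam"}


def has_vba(data):
    """Return (kind, reason) if `data` looks like an Office file carrying VBA, else None."""
    if data.startswith(OLE2_MAGIC):
        return "ole2", "legacy binary Office file (treat as macro-capable; parse streams to confirm)"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as office:
                names = [n.lower() for n in office.namelist()]
        except zipfile.BadZipFile:
            return None
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml", "contains vbaProject.bin (VBA macros)"
    return None


def scan_archive(blob, max_depth=3):
    """Walk a ZIP attachment and return one finding per macro-carrying member."""
    findings = []

    def walk(data, path, depth):
        if depth > max_depth or not data.startswith(ZIP_MAGIC):
            return
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                full = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append({"path": full, "kind": "skipped",
                                     "reason": "member too large to inspect",
                                     "extension_mismatch": False})
                    continue
                member = zf.read(info.filename)
                verdict = has_vba(member)
                if verdict is None:
                    walk(member, full, depth + 1)  # nested archive (a clean OOXML yields nothing)
                    continue
                kind, reason = verdict
                ext = os.path.splitext(info.filename)[1].lower()
                findings.append({"path": full, "kind": kind, "reason": reason,
                                 "extension_mismatch": ext not in MACRO_CAPABLE_EXTS})

    walk(blob, "attachment", 0)
    return findings


def build_ooxml(with_vba):
    """Constructed minimal OOXML workbook; vbaProject.bin is a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed lure: macro workbook renamed to .xlsx, a clean workbook,
    a nested ZIP holding a legacy .xls, and a decoy text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Payment details.xls", OLE2_MAGIC + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_1234.xlsx", build_ooxml(with_vba=True))
        z.writestr("Clean.xlsx", build_ooxml(with_vba=False))
        z.writestr("Old.zip", inner.getvalue())
        z.writestr("Readme.txt", "Please see the attached documents.")
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_attachment()):
        flag = " [extension mismatch]" if f["extension_mismatch"] else ""
        print(f'{f["path"]}: {f["kind"]} - {f["reason"]}{flag}')
```

Two design points carry over to production use. The verdict comes from file content, not the file name, so a macro workbook renamed to .xlsx is still caught and additionally flagged as an extension mismatch; and the uncompressed size is checked before a member is inflated, since an attachment scanner is an obvious zip-bomb target. For legacy OLE2 files a real gateway should go further and extract the VBA itself, for example with the open-source olevba tool from oletools.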
In the latest campaigns, the botnet was seen dropping the XMRig cryptominer and the IcedID Trojan, which itself is associated with other malware families.
Emotet also steals contacts from Outlook on infected computers and uses them to send further spam, and it attempts to crack the passwords of network shares.
"Because it infects and reinfects other machines so ferociously, removing Emotet from an organisation can be an extremely complex and costly task," the Malwarebytes researchers said. "In the city of Allentown, Pennsylvania, a single errant click caused an outbreak that cost a reported $1 million to remediate."
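The share-password cracking that drives this reinfection is visible on the file server long before the outbreak is obvious: one infected workstation trying a password list against a share produces a burst of failed network logons (Security Event ID 4625 with Logon Type 3) from a single source address against several accounts within minutes, which a user mistyping their own password does not. The following added example, written for this article and not code from Malwarebytes or its report, applies that sliding-window check to constructed Security log records; the thresholds are assumptions to be tuned per environment.

```python
"""Spot network-share password guessing in Windows Security logs.

Added example for this article; not code from Malwarebytes or its report.
The article says Emotet tries to crack the passwords of network shares to
spread. Done from one infected host, that shows up on the file server as a
burst of failed network logons (Security Event ID 4625, Logon Type 3) from a
single source address against several accounts in a short window, which a
user mistyping their own password does not produce. The events and the
thresholds are constructed assumptions; tune the thresholds per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_share_bruteforce(events, window=timedelta(minutes=5),
                            min_failures=10, min_distinct_accounts=3):
    """Return one alert per source address whose failed network logons
    exceed the thresholds inside any sliding window of `window` length."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625 and ev["LogonType"] == 3:
            by_source[ev["IpAddress"]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["Time"])
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e["TargetUserName"].lower() for e in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_distinct_accounts:
                if best is None or len(chunk) > best["failures"]:
                    best = {"source": src,
                            "workstation": chunk[0].get("WorkstationName", "?"),
                            "target": chunk[0].get("Computer", "?"),
                            "failures": len(chunk),
                            "accounts": sorted(accounts),
                            "first": chunk[0]["Time"], "last": chunk[-1]["Time"]}
        if best:
            alerts.append(best)
    return alerts


def build_sample_events():
    """Constructed Security log: a worm-style spray from one workstation and
    a human mistyping a password a few times over forty minutes."""
    base = datetime(2022, 11, 14, 9, 30)
    sprayed = ["administrator", "backup", "svc_share", "j.doe"]
    events = []
    for i in range(12):  # 12 failures in under 3 minutes, 4 accounts
        events.append({"EventID": 4625, "LogonType": 3, "IpAddress": "10.0.5.23",
                       "WorkstationName": "WS-FIN-07", "Computer": "FILESRV-01",
                       "TargetUserName": sprayed[i % len(sprayed)],
                       "Time": base + timedelta(seconds=15 * i)})
    for i in range(3):  # 3 failures spread over 40 minutes, one account
        events.append({"EventID": 4625, "LogonType": 3, "IpAddress": "10.0.7.40",
                       "WorkstationName": "WS-OPS-03", "Computer": "FILESRV-01",
                       "TargetUserName": "m.lee",
                       "Time": base + timedelta(minutes=20 * i)})
    events.append({"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.7.40",  # eventual success
                   "WorkstationName": "WS-OPS-03", "Computer": "FILESRV-01",
                   "TargetUserName": "m.lee", "Time": base + timedelta(minutes=41)})
    return events


if __name__ == "__main__":
    for a in detect_share_bruteforce(build_sample_events()):
        print(f'{a["source"]} ({a["workstation"]}) -> {a["target"]}: '
              f'{a["failures"]} failed logons, accounts {a["accounts"]}, '
              f'{a["first"]:%H:%M:%S}-{a["last"]:%H:%M:%S}')
```

The distinct-account condition is what separates a spreading botnet from a locked-out user: the human in the sample data fails three times against one account over forty minutes and is ignored, while the workstation cycling through four accounts every fifteen seconds is reported with the time span and account list an incident responder needs to isolate it.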
Just as LockBit is the archetype of modern ransomware programs, Emotet is the archetype for botnets that function as malware delivery platforms and act as initial access providers into enterprise networks.
Drive-by downloads alive and well with SocGholish
Drive-by download is the term for malware delivered through websites rather than email.
Back in the days of browser plug-ins such as Java, Flash Player and Adobe Reader, this was a popular technique because attackers could exploit vulnerabilities in outdated versions of those plug-ins.
The method is still used, even though it now requires user interaction and a bit of social engineering.
SocGholish is a remote access Trojan (RAT) that's used as a malware loader.
It's typically distributed via fake pop-ups about critical browser updates that are displayed on compromised websites or through malicious ads.
"SocGholish is simple, but its use of social engineering and target fingerprinting is effective enough to have compromised high profile companies and even critical infrastructure," the Malwarebytes researchers warn. "Its end goal is delivering ransomware, and it’s a threat to treat with respect.”
Android droppers target mobile fleets
With mobile devices representing a large percentage of any company's fleet of devices, Android threats should not be neglected. Android droppers are Trojan programs that usually masquerade as legitimate applications or free versions of paid apps and are distributed through third-party app stores and websites users might visit.
In general, they're not as easy to install as malware on Windows, because users need to change the default security settings and ignore warnings, but there have been cases of malicious apps being discovered on the official Google Play store.
These droppers can be used to deploy other threats such as hidden ads, banking Trojans and apps that steal passwords, emails, record audio and take pictures.
"In 2022, droppers accounted for 14% of detections on Android," Malwarebytes said. "Other malware is more widespread, but droppers pose the greatest danger to organisations."
Adware is the most prevalent threat on Macs
Compared to Windows, the macOS malware ecosystem is much smaller, but threats do exist. One of the most prevalent types is adware: applications that inject unwanted ads. One of the oldest such programs on macOS is called Genio and is used to hijack browser searches.
Like Android droppers, most macOS adware, and macOS malware in general, is distributed as fake applications or updates. Genio used to masquerade as Flash Player updates or came bundled with video codecs; these days it poses as a PDF reader or video converter app.
Once deployed, Genio can be very hard to remove because it is very aggressive in hiding itself. It imitates system files and files belonging to other applications and uses code obfuscation.
It injects libraries into other processes, exploits system flaws to grant itself permissions, installs browser extensions without consent, and manipulates users' password keychains.
"Though classified as adware, Genio has deployed an array of malware-like behaviors to dig further into the computers it’s installed on, piercing defenses and compromising security in the name of making itself extremely difficult to remove," the Malwarebytes researchers said about this threat that accounted for one in ten threat detections on macOS last year.