The Avast Q4/2023 Threat Report chronicles a record year of attacks, highlighted by the revival of Qakbot, a surge in PDF-based social engineering, and growing activity across adware, information stealers, ransomware, and mobile threats. It also covers notable campaigns such as Lumma’s abuse of Google OAuth cookies, the DDosia botnet, and law-enforcement actions against BlackCat and the release of Babuk decryptors. #Qakbot #AgentTesla #Lumma #DDosia #BlackCat #Chameleon
Key points
- PDF Threat Landscape dominates: social engineering via PDFs (phishing, scams) delivering payloads such as AgentTesla, with 10M+ PDF attacks blocked and 4M+ users protected.
- Q4/2023 saw Qakbot rebound and overlap with Pikabot, with Qakbot adopting 64‑bit architecture and AES for strings.
- Info-stealers pivot to abuse Google OAuth cookies using the MultiLogin API, expanding capabilities of Lumma, Rhadamanthys, and others.
- Adware remains active, switching DNS records to evade blocking, with a large share of unknown strains; the top adware DNS domains are identified (e.g., agriculturalpraise[.]com, formationwallet[.]com).
- Botnets and RATs evolve: Qakbot resurgence, Twizt payloads including VNC brute‑force, and new/returning RATs like Krasue and SugarGh0st; Lazarus expands ISO+LNK loaders and new Dlang-based RATs.
- Ransomware activity persists with LockBit and ALPHV/BlackCat disruptions; Enigma shows a significant jump, and BlackCat’s site was seized by authorities.
- Mobile threats rise, notably Chameleon re‑emergence, SpyLoans on PlayStore, Xamalicious spyware, and WhatsApp/Telegram spyware mods.
MITRE Techniques
- [T1566] Phishing – Social engineering drives PDF threat campaigns and scam delivery. “Social engineering is always present in the work of cyberthreats, and we can analyze the typical behaviors used to fool users.”
- [T1059.007] VBScript – Infection chains in regional APT campaigns include VBScript, BAT files, AutoIT scripts leading to backdoors. “infection chain … including VBScript, BAT files, AutoIT scripts, and eventually leading to the deployment of a custom backdoor.”
- [T1059.001] PowerShell – PowerShell is used in infection workflows and to download payloads; spear‑phishing often accompanies it. “spyware, PowerShell and .NET stealers, and spear-phishing as an infection vector.”
- [T1574.001] DLL Side-Loading – MustangPanda and others frequently sideload by abusing legitimate software processes to load malware. “the frequent use of sideloading, a method where they load malware by exploiting legitimate software processes.”
- [T1105] Ingress Tool Transfer – Payloads downloaded from legitimate infrastructure via PowerShell or similar, as observed in campaigns. “PowerShell to download two payloads from legitimate infrastructure.”
- [T1572] DNS Tunneling / Protocol Tunneling – DNS-based threats use DNS tunneling and rogue DNS servers to hide C2. “DNS-based threats … DNS tunneling, DNS cache poisoning, DNS fast fluxing, or using rogue/malicious DNS servers.”
Indicators of Compromise
- [Domain] Adware DNS domains – agriculturalpraise[.]com, formationwallet[.]com, plundertentative[.]com, supportedbushesimpenetrable[.]com, nutsmargaret[.]com, facilitypestilent[.]com, suchbasementdarn[.]com, usetalentedpunk[.]com – adware DNS switching used to obfuscate C2 and traffic.
- [Domain] Adware strain shares (no further domains are given) – 54% unknown strains; SocialBar 38%; DealPly 2%; Neoreklami 1%.
- [URL] Google endpoint referenced in the MultiLogin authentication-cookie recovery abuse – http://g.co/mydevices (and the associated MultiLogin API endpoint).
Read more: https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/