Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over

In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before, among them the March 2023 attempt to take down unlicensed versions of the commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike. In the cases of Cobalt Strike and QakBot, the law enforcement operations had a significant short-term impact: malicious activity linked with the two tools dropped drastically in the month following each operation. However, according to Recorded Future's observations, malicious activity linked with both tools quickly started growing again.

The use of 'cracked' versions of Cobalt Strike returned to previous levels within a month of the takedown, because the criminals using the affected software could simply set up new infrastructure once the initial takedown had occurred. The resurgence of QakBot, however, has been limited, and criminals had to find new ways of using the malware, such as returning to older versions or crafting updated ones.

As for Emotet, Recorded Future observed that the malware disappeared and returned multiple times between the initial takedown action in 2021 and 2023. Emotet operations after the takedown were also affected by Microsoft disabling VBA macros in documents in July 2022, since these macros were a primary initial access vector for Emotet. In May 2023, the Emotet operations tracked by Recorded Future disappeared. They resurfaced briefly a few weeks later before another lengthy and possibly final disappearance. At the time of writing, Emotet activity has shown no signs of resurgence.

Analyst Comments:
Recorded Future concludes that broad-scale infrastructure takedowns hinder purely criminal malware such as QakBot and Emotet at the tactical level. At the strategic level, however, cybercriminals who are not apprehended easily shift to other intrusion tools. In 2023, 36,022 malicious servers were detected, more than double the 2022 count of 17,233. Despite the partial takedown of Cobalt Strike, it remained the top offensive tool, with QakBot and Emotet ranking among the leading botnets. The report also ranks the top 20 remote access Trojans (RATs), emphasizing that threat actors focus on blending in with legitimate traffic rather than on being undetectable. Notably, RedLine Stealer and Raccoon Stealer dominated the infostealer landscape.

Suggested Corrections:
To help safeguard systems, we advise the following:

  • Keep systems and software up-to-date and maintain a reliable and tested backup method.
  • Threat actors often exploit exposed perimeter servers, including those used for remote access, to gain initial access to a target's network. If remote access solutions are crucial to daily operations, implement multi-factor authentication for all remote access services (such as Citrix or RDP).

The full PDF report from Recorded Future is available here: