In the usual cat-and-mouse game with defenders, the second half of 2024 has seen cybercriminals keeping busy, finding security loopholes and innovative ways to expand their victim pool. As a result, we’ve seen new attack vectors and social engineering methods, new threats skyrocketing in our telemetry, and takedown operations leading to shake-ups of established cybercriminal ranks.

Infostealers are one of the threat categories to experience a reshuffle, with the long-dominant Agent Tesla malware dethroned by Formbook – a well-established threat designed to steal a wide variety of sensitive data. Despite being around for almost a decade, Formbook continues to attract a wide criminal user base thanks to its malware-as-a-service (MaaS) model and continuous development.

Lumma Stealer, a newer addition to the infostealer scene, and another MaaS, is becoming increasingly sought after by cybercriminals: appearing in several notable malicious campaigns in H2 2024, it saw its detections in ESET telemetry shoot up almost 400% between reporting periods. RedLine Stealer, another notorious “infostealer as a service”, met a very different fate: after a takedown by international authorities in October 2024, RedLine Stealer appears to have reached the end of its line. We can, however, expect that its demise will lead to the expansion of other similar threats, eager to fill its place.

Unsurprisingly, with cryptocurrencies reaching record values in H2 2024, cryptocurrency wallet data was one of the prime targets of malicious actors. In our telemetry, this was reflected in a rise in cryptostealer detections across multiple platforms. Curiously, the increase was the most dramatic on macOS, where so-called Password Stealing Ware – heavily targeting cryptocurrency wallet credentials – more than doubled compared to H1. Further, Android financial threats, targeting banking apps as well as cryptocurrency wallets, grew by 20%.

Android and iOS users alike should be on the lookout for a novel attack vector, caught in the wild and analyzed by ESET researchers in H2 2024. In these attacks, cybercriminals have leveraged Progressive Web App (PWA) and WebAPK technologies to bypass traditional security measures tied to mobile apps. Since neither PWAs nor WebAPKs require users to grant explicit permissions to install apps from unknown sources, mobile users may end up unwittingly installing malicious apps that steal banking credentials. And unless there’s a change in how mobile platforms approach these technologies, we anticipate that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge.

Social media waters have become even more murky recently, with a flood of new scams cropping up, using deepfake videos and company-branded posts to lure victims into fraudulent investment schemes. These scams, tracked by ESET as HTML/Nomani, saw a 335% increase in detections between reporting periods, and we don’t expect their growth to slow down.

H2 2024 also gave rise to a new scam targeting users of popular accommodation booking platforms, such as Booking.com and Airbnb. Using a toolkit named Telekopye, originally developed to defraud people on online marketplaces, the scammers use compromised accounts of legitimate accommodation providers to single out people who have recently booked a stay, then target them with fraudulent payment pages.

The ransomware landscape was reshaped by the takedown of former leader LockBit, creating a vacuum to be filled by other actors. RansomHub, a ransomware-as-a-service first spotted in H1 2024, stacked up hundreds of victims by the end of H2 2024, establishing itself as the newly dominant player.

I wish you an insightful read.
