Malware Removal Shows Progress, But Fight Against Cybercrime Is Not Over


According to threat intelligence provider Recorded Future, law enforcement’s removal of malicious infrastructure has been shown to have an impact, albeit limited, on cybercriminal activity.

In its Adversary Infrastructure Report 2023, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or earlier:

  • The takedown of Emotet, led by Europol and Eurojust in 2021
  • The March 2023 attempt to remove unlicensed versions of the commercial red team product Cobalt Strike, a joint operation between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the company that owns the proprietary Cobalt Strike software
  • The takedown of QakBot, run by the FBI in August 2023

In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant short-term impact and malicious activity related to both tools dropped drastically in the month following the operation.

However, malicious activity related to both tools quickly began to grow again according to Recorded Future’s observations.

Use of “cracked” versions of Cobalt Strike returned to previous levels within a month, because criminals whose software was affected by the takedown effort were able to simply set up new infrastructure after the initial takedown.

QakBot’s resurgence has been limited, however, and criminals have had to find new ways to use the malware, such as rolling back to older versions or creating updated versions.

As for Emotet, Recorded Future observed that the malware disappeared and reappeared several times between the initial takedown action in 2021 and 2023.

Emotet’s post-takedown operations were also affected by Microsoft’s disabling of VBA macros in Office documents in July 2022; these macros were the primary initial access vector for Emotet.

In May 2023, the Emotet operations tracked by Recorded Future disappeared. These operations resurfaced briefly a few weeks later before another long and perhaps permanent disappearance. Emotet activity has shown no signs of resurgence as of this writing.

“The dismantling of Emotet is an example of an attempt to dismantle a very well-organized and well-constructed command and control (C2) network, with built-in resilience, that was still capable of functioning after dismantling,” the report reads.

“The ultimate effectiveness of the takedown was likely due to the friction the takedown efforts created on the malware’s operators, which, combined with other factors, ultimately led to its demise.”

Takedowns Add Friction to Malware Operations

Recorded Future researchers concluded that for purely criminal malware, such as QakBot and Emotet, large-scale infrastructure takedowns have a significant effect “at least at the tactical level, as operations are immediately hampered.”

However, they also emphasized that, strategically, cybercriminals who are not stopped can easily use other intrusion tools and techniques.


Takedowns cannot be seen as a one-size-fits-all solution to cybercrime and malware operations, they concluded.

Therefore, law enforcement should continue to steadily dismantle infrastructure, while exploring other options to make the work of cybercriminals more difficult.

Additionally, Recorded Future observed that cybercriminals were increasingly developing new ways of working without being detected.

On the one hand, Russian state-sponsored actors tend to add legitimate Internet services to their repertoire and update their C2 infrastructure at a rapid pace, making weekly or even daily changes.

On the other hand, China-affiliated actors are increasingly using and sharing anonymization networks consisting of compromised Internet of Things (IoT) systems, routers, and other devices.

Twice as many malicious servers used in 2023

Recorded Future detected 36,022 malicious servers in 2023, more than twice as many as in 2022, when 17,233 malicious servers were identified.

Cobalt Strike was the top offensive security tool used by cybercriminals, despite its partial removal, and QakBot and Emotet ranked among the top four botnets used for nefarious purposes.


The report also ranked the 20 most used remote access trojans (RATs), with the top five consisting of two open source tools, AsyncRAT and Quasar RAT, and three well-established tools, PlugX, ShadowPad and DarkComet.

According to Recorded Future researchers, this shows that “threat actors are more concerned with blending in and being unattributable rather than being undetectable, or have simply determined that their targets are not likely to detect even these well-known tools.”

Finally, Recorded Future noted that while many infostealers have been used by cybercriminals over the past year, RedLine Stealer and Raccoon Stealer clearly dominate the scene.
