As the new year kicks off, it’s time to take a retrospective look at the past year’s malware landscape. Let’s see what the top malware families, Types, Tactics, Techniques, and Procedures (TTPs) used by attackers in 2023 can tell us about what to expect in 2024.
Data source and methodology
We utilized data from ANY to gain insights into the cybersecurity threats of 2023. ANY.RUN, a malware analysis sandbox. This service analyzes thousands of files and links users submit worldwide, providing valuable information on emerging and persistent threats.
In Q4 2023 alone, ANY.RUN analyzed over 748,000 files and links, identifying over 210 million indicators of compromise (IOCs).
Try ANY.RUN Yourself with a 14-day Free Trial
More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..
Top Malware Types in 2023
In 2023, ANY.RUN detected most malware as three different types, with loaders leading the way and stealers and RATs following.
Loaders, the gateway for more sophisticated malware, remained a significant threat throughout the year.
Their primary function is to download and install malicious payloads onto infected systems, often opening the door for further attacks. The increasing accessibility of loaders and the decreasing price tag will likely make them a persistent threat in 2024.
In a notable development, stealers, which focus on stealing financial information and personal data, became the second most prevalent malware type in 2023 despite significantly surging in Q4 with 6,662 detections.
They are poised to remain a major concern in 2024, particularly as cybercriminals seek to exploit the growing reliance on online banking and e-commerce.
RATs, which grant attackers remote access to and control of infected devices, remained the most versatile type of malware, capable of various malicious activities, from data theft to espionage.
Despite earning their spot as the most common malware type in Q2, they only became #3 in 2023. RATs are expected to become more prevalent in 2024 as attackers continue to exploit their effectiveness for various malicious purposes.
Top Malware Families in 2023
Four of the top five malware families in 2023 were remote access Trojans (RATs), largely dominating the malware family landscape.
Remcos (1,385 detections in Q1) and AgentTesla (1,769 detections in Q4) were the two most prevalent examples, closely followed by NjRAT and AsyncRAT.
The popularity of the first two can be attributed to several factors, including ongoing developer support, affordable pricing, and a diverse range of malicious capabilities.
Having been in operation for over 8 years, Remcos and AgentTesla are positioned to remain significant threats in 2024.
However, the title of most popular malicious software of the year went to the Redline stealer, with the largest number of instances detected by ANY.RUN in Q2.
Operable on a malware-as-a-service (MaaS) model, Redline’s ease of use and affordable subscription make it a preferred choice for cybercriminals worldwide.
Its extensive arsenal, including data theft, keylogging, file exfiltration, and loader functionalities, ensures its continued prominence in 2024.
Top MITRE ATT&CK TTPs in 2023
In Q4, ANY.RUN discovered the use of T1036.005 in over 98,500 malicious samples.
Attackers frequently mimic legitimate file names to appear trustworthy and avoid detection. Due to its effectiveness and ease of use, it will likely remain prevalent in 2024.
T1218.011 is another popular TTP that exploits Rundll32, a legitimate Windows DLL, to execute malicious code, allowing attackers to bypass security measures that typically protect against unsigned code execution. Since it remains a reliable method for executing malicious code without triggering security alerts, it will retain popularity in 2024.
Ranking third with 20,097 detections in Q4, T1059.003 is based on the abuse of the Windows Command Shell to execute commands and scripts on compromised systems.
It is often used to install malware, steal data, and escalate privileges. Its versatility will likely help it sustain its position as a top TTP in 2024.
T1036.003 deserves special attention because, despite coming in sixth place overall, it became a crucial TTP that attackers used in Q3 and Q4 of 2023.
This technique allows attackers to bypass security solutions by renaming system utilities. Having gained traction for the past two quarters, T1036.003 stands a good chance of maintaining its popularity in the early stages of 2024.
Try ANY.RUN for free
More than 300,000 analysts use ANY.RUN, a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior.
Try all features of ANY.RUN at zero cost for 14 days with a free trial.