Malware Trends: April - June 2024

Across the board increase in malware activity in 2Q 2024

The April - June 2024 period was a busy one for malware actors. Sites reported for hosting endpoint malware and IoT malware more than doubled (rising to 227% and 235% of the prior quarter's counts, respectively). We again identified more than 1 million unique IPv4 addresses as sources of malicious traffic (attackware and traffic injectors). The number of unique domain names used to host malware dropped, but this had no impact on overall malware activity. Visit Malware Activity: Key Statistics: April - June 2024.

Endpoint Malware

For April - June 2024, we identified 71,539 sites hosting endpoint malware, up from 31,506 in the prior quarter.

Gafgyt and Remcos were the most reported backdoors (RATs), as they have been over the past 366 days.

FormBook passed the Qakbot and Hook families to become the most reported infostealer. The Tesla infostealer family has persistently held the number two infostealer spot.

The loader category has been “competitive”, with six loader families trading the first and second spots over the past 366 days.

Malware is increasingly “Powered by WordPress”

WordPress blog sites used to serve malware accounted for nearly all of the ~14,000 malicious documents reported this period. This malware typically adds malicious redirects or spam links pointing to illegal pharma sites, or links to a drive-by malware executable.
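The three injection styles named above (hidden spam links to off-site pharma hosts, redirects to a drive-by host, and an obfuscated PHP loader that fetches the payload) are easy to spot in a theme or plugin file once you know the shapes. The scanner below is an added example written for this page, not code from the report or from any WordPress project; the regex rules, the site hostname and the sample "footer.php" (built inline from harmless strings) are assumptions made for the illustration. A real sweep would walk wp-content/ and compare against the vendor's pristine copies as well.

```python
"""
Scan a WordPress theme/plugin file for common injection patterns:
hidden off-site spam links, JavaScript/meta redirects to external hosts,
and eval(base64_decode(...))-style obfuscated PHP loaders.
Rules, hostname and sample file are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


# Hostname of the site being scanned (assumed); links to it are legitimate.
SITE_HOST = "example-blog.test"

# (rule name, regex). Group 1, where present, is a URL that must be off-site to count.
RULES = [
    # <div style="display:none"> ... <a href="http://host/...">  : hidden SEO-spam link
    ("hidden_spam_link",
     re.compile(r'display\s*:\s*none.*?<a\s[^>]*href=["\'](https?://[^"\']+)', re.I)),
    # window.location(.href) = "http://host/..."  or  location.replace("http://host/...")
    ("js_redirect",
     re.compile(r'(?:window\.)?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*["\'](https?://[^"\']+)', re.I)),
    # <meta http-equiv="refresh" content="0;url=http://host/...">
    ("meta_refresh_redirect",
     re.compile(r'http-equiv=["\']refresh["\'][^>]*url=(https?://[^"\'>\s]+)', re.I)),
    # eval(base64_decode(...)) / eval(gzinflate(...)) : classic obfuscated PHP loader
    ("obfuscated_php_eval",
     re.compile(r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
]

# Constructed sample of a tampered theme footer (harmless strings, not real malware).
# Line 8 is a hidden link to the site itself and must NOT be flagged; lines 9, 10 and 13 must.
SAMPLE_PHP = """<?php
/**
 * Theme footer (constructed sample for the example, not a real theme file)
 */
?>
<footer>
  <p>&copy; 2024 Example Blog <a href="https://example-blog.test/about">About</a></p>
  <div style="display:none"><a href="https://example-blog.test/skip">Skip to content</a></div>
  <div style="display:none"><a href="http://pharma-example.test/buy-cheap-pills">cheap pills online</a></div>
  <script>if(document.referrer.indexOf("google")!=-1){window.location.href="http://redirect-example.test/go";}</script>
</footer>
<?php
@eval(base64_decode("ZWNobyAnaGVsbG8nOw=="));
?>
"""


def is_external(url: str, site_host: str) -> bool:
    """True when the URL's host is neither the site nor one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    site = site_host.lower()
    return host != "" and host != site and not host.endswith("." + site)


def scan_source(source: str, site_host: str) -> list[Finding]:
    """Return one Finding per (rule, line) hit; link/redirect rules only fire off-site."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if m.groups() and not is_external(m.group(1), site_host):
                continue  # same-site link or redirect: normal theme behaviour
            findings.append(Finding(name, lineno, line.strip()[:80]))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP, SITE_HOST):
        print(f"line {f.line:>3}  {f.rule:<22} {f.snippet}")
```

The off-site check matters: hiding a same-site link (skip links, accessibility text) is ordinary theme behaviour, and a rule that fires on every display:none anchor drowns the real pharma injections in noise. Conversely the eval rule has no URL to test, because an obfuscated loader is suspicious wherever it points.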

We also saw an uptick in malicious scripts: over 39,000 reports during this period, more than triple the number from the prior quarter. Many scripts, or derivatives of scripts, are reported, but few carry sufficient metadata to classify them by family name.

Attackware and Traffic Injectors

IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors exceeded 1 million… again!

Over 70% of the 1 million IPv4 addresses were malicious IP traffic sources. ~145 of these were classified as attackware or traffic injectors.

Increases in attackware are an indicator that attackers are scanning for opportunities to disrupt or break into targeted systems or services.

The increase in traffic injector reports shows that attacks against web sites that use PHP or HTTP, and against web forums whose comments contain inappropriate or malicious content, continue to be a major threat.
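Both behaviours described above (attackware probing a site for weak points, traffic injectors hammering a comment endpoint) leave distinct shapes in an ordinary web server access log: a scanner touches many different paths and collects mostly 404s, an injector POSTs to the comment handler repeatedly without ever fetching the pages it comments on. The classifier below is an added example written for this page, not code from the report or from any detection product; the log lines (combined log format, documentation IP ranges), the comment endpoint list and the thresholds are all assumptions chosen for the illustration.

```python
"""
Classify source IPs in a web access log as attackware (scanning) or
traffic injectors (comment spam) from request patterns alone.
Log sample, endpoint list and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined/common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed tuning: a scanner hits many distinct paths with a high error ratio;
# an injector POSTs to the comment handler repeatedly while fetching no content.
SCAN_MIN_DISTINCT_PATHS = 5
SCAN_MIN_ERROR_RATIO = 0.5
COMMENT_ENDPOINTS = ("/wp-comments-post.php",)   # assumed; extend for other forum software
INJECT_MIN_POSTS = 3

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1520
203.0.113.7 - - [05/May/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 250
203.0.113.7 - - [05/May/2024:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.7 - - [05/May/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [05/May/2024:10:00:05 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 162
203.0.113.7 - - [05/May/2024:10:00:06 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162
198.51.100.9 - - [05/May/2024:10:05:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.9 - - [05/May/2024:10:05:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.9 - - [05/May/2024:10:05:20 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.9 - - [05/May/2024:10:05:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.9 - - [05/May/2024:10:05:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
192.0.2.44 - - [05/May/2024:10:06:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 8042
192.0.2.44 - - [05/May/2024:10:06:05 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 3100
192.0.2.44 - - [05/May/2024:10:06:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "method": m["method"],
                           "path": m["path"], "status": int(m["status"])})
    return events


def classify_sources(events: list[dict]) -> dict[str, list[str]]:
    """Return {ip: [labels]}; an empty list means the source looks like a normal visitor."""
    stats = defaultdict(lambda: {"reqs": 0, "errors": 0, "paths": set(),
                                 "comment_posts": 0, "content_gets": 0})
    for e in events:
        s = stats[e["ip"]]
        s["reqs"] += 1
        s["paths"].add(e["path"])
        if e["status"] >= 400:
            s["errors"] += 1
        if e["method"] == "POST" and urlparse(e["path"]).path in COMMENT_ENDPOINTS:
            s["comment_posts"] += 1
        elif e["method"] == "GET" and e["status"] == 200:
            s["content_gets"] += 1

    verdicts = {}
    for ip, s in stats.items():
        labels = []
        if (len(s["paths"]) >= SCAN_MIN_DISTINCT_PATHS
                and s["errors"] / s["reqs"] >= SCAN_MIN_ERROR_RATIO):
            labels.append("attackware_scanner")
        # A human comments after reading; a bot that only POSTs never fetched the page.
        if s["comment_posts"] >= INJECT_MIN_POSTS and s["comment_posts"] > s["content_gets"]:
            labels.append("traffic_injector")
        verdicts[ip] = labels
    return verdicts


if __name__ == "__main__":
    for ip, labels in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:<15} {', '.join(labels) or 'normal'}")
```

The two signals are deliberately independent, so a host that both probes for plugin files and spams the comment form earns both labels. Thresholds this low are fine for a demonstration; on a busy site, raise the distinct-path floor and evaluate per time window rather than over the whole log, or a legitimate crawler fetching stale links will trip the scanner rule.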

Malware Hosting

We again identified over 1M addresses reported for hosting malware. Bharat Sanchar Nigam, China UNICOM China 169, and Chinanet Telecom occupy the three top spots in our Malware Activity in Hosting Networks (ASNs) for April - June 2024.

These ASNs have occupied the top spots in every quarterly period since July 2023. After holding second for most of the past year, Bharat Sanchar Nigam recently unseated Chinanet Telecom as the king of the malware hosting hill. This is not a title an operator can be proud of.

IoT Malware

Nearly all of the approximately 100,000 reports of hosted IoT malware were identified as Mozi.

The majority of IPv4 addresses associated with IoT Malware were geolocated in China and India.

China and India greatly outdistanced the United States (2,343), the United Kingdom (1,378) and the Russian Federation (762), which rounded out the top five.

Hosting networks that complete the top 20 can be found at Malware Activity in Hosting Networks (ASNs) April 1, 2024 - June 30, 2024.

Figure: Maps of China and India with IoT malware counts (map sources: https://freevectormaps.com/china/CN-EPS-02-4002?ref=atr and https://freevectormaps.com/india/IN-EPS-02-4001?ref=atr).