Takedown of malware infrastructure by law enforcement has proven to have an impact, albeit limited, on cybercriminal activity, according to threat intelligence provider Recorded Future.
In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before:
- The Emotet takedown, led by Europol and Eurojust in 2021
- The March 2023 attempt to take down unlicensed versions of commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike
- The QakBot takedown, led by the FBI in August 2023
In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant short-term impact: malicious activity linked with the two tools dropped drastically in the month following each operation.
However, according to Recorded Future’s observations, malicious activity linked with both tools quickly started growing again.
The use of ‘cracked’ versions of Cobalt Strike returned to previous levels within a month, because the criminals whose software was affected by the takedown could simply set up new infrastructure once the initial takedown had occurred.
The resurgence of QakBot, however, has been limited, and criminals had to find new ways of keeping the malware in use, such as returning to older versions or crafting updated ones.
As for Emotet, Recorded Future observed that the malware disappeared and returned multiple times between the initial takedown action in 2021 and 2023.
Emotet operations post-takedown were also affected by Microsoft disabling VBA macros in documents in July 2022; these macros had been a primary initial access vector for Emotet.
In May 2023, the Emotet operations tracked by Recorded Future disappeared. These operations resurfaced briefly a few weeks later before another lengthy and possibly final disappearance. Emotet activity has not shown signs of resurgence at the time of writing.
“The Emotet takedown is an example of an attempted takedown of a very well-organized and well-constructed command and control (C2) network with built-in resilience, which was still able to operate post-takedown,” reads the report.
“The ultimate effectiveness of the takedown was likely due to the friction created by the takedown effort on the malware operators, which, combined with other factors, led to its eventual demise.”
Takedowns Add Friction to Malware Operations
The Recorded Future researchers concluded that for purely criminal malware, such as QakBot and Emotet, broad-scale infrastructure takedowns have a significant effect “on at least the tactical level, as operations are immediately hindered.”
However, they also insisted that, on a strategic level, cybercriminals who are not taken into custody can easily move on to using other intrusion tools and techniques.
Takedowns cannot be viewed as a singular solution for cybercrime and malware operations, they concluded.
Therefore, law enforcement agencies should continue infrastructure takedowns on a regular basis, while exploring other options to make cybercriminals’ work more difficult.
Additionally, Recorded Future observed that cybercriminals were increasingly developing new ways to work undetected.
On the one hand, Russian state-sponsored actors tend to add legitimate internet services to their repertoire and update their C2 infrastructure with a rapid cadence, making changes weekly or even daily.
On the other, China-affiliated actors are increasingly using – and sharing – anonymization networks constructed of compromised Internet of Things (IoT) systems, routers, and other devices.
Twice As Many Malicious Servers Used in 2023
Recorded Future detected 36,022 malicious servers in 2023, more than twice as many as in 2022, when 17,233 malicious servers were identified.
Cobalt Strike was the top offensive security tool used by cybercriminals, despite its partial takedown, and QakBot and Emotet ranked among the top four botnets used for nefarious motives.
The report also ranked the 20 most used remote access Trojans (RATs); the top five comprised two open-source tools, AsyncRAT and Quasar RAT, and three well-established tools, PlugX, ShadowPad, and DarkComet.
According to the Recorded Future researchers, this shows that “threat actors are more concerned with blending in and being non-attributable rather than being undetectable, or have simply determined that their targets are not likely to detect even these well-known tools.”
Finally, Recorded Future noticed that, while many infostealers have been used by cybercriminals over the past year, RedLine Stealer and Raccoon Stealer have clearly been dominating the scene.