Brian Sims
Editor

Darktrace reports continued rise in Malware-as-a-Service threats

Darktrace – the specialist in Artificial Intelligence (AI) for cyber security – has revealed the findings of its 2024 Annual Threat Report, one of which notes that Malware-as-a-Service (MaaS) is now responsible for more than half (57%, in fact) of all cyber threats posed to today’s organisations. This marks the continued growth of Cybercrime-as-a-Service (CaaS) models.

These insights – observed by Darktrace's threat research team using Self-Learning AI across its database of nearly 10,000 customers spanning all major industries globally – detail a shifting threat landscape that continues to grow in complexity and is marked by the rising sophistication of common threats.

Cybercrime-as-a-Service: threats persist

The persistence of CaaS models, particularly Ransomware-as-a-Service (RaaS) and MaaS, is growing rapidly as less experienced threat actors gain access to new tools to carry out disruptive attacks.

According to the Darktrace report, the use of MaaS tools rose by 17% in the latter half of 2024, from 40% of the campaign activity identified by the threat research team in the first six months to 57%.

The use of remote access trojans also saw a significant increase in the latter half of the year, representing 46% of campaign activity identified, compared to only 12% in the first half. Remote access trojans allow an attacker to remotely control an infected device, enabling them to conduct further malicious activity such as data exfiltration, credential theft or surveillance. This underscores the rising complexity and increased risk of day-to-day threats.

Darktrace’s threat research team tracked several ransomware threats impacting customers, from novel strains like Lynx to re-emerging threats including Akira, RansomHub, Black Basta, Fog and Qilin. While these groups have frequently been observed using phishing as an attack vector, there has also been a shift towards more sophisticated techniques.

The latter include the use of legitimate tools like AnyDesk and Atera to mask Command and Control (C2) communications, Living off the Land (LOTL) techniques for lateral movement, data exfiltration to commonly used cloud storage services and the use of file transfer technology for rapid exploitation and double extortion methods.

Inboxes under siege

Phishing remains attackers’ preferred technique, with over 30.4 million phishing e-mails detected across Darktrace’s customer fleet between December 2023 and December 2024. The techniques observed highlight how threat actors continue to craft more targeted and sophisticated e-mails to improve the success of their campaigns.

Of all the phishing e-mails detected in 2024:

* 38% were spear phishing attempts (tailored attacks on high-value individuals)

* 32% used novel social engineering techniques like QR codes and AI-generated text

* 70% passed the widely used DMARC (Domain-based Message Authentication, Reporting and Conformance) checks

* 55% passed through all existing security layers before Darktrace detection

Darktrace also observed an increase in threat actors abusing third-party services upon which employees rely (such as Zoom Docs, QuickBooks, HelloSign, Adobe and Microsoft SharePoint) in order to send phishing e-mails. By leveraging trusted platforms and domains, malicious actors can bypass traditional security measures and increase the likelihood of their phishing attempts succeeding. These efforts highlight precisely how threat actors continually adapt and evolve to keep pace with the emergence of new technologies that represent different avenues to exploit.

Nathaniel Jones, vice-president of threat research at Darktrace, commented: “E-mail is at the forefront of the evolving threats we’re seeing across the threat landscape. Ransomware-as-a-Service tools, combined with the growing use of AI, are allowing even low-skilled attackers to engineer and launch convincing and targeted e-mail attacks at scale, while also making it harder than ever for traditional security measures to keep up.”

Evading detection via edge device vulnerabilities

Threat actors are increasingly focused on evading detection rather than causing disruption, often leveraging vulnerabilities in edge, perimeter or Internet-facing devices to gain initial access to networks and then using LOTL techniques (i.e. the malicious use of legitimate tools already present on a system) to remain undetected.

The most significant campaigns observed in 2024 involved the ongoing exploitation of vulnerabilities in edge and perimeter network technologies, with 40% of identified campaign activity in the first half of the year involving the exploitation of Internet-facing devices.

Darktrace detected anomalous malicious activity on Palo Alto Networks firewall devices in customer networks as early as 26 March, 17 days prior to public disclosure on 12 April; that activity is now recognised as evidence of PAN-OS exploitation.

In addition to exploiting vulnerabilities, Darktrace has also observed threat actors increasingly using stolen credentials to log into remote network access solutions like VPNs in order to gain initial access to networks. Following initial access, threat actors use legitimate tools and processes already present on compromised systems to achieve their goals while remaining undetected.

Many traditional tools struggle to identify and stop these attacks, because differentiating between legitimate use by administrators and malicious use by attackers is challenging without an established baseline of normal user behaviour. While often used by more sophisticated actors like Advanced Persistent Threats (APTs), smaller criminal enterprises also benefit from exploiting native tools, saving time and money by avoiding the need for custom malware development that might be blocked by traditional security tools once indicators of compromise are published.
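The baselining idea in the paragraph above, as an added illustration that is not Darktrace's code or from the report: a per-user baseline of which native tools are run from which hosts is learned from a set of process-execution records, and later executions that fall outside it are flagged. The same tool can be routine for one user and anomalous for another, which is what a signature on the tool alone cannot express. Users, hostnames and records are all constructed for this example.

```python
"""Baseline-based detection of anomalous use of legitimate admin tools."""
from collections import defaultdict

# Constructed learning-period records: (user, host, tool executed)
BASELINE_LOG = [
    ("admin_jo", "mgmt01", "powershell.exe"),
    ("admin_jo", "mgmt01", "psexec.exe"),
    ("admin_jo", "mgmt02", "powershell.exe"),
    ("finance_ann", "fin-pc07", "excel.exe"),
    ("finance_ann", "fin-pc07", "outlook.exe"),
]

# Constructed later events to evaluate against the baseline
NEW_EVENTS = [
    ("admin_jo", "mgmt02", "psexec.exe"),          # known tool, known host
    ("finance_ann", "fin-pc07", "powershell.exe"),  # tool never seen for user
    ("finance_ann", "mgmt01", "excel.exe"),         # known tool, unknown host
]


def build_baseline(records):
    """Per-user sets of tools and hosts seen during the learning period."""
    tools, hosts = defaultdict(set), defaultdict(set)
    for user, host, tool in records:
        tools[user].add(tool)
        hosts[user].add(host)
    return tools, hosts


def score_event(baseline, event):
    """Return the deviation reasons for one event; empty means in-baseline."""
    tools, hosts = baseline
    user, host, tool = event
    if user not in tools:
        return ["unknown user"]
    reasons = []
    if tool not in tools[user]:
        reasons.append(f"tool {tool} never used by {user}")
    if host not in hosts[user]:
        reasons.append(f"host {host} not in {user}'s baseline")
    return reasons


def detect(records, events):
    """Return (event, reasons) for every event that deviates from baseline."""
    baseline = build_baseline(records)
    scored = [(e, score_event(baseline, e)) for e in events]
    return [(e, r) for e, r in scored if r]


if __name__ == "__main__":
    for event, reasons in detect(BASELINE_LOG, NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

In practice the learning set would come from weeks of endpoint telemetry and the baseline would need to decay and re-learn as roles change; the structure of the decision is the same.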

Increased sophistication

“The combination of CaaS, automation and AI are increasing the sophistication and diversity of attack techniques faster than ever, from AI-enhanced phishing campaigns through to evolving ransomware strains,” added Nathaniel Jones. “Detecting and responding to threats in progress is no longer sufficient. Organisations must prioritise cyber resilience by proactively addressing weaknesses across systems, people and data before attackers can exploit them.”

* Download copies of the Darktrace 2024 Annual Threat Report
