Top Spam Trends in 2023 Campaigns: Superlative Content

Mondo Technology Updated on 2024-03-04

The 2024 IBM X-Force Threat Intelligence Index shows that attackers continued to adapt how they spread malware in 2023 in order to evade detection. The good news? Security improvements, such as Microsoft's default blocking of macro execution starting in 2022 and its mid-2023 decision to prohibit OneNote from embedding files with potentially dangerous extensions, have changed the threat landscape for the better. Improved endpoint detection also appears to have forced attackers to abandon other techniques that were popular in 2022, such as the use of disk image files (e.g., ISOs) and HTML smuggling.

Of course, with these security improvements in place, attackers are forced to find other entry points into the organization, and in 2023 X-Force observed that attackers, especially initial access brokers, are increasingly turning to placing malicious links in emails to deliver subsequent payloads, or to attaching PDF files that contain malicious links. Other important observations for 2023 include:

- Among the executables used to propagate commodity malware, the use of Nullsoft Scriptable Install System (NSIS) executables and of .NET obfuscators and packers has increased.
- Zip files continued to gain prominence as the most commonly observed archive format.
- More advanced threat actors introduced new file types inside archives, such as internet shortcut (.url) files, whose overall usage increased significantly in 2023.
- Exploitation of old vulnerabilities increased, with CVE-2017-11882 the most prolific vulnerability in email campaigns.
- Increasingly complex execution chains were adopted, likely aimed at reducing detection rates and filtering out security researchers and automated sandboxes.

This article describes the high-level changes X-Force observed in threat actor email campaigns in 2023 and borrows the "senior superlative" tradition of American high schools to highlight notable activities and trends observed by X-Force over the last year, together with examples. The article concludes with a look at what to expect in 2024 and what organizations can do to detect these attacks and improve their defenses.

The X-Force Threat Intelligence Index 2023 highlighted how threat actors were forced to change tactics in 2022 when Microsoft began blocking macro execution by default in documents received via email or the internet. Although malicious Visual Basic for Applications (VBA) macros and Excel 4.0 macro (XLM) files were still observed in some campaigns in early 2023, the trend away from malicious macros has become more pronounced. Compared to the same period last year, X-Force has seen a 93% reduction in email spam containing malicious documents that exploit VBA macros, with little to no activity since the end of March, when X-Force observed their use in Emotet and Hive0133 campaigns.

Figure 1: Email volume with VBA and XLM documents in 2023. Source: X-Force

The significant reduction in the use of malicious macros is a welcome sign that certain changes to the environment can actually deny malicious actors productive opportunities. However, as discussed later in this article, when one door closes on an attacker, they try to enter through another.

As in 2022, X-Force observed Qakbot and other campaigns using HTML smuggling against victims last year. This evasion technique lets attackers use HTML5 and JavaScript running in the browser to dynamically decode or decrypt a payload embedded in the HTML and drop it onto the victim's system. While most HTML smuggling activity took place in March, activity was also observed in January, April, and May. HTML smuggling activity is down 96% year-over-year. In X-Force's assessment, this is because endpoint detection continues to improve: a browser being triggered to open a local HTML file, with no corresponding network traffic, is itself suspicious. Also, because the HTML file carries an encoded payload, it can be quite large, another opportunity to detect this activity.
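The two detection angles above (a payload assembled inside the browser with no network fetch, and an HTML file that is unusually large because it embeds an encoded blob) can be turned into a simple static triage check for HTML attachments. The following is an added example written for this page, not X-Force tooling; the API patterns, thresholds and the two fixture documents are assumptions, and the "payload" in the smuggling fixture is just an MZ prefix followed by zero bytes, not a real binary.

```python
"""Heuristic triage of an HTML email attachment for HTML-smuggling traits.

Added example (not X-Force code). It scores the traits the article describes:
browser-side decode/assemble/drop APIs, a large embedded base64 blob, and a
payload that is reconstructed without any network fetch.
"""
import base64
import re

# Browser-side APIs commonly chained to rebuild and drop a file client-side.
DROP_APIS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"\bnew\s+Blob\s*\("),
    "createObjectURL": re.compile(r"URL\.createObjectURL\s*\("),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob"),
    "anchor.download": re.compile(r"\.download\s*="),
    "auto-click": re.compile(r"\.click\s*\(\s*\)"),
}
# A run of base64 this long rarely occurs in a legitimate mail body.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")


def triage_html(html: str, size_threshold: int = 100_000) -> dict:
    """Return a verdict plus the reasons behind it (assumed thresholds)."""
    apis = [name for name, rx in DROP_APIS.items() if rx.search(html)]
    largest_blob = max((len(b) for b in BASE64_BLOB.findall(html)), default=0)
    reasons = []
    if len(apis) >= 2:
        reasons.append("client-side file-drop APIs: " + ", ".join(apis))
    if largest_blob:
        reasons.append(f"embedded base64 blob of {largest_blob} chars")
    if apis and not NETWORK_CALL.search(html):
        reasons.append("payload assembled with no network fetch at all")
    if len(html) > size_threshold:
        reasons.append(f"oversized HTML attachment ({len(html)} bytes)")
    return {
        "verdict": "suspicious" if reasons else "clean",
        "reasons": reasons,
        "drop_apis": apis,
        "largest_blob": largest_blob,
    }


# Constructed fixtures. The "payload" is 3 KB of zero bytes behind an MZ
# prefix, not a real binary; it only needs to look like an embedded file.
_DUMMY_PAYLOAD = base64.b64encode(b"MZ" + bytes(3000)).decode()
SMUGGLED_HTML = f"""<html><body><script>
var b = atob("{_DUMMY_PAYLOAD}");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: "application/octet-stream"}});
var l = document.createElement("a");
l.href = URL.createObjectURL(blob);
l.download = "invoice.exe";
document.body.appendChild(l);
l.click();
</script></body></html>"""

BENIGN_HTML = """<html><body><p>Hello,</p>
<p>Your March statement is ready. <a href="https://example.test/statements">View it online</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggled", SMUGGLED_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html(doc))
```

The check is deliberately cheap so it can run in a mail gateway on every HTML attachment; the individual API names are all legitimate web features, so it is the combination of several of them with a large blob and no network activity that justifies a verdict, not any single match.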

In early 2023, X-Force also observed multiple threat actors leveraging OneNote attachments in their campaigns, including the initial access brokers TA570 and TA577, known for delivering QakBot, and TA551, whose campaigns focused on delivering IcedID. Other groups that used OneNote attachments include Emotet and Hive0126 (which overlaps with TA581), the latter of which attempted to spread the IcedID and Bumblebee malware.

Figure 2: OneNote email volume in 2023. Source: X-Force

The short-lived but large-scale OneNote campaign launched by these threat actors took place in the first three months of the year. Notably, since March 2023, X-Force has observed very little activity using OneNote attachments. This may be because Microsoft took steps in April to block embedded files with "dangerous extensions."

In 2022, X-Force observed an increase in the use of malicious disk images (ISO, IMG) containing Windows shortcut files (LNKs) to spread malware. This changed in 2023, with the use of ISO files dropping to just 3% of container and archive deliveries, and IMG files likewise dropping to 1.39%. This may be because email detections were tuned for the previous year's threats. There is very little legitimate use of disk images in email, so they are easy to flag as suspicious.

In 2023, zip files were once again the most common archive delivery mechanism (54.07%), followed by RAR files (20.13%).

Figure 3: Top archive extensions for 2023. Source: X-Force

Windows executables make up the majority (more than 80%) of the file types found inside container or archive attachments, and are primarily used to deliver commodity stealers and RATs such as Agent Tesla, the "most common malware" observed by X-Force in 2023. To evade detection as much as possible, though, attackers have changed how they package them: X-Force found a significant increase in Nullsoft Scriptable Install System (NSIS) executables, probably because NSIS installers work as self-extracting archives and are therefore harder to scan. These installers are mostly found in 7z, RAR, and zip files, and accounted for more than 25% of executable files observed in spam emails in 2023. Another common technique is the use of .NET-based obfuscators and packers, e.g. Eazfuscator, .NET Reactor, Crypto Obfuscator, and the Roboski packer, which were used in more than 60% of executables observed by X-Force.

More advanced threat actors also turned to less common file types inside archives, such as internet shortcut (.url) files, which were used in several large campaigns, as shown in Figure 4 below, including one from HIVE0126. Overall, the use of .url files, whether in an archive, directly attached to an email, or as part of a complex execution chain, increased dramatically in 2023.

Other examples of file types used in malicious spam include various script files, such as Batch, JavaScript, Windows Script Files, or Visual Basic. X-Force has also observed the use of the .pif and .com extensions on Windows executables, which are less common but still execute automatically when opened by a Windows user.
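The archive-level observations above (risky member extensions, NSIS self-extracting installers, and .url shortcuts that point somewhere remote) lend themselves to a member-by-member triage of an attachment before it is opened. This is an added example for this page, not X-Force tooling: the extension list is taken from the article, the NSIS first-header magic (0xDEADBEEF followed by "NullsoftInst") is the public NSIS format marker, and the in-memory zip fixture, including its TEST-NET address, is constructed here.

```python
"""Triage of an archive attachment for the delivery vehicles the article names.

Added example (not X-Force code). It lists archive members, flags risky
extensions, recognises NSIS self-extracting installers by their first-header
magic, and parses .url internet shortcuts to see where they point.
"""
import configparser
import io
import os
import zipfile
from urllib.parse import urlparse

# Extensions reported in the article as spam delivery vehicles inside archives.
RISKY_EXT = {".exe", ".pif", ".com", ".lnk", ".url", ".iso", ".img",
             ".js", ".vbs", ".wsf", ".bat"}
# NSIS first header: 0xDEADBEEF (little-endian) followed by "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def inspect_url_shortcut(data: bytes) -> list[str]:
    """Parse an internet shortcut (.url is INI text) and flag its target."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
        target = cp["InternetShortcut"].get("url", "")
    except (configparser.Error, KeyError):
        return ["malformed .url file"]
    parsed = urlparse(target)
    if target.startswith("\\\\") or (parsed.scheme == "file" and parsed.netloc):
        return [f"shortcut targets a remote share: {target}"]
    if parsed.scheme in ("http", "https"):
        return [f"shortcut targets web URL: {target}"]
    return []


def triage_archive(archive: bytes) -> list[dict]:
    """Return one record per zip member with the flags raised for it."""
    results = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for info in z.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            content = z.read(info)
            flags = []
            if ext in RISKY_EXT:
                flags.append(f"risky extension {ext}")
            # Self-extracting NSIS installer: PE header plus the NSIS magic.
            if content.startswith(b"MZ") and NSIS_MAGIC in content:
                flags.append("NSIS self-extracting installer")
            if ext == ".url":
                flags.extend(inspect_url_shortcut(content))
            results.append({"name": info.filename, "size": info.file_size, "flags": flags})
    return results


def build_sample_zip() -> bytes:
    """Constructed fixture: a benign text file, a .url shortcut pointing at a
    remote share (TEST-NET address), and a fake EXE carrying the NSIS magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "Quarterly figures attached.\n")
        z.writestr("invoice.url",
                   "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.zip\r\n")
        z.writestr("setup.exe", b"MZ" + bytes(64) + NSIS_MAGIC + bytes(16))
    return buf.getvalue()


if __name__ == "__main__":
    for member in triage_archive(build_sample_zip()):
        print(member)
```

Only zip is handled because it needs no third-party library; the same member loop applies to RAR and 7z archives once a reader for those formats is available, and the NSIS and .url checks are independent of the container.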

Figure 4: The volume of emails that exploit uncommon file types in archives in 2023. Source: X-Force

With the decrease in macros, disk images, and HTML smuggled files, X-Force has observed that threat actors, including initial access brokers such as TA570, TA577, and HIVE0133, are increasingly turning to URLs placed directly in the email or in attached PDF files to deliver their malicious payloads. X-Force has also observed that Latin American distributors often use these techniques to spread banking Trojans such as Ousaban and Grandoreiro. Threat actors have likely adopted these techniques because a cyber defender or security solution is unlikely to block emails with URLs or PDF attachments at scale, given how prevalent URLs and PDF attachments are in legitimate communications. Other security researchers also spotted a trend of increased PDF usage early last year.

This dynamic forces cyber defenders to play a game of "whack-a-mole" to identify and flag or block potentially malicious URLs and PDF attachments before they can lead to dangerous infections, including ransomware attacks. X-Force has also observed threat actors distributing encrypted PDFs whose password is provided in the email body, hindering the ability to scan these PDFs for malicious URLs or other content. In other cases, threat actors have employed several evasion techniques unique to PDF files to obfuscate or otherwise hide URLs, making it more difficult to identify and extract embedded links for review and allowing them to pass security solutions. An example of TA577 activity using a malicious PDF attachment is provided in the "Most Dangerous Activity" superlative below.
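Extracting the links from a PDF attachment for review, and noticing when the file is structured so that scanning is hindered (encryption) or something fires on open, is the defender's side of the paragraph above. The following is an added example for this page, not X-Force tooling. It parses at the byte level with regular expressions, which works on malformed files without a PDF library but does not look inside compressed object streams; the fixture PDF and the example.test URLs are constructed, and the hex-encoded `/URI` string illustrates one way a link target can be written so that a naive grep for "http" misses it.

```python
r"""Static triage of a PDF attachment for link targets and scan-hindering traits.

Added example (not X-Force code). It pulls out /URI link targets, including
hex-encoded ones, and reports structures that hinder scanning or fire on open.
Regex-level parsing is deliberate: it needs no PDF library and still works on
malformed files, but it does not decompress object streams.
"""
import re

URI_LITERAL = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI (https://...)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")       # /URI <68747470...>
MARKERS = {
    b"/Encrypt": "encrypted: content cannot be scanned without the password",
    b"/OpenAction": "/OpenAction: an action runs as soon as the file opens",
    b"/JavaScript": "/JavaScript: embedded script",
    b"/Launch": "/Launch: can start an external program",
}


def triage_pdf(data: bytes) -> dict:
    """Return extracted URLs, whether the file is encrypted, and review flags."""
    urls = [m.decode("latin-1") for m in URI_LITERAL.findall(data)]
    hex_urls = []
    for h in URI_HEX.findall(data):
        h = re.sub(rb"\s", b"", h)
        if len(h) % 2:          # PDF hex strings pad an odd final digit with 0
            h += b"0"
        hex_urls.append(bytes.fromhex(h.decode()).decode("latin-1"))
    flags = [desc for marker, desc in MARKERS.items() if marker in data]
    if hex_urls:
        flags.append(f"{len(hex_urls)} hex-encoded /URI string(s) (obfuscated link)")
    return {"urls": urls + hex_urls, "encrypted": b"/Encrypt" in data, "flags": flags}


# Constructed fixture: a link annotation with a literal URI, an open-action
# whose URI is hex-encoded, and a trailer declaring encryption.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 200 80]
  /A << /S /URI /URI (https://example.test/invoice) >> >> endobj
5 0 obj << /S /URI /URI <68747470733a2f2f6578616d706c652e746573742f68696464656e> >> endobj
trailer << /Root 1 0 R /Encrypt 6 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

When the file is encrypted the dictionary keys such as `/Encrypt` and `/OpenAction` remain readable, but the string values (including the URIs) are ciphertext, so an encrypted verdict with zero extracted URLs is itself the signal to route the attachment for manual review rather than treat it as clean.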

There is a tradition in high schools in the United States where graduating seniors are awarded "superlatives" for being the best exemplar in a particular category, such as "most likely to succeed," "most outspoken," or "most popular." Using these superlatives provides an effective way to highlight interesting activities, trends, and statistics for 2023 from X-Force telemetry, as explained below.

The winner of "Most Common Malware" in 2023 is Agent Tesla, a popular infostealer that has been active on underground markets since 2014. The top five most common malware families also include the infostealers Formbook and Lokibot, the remote access tool Remcos, and Snake Keylogger. These families are often spread in archives or through malicious Office documents, including ones that exploit CVE-2017-11882 (see below).

Figure 5: The most common malware observed in spam emails in 2023. Source: X-Force

Figure 6 provides an example of an email campaign using an NSIS installer delivered in a zip archive to deploy Agent Tesla. As mentioned above, X-Force has also observed an increase in the use of NSIS installers to spread commodity malware.

Figure 6: Email delivering the Agent Tesla infostealer via an NSIS installer. Source: X-Force

The winner in the "Most Concerning Exploit" category is CVE-2017-11882. Now that the simple approach of using macros has been mitigated, many threat actors are focusing on exploits for legacy and potentially unpatched versions of MS Office. Notably, X-Force has observed a significant increase in the use of files that exploit CVE-2017-11882, a remote code execution vulnerability in the Microsoft Office Equation Editor. Campaigns that exploit this vulnerability to spread commodity malware such as Agent Tesla, Remcos, Formbook, Lokibot, XWorm, and AsyncRAT (to name a few) saw a big wave in 2023, with spikes in activity in March, May, and July, making it the most common vulnerability exploited in spam documents in 2023.
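A cheap, library-free check for the document side of this is to look for an embedded Equation Editor OLE object, since that is the component the exploit documents load. This is an added example for this page, not X-Force tooling; it handles the RTF form, where the object is declared by an `\objclass` control word and its data is hex-encoded after `\objdata`, and it looks for the Equation Editor class name or its CLSID {0002CE02-0000-0000-C000-000000000046}. The fixture RTF is constructed and contains only an OLE1-style header and the CLSID, no exploit data.

```python
r"""Check an RTF attachment for an embedded Equation Editor object.

Added example (not X-Force code). RTF embeds OLE objects as \objclass names
plus hex-encoded \objdata; this decodes the latter and looks for the Equation
Editor CLSID or class name. Presence of the object is not proof of exploitation,
but in email there is almost never a legitimate reason for it.
"""
import re

# CLSID of Equation.3 as it is laid out on disk (little-endian GUID fields).
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
OBJCLASS = re.compile(r"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")


def triage_rtf(rtf: str) -> dict:
    """Return the embedded object classes and whether Equation Editor is among them."""
    classes = OBJCLASS.findall(rtf)
    blobs = []
    for h in OBJDATA.findall(rtf):
        h = re.sub(r"\s", "", h)
        blobs.append(bytes.fromhex(h[: len(h) - len(h) % 2]))
    equation = any(c.lower().startswith("equation") for c in classes) or any(
        EQUATION_CLSID in b or b"Equation" in b for b in blobs)
    return {
        "object_classes": classes,
        "equation_editor": equation,
        # \objupdate asks the reader to refresh (i.e. load) the object on open.
        "auto_update": "\\objupdate" in rtf,
        "verdict": "suspicious" if equation else "clean",
    }


# Constructed fixture: an OLE1-style header (version, format, class-name
# length) followed by the class name and the CLSID. No exploit data is present.
_OBJDATA_HEX = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00" + EQUATION_CLSID
).hex()
SAMPLE_RTF = (r"{\rtf1{\object\objemb\objupdate{\*\objclass Equation.3}"
              r"{\*\objdata " + _OBJDATA_HEX + "}}}")
BENIGN_RTF = r"{\rtf1 Quarterly figures attached.}"

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
    print(triage_rtf(BENIGN_RTF))
```

For binary Office (OLE2) documents the equivalent check is to look for an "Equation Native" stream or the same CLSID in the object's CompObj data, which needs an OLE parser and is left out here. The class-name match is deliberately loose because the \objclass string is attacker-controlled and may be omitted; the CLSID inside the decoded \objdata is the more reliable indicator.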

Figure 7: Number of emails leveraging CVE-2017-11882 in 2023. Source: X-Force

Although a patch has been available since November 2017, attackers can still succeed because they are counting on organizations that have not yet applied security updates. In fact, attackers often exploit organizations that are overwhelmed by the task of identifying, prioritizing, and remediating vulnerabilities. Vulnerability management services can help organizations handle this task effectively, ensuring that high-risk vulnerabilities such as CVE-2017-11882 are found and remediated.

Figure 8: Malicious email exploiting CVE-2017-11882 to deliver Formbook. Source: X-Force

The "Most Dangerous Activity" category belongs to the initial access broker TA577, also known as "TR" and tracked by X-Force as HIVE0118. TA577's 2023 campaigns used Qakbot until its disruption in August, after which they moved to DarkGate, IcedID, and Pikabot. X-Force has observed several TA577 email campaigns in the last year that led to successful Qakbot infections, and these campaigns have been observed to lead on to Black Basta ransomware attacks. TA577 combines high-volume campaigns with email "thread hijacking," in which attackers add malicious URLs or attachments to stolen email threads to make them appear more legitimate. Since last spring, most TA577 campaigns have used malicious URLs or PDFs containing malicious URLs. The example below occurred on December 22 and delivered Pikabot.

Figure 9: TA577 thread-hijacked email delivering a malicious PDF attachment. Source: X-Force

Figure 10: PDF containing a malicious URL, from the TA577 activity in Figure 9. Source: X-Force

The "Most Complex Infection Chain" originated from a campaign launched in mid-December 2023 by a distributor tracked as Hive0137. Over the past year, threat actors have increasingly employed complex execution chains. The use of multiple sequential stages makes individual components and their behaviors less detectable and allows attackers to perform checks at multiple points throughout the infection process to filter out security researchers and automated sandboxes.

Hive0137 has been active since at least October, sending emails containing malicious PDF attachments or URLs that led to DarkGate, NetSupport, and a new loader called "T34 Loader". The Hive0137 campaigns overlap with Proofpoint's BattleRoyal cluster, whose email campaigns Proofpoint also noted for their complexity. In a Hive0137 campaign that took place on December 19, 2023, X-Force discovered an extremely complex infection chain that delivered the T34 Loader. X-Force has previously observed the T34 Loader deliver the Rhadamanthys stealer.

To download and install the T34 Loader, the campaign leverages an open redirect URL, the Keitaro Traffic Distribution System (TDS), remote configuration data, and four different files: two .url files, a PE file, the SNOW crypter, and the T34 Loader DLL. Notably, the SNOW crypter was developed by a former member of the TrickBot/Conti group (aka ITG23), suggesting a relationship between the threat actors who developed or use the T34 Loader and ITG23.

Figure 11: A Hive0137 email with a malicious URL starts a well-crafted execution chain. Source: X-Force

Figure 12: The Hive0137 campaign uses a complex execution chain to deliver the final payload.

Looking ahead to 2024, X-Force expects spammers to continue to employ new tactics, techniques, and procedures (TTPs) to bypass security solutions and network defenses, and to convince users to execute email attachments and links. In particular:

- Threat actors will continue to use URLs in emails and PDF attachments to initiate the execution chain. An email with a PDF attachment looks far less suspicious than an email with a disk image. Threat actors understand this and will use these methods to break through the first line of defense.
- Email threat actors will increasingly adopt artificial intelligence and large language models (LLMs) to create more persuasive email content that prompts users to click on links or execute attachments. Spam emails with poor grammar, broken English, or simplistic messages can usually be spotted quickly. That is set to change as threat actors leverage AI to help them craft professional and polished emails.
- Increasingly complex multi-stage infection chains are also likely to become more common. There are already regular email campaigns that use multiple stages before delivering the final payload, with the goal of diverting the attention of security researchers and sandboxes and maximizing their chances of passing through security defenses. Attackers may turn to unusual file types to support these execution chains, such as .url attachments or script files (such as JavaScript or batch files).
- Good cyber hygiene will continue to play a key role in preventing the success of email-based attacks: regularly updating and patching applications, ensuring that antivirus software and its related files are working properly and up to date, and staying vigilant for any suspicious activity.
