Malware Trends Report: Q3, 2024
We’re excited to share ANY.RUN‘s latest malware trends analysis for Q3 2024.
Our quarterly update provides insights into the most widely deployed malware families, types, and TTPs we saw during the last 3 months of the year.
Summary
In Q3 2024, ANY.RUN users ran 1,090,457 public interactive analysis sessions, which is a 23.7% increase from Q2 2024. Out of these, 211,770 (19.4%) were marked as malicious, and 47,375 (4.3%) as suspicious.
Compared to the previous quarter, the percentage of malicious sandbox sessions increased slightly from 18.4% in Q2 2024 to 19.4% in Q3 2024. The share of suspicious sessions saw a decline from 7.0% to 4.3%.
As for indicators of compromise, users collected a total of 570,519,029 IOCs this quarter.
Top Malware Types in Q3 2024
Let’s take a closer look at the most common malware types identified by ANY.RUN’s sandbox.
Stealer: 16,511
Loader: 8,197
RAT: 7,191
Ransomware: 5,967
Miner: 3,880
Keylogger: 3,172
Backdoor: 811
Installer: 640
Trojan: 507
Compared to Q1 and Q2 of 2024, the ANY.RUN sandbox saw a significant increase in the detection of malware in Q3. A major reason for this is the growing number of public samples being uploaded by our 500,000-strong community of security analysts. Our team is also continuously improving the service’s capabilities, resulting in broader threat coverage.
Top malware types: highlights
In Q3, Stealers were the most common malware type detected, returning to the first spot since the start of the year after falling to the fourth place in Q2. They saw a serious rise in detections, reaching 16,511 in Q3.
Loaders maintained a strong presence, securing the second position for another quarter in a row. Their detections have seen a 49% rise from 5,492 to 8,197.
After leading in Q2, RATs dropped to the third spot, with 7,191 detections.
Trojan and Installer malware experienced a substantial decrease, shedding 3,704 and 2,466 detections correspondingly. Ransomware increased by 3,021, indicating a rise in this type of threat.
Top Malware Families in Q3 2024
Lumma: 4,140
AsyncRAT: 3,053
Remcos: 2,548
Agent Tesla: 2,316
XWorm: 2,188
Stealc: 2,030
Snake: 1,782
MetaStealer: 1,663
Cobalt Strike: 1,262
Top malware families: highlights
In Q3 2024, the malware landscape saw notable shifts. Despite not being present on the Q2 ranking, Lumma emerged as the leading threat, recording 4,140 instances.
AsyncRAT went from 670 detections in Q2 to 3,053 in Q3, followed by Remcos whose detections almost doubled from 1,282 to 2,548.
Agent Tesla also showed an increase, jumping from 439 detections to 2,316, which is still more than its Q4 2023 result, when it topped the malware families chart.
Several new families made their debut in Q3, including XWorm with 2,188 detections and Stealc with 2,030.
Top MITRE ATT&CK techniques in Q3 2024
The MITRE ATT&CK framework categorizes adversary behavior into tactics and techniques, helping malware analysts more efficiently identify, assess, and respond to threats.
Here are the top 20 techniques observed in Q3 2024:
#
MITRE ATT&CK Technique
№ of detections
1
Impair Defenses: Disable Windows Event Logging, T1562.002
63,027
2
Command and Scripting Interpreter: PowerShell, T1059.001
46,155
3
Command and Scripting Interpreter: Windows Command Shell, T1059.003
41,384
4
Masquerading: Rename System Utilities, T1036.003
41,254
5
Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003
39,021
6
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001
23,937
7
System Binary Proxy Execution: Rundll32, T1218.011
21,896
8
Scheduled Task/Job: Scheduled Task, T1053.005
16,718
9
Masquerading: Match Legitimate Name or Location, T1036.005
15,594
10
Phishing: Spearphishing Link, T1566.002
15,110
11
Credentials from Password Stores: Credentials from Web Browsers, T1555.003
14,723
12
System Services: Service Execution, T1569.002
14,257
13
Email Collection: Local Email Collection, T1114.001
10,807
14
Create or Modify System Process: Systemd Service, T1543.002
10,558
15
Scheduled Task/Job: Systemd Timers, T1053.006
10,558
16
Impair Defenses: Disable or Modify Tools, T1562.001
6,917
17
Command and Scripting Interpreter: Unix Shell T1059.004
6,634
18
Command and Scripting Interpreter: Visual Basic T1059.005
6,602
19
Software Discovery: Security Software Discovery T1518.001
6,258
20
Virtualization/Sandbox Evasion: System Checks T1497.001
6,003
Top TTPs: Q3 2024 vs Q2 2024
The first three spots were taken accordingly by:
T1562.002, Impair Defenses: Disable Windows Event Logging — new entry.
T1059.001: Command and Scripting Interpreter: PowerShell — up from the 7th spot in Q2.
T1059.003, Command and Scripting Interpreter: Windows Command Shell — rose from the 6th spot, nearly doubling in detections.
The worthy mentions:
T1114.001, Local Email Collection, was pushed down from the top spot in Q2 to the 13th position with 10,807 detections.
T1036.003, Rename System Utilities, dropped from the 3d spot in the previous quarter to 4th, registering 41,254 instances.
T1497.003, Time Based Evasion, despite falling to the 5th spot from 2nd in Q2, saw an increase in detections, bringing the figure to 39,021.
Report methodology
For our report, we looked at data from 1,090,457 interactive analysis sessions. This information comes from researchers in our community who contributed by running public analysis sessions in ANY.RUN.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Integrate ANY.RUN’s services in your organization →
The post Malware Trends Report: Q3, 2024 appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More