Kaspersky Security Bulletin

Crimeware and financial cyberthreats in 2024

At Kaspersky, we constantly monitor the financial cyberthreat landscape, which includes threats to financial institutions, such as banks, and financially motivated threats, such as ransomware, that target a broader range of industries. As part of our Kaspersky Security Bulletin, we try to predict how these cyberthreats will evolve in the coming year to help individuals and businesses prepare to face them. In this article, we first assess our predictions for 2023, and then try to work out which trends are coming in 2024.

Review of last year’s (2023) predictions: how we fared

  1. Web3 and the rise of threats:

    True. The prediction suggested that Web3, led by the gaming and entertainment sectors, would continue to gain traction and face increasing threats. We highlighted the growing popularity of cryptocurrencies and anticipated an increase in crypto scams. The forecast correctly emphasized that users had become more aware of crypto and would not easily fall for primitive scams. However, according to the cybersecurity firm Certik, crypto theft was indeed on the rise, with nearly $1 billion lost to scams, rug pulls, and exploits throughout 2023, making this prediction true.

  2. Malware loaders on the underground market:

    True. The prediction anticipated that malware loaders would become a major commodity in the cybercriminal underground market. It correctly pointed out that attackers were paying more attention to downloaders and droppers to evade detection. The appearance of ASMCrypt and the evolving techniques for downloading payloads without detection supported the prediction. This trend aligns with the growing interest in malicious loaders, making this prediction true.

  3. Increase in red team penetration testing frameworks:

    False. The prediction suggested that cybercriminals would deploy more red team penetration testing frameworks for their malicious activities, some examples being Cobalt Strike and Brute Ratel C4. However, the review indicated that no other similar developments had been observed beyond these tools, making the prediction false. This suggests that the trend of cybercriminals using penetration testing frameworks might not have been as widespread as expected in 2023.

  4. Ransomware payment methods:

    False. The prediction about a shift away from Bitcoin as the primary method for ransom payments due to sanctions and regulatory changes turned out to be false. Although the financial landscape and regulations evolved, Bitcoin continues to be the preferred method to pay ransom. The usage of cryptocurrencies combined with the usage of mixer systems was the method of choice for major RaaS groups.

  5. Ransomware groups and destructive activity:

    True. The prediction that ransomware gangs would shift their focus from financial interests to more destructive activities, including political demands, was confirmed in 2023. Examples like CryWiper, a wiper posing as ransomware, or Roadsweep ransomware rendering victim files irrecoverable, support this trend. Ransomware groups indeed began making demands for political actions rather than just ransom money, indicating a shift in motivations and tactics.

In summary, the predictions for 2023 proved largely accurate. They correctly anticipated the rising threats in the Web3 and cryptocurrency space, the prominence of malware loaders in the underground market, and changes in ransomware motivations. However, the forecast about the increase in red team penetration testing frameworks did not materialize as expected, with limited evidence of this trend beyond Cobalt Strike and Brute Ratel C4. The prediction about ransomware operators increasingly shifting from Bitcoin to other payment methods was not fulfilled, either. To evade tracking, cybercriminals relied on Bitcoin mixers to obfuscate their transactions.

Financial cybersecurity predictions for 2024

The year 2024 is poised to be a challenging period for financial cybersecurity, with cybercriminals employing increasingly sophisticated tactics and technologies to exploit vulnerabilities in the financial sector. This report outlines several key predictions based on emerging trends and threats including the growing use of AI, the rise of direct payment system fraud, the global adoption of Automated Transfer Systems (ATS), the internationalization of Brazilian banking trojans, the evolution of ransomware tactics, and more.

  1. Increase in AI-powered cyberattacks

    In 2024, the financial industry is expected to face an upsurge in cyberattacks that leverage machine learning tools. Cybercriminals will employ generative AI to mimic legitimate ads, emails, and other means of communication, making it a challenge to distinguish between genuine and fake content. This AI-driven approach will lead to a proliferation of lower-quality campaigns, as the entry barrier for cybercriminals will lower, and the potential for deception will rise.

  2. Fraudulent schemes targeting direct payment systems

    With the increasing popularity of direct payment systems like PIX in Brazil, FedNow in the USA, and UPI in India, cybercriminals will exploit these platforms for fraudulent schemes. Expect to see the emergence of clipboard malware designed to support new direct payment systems. Additionally, mobile banking trojans will increasingly exploit these systems as a quick and efficient means of cashing out ill-gotten gains.
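The clipboard threat above is easiest to see against the payload itself. The following is an added example, not code from the bulletin: a minimal parser for the PIX "copia e cola" string (EMV Merchant-Presented Mode TLV with a CRC-16/CCITT-FALSE trailer) that a wallet or a user-side check could run before confirming a payment. The payload, the PIX key `loja@example.com` and the merchant details are constructed for the example.

```python
# Added example, not from the Kaspersky bulletin. Constructed PIX "copia e cola"
# payloads in EMV Merchant-Presented Mode: ID(2) LEN(2) VALUE triplets, ending in
# tag 63 = CRC-16/CCITT-FALSE over everything up to and including "6304".

def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection (as used by BR Code)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"

def parse_tlv(data: str) -> dict:
    """Parse a flat ID/LEN/VALUE sequence into a {tag: value} dict."""
    fields, i = {}, 0
    while i + 4 <= len(data):
        tag, length = data[i:i + 2], int(data[i + 2:i + 4])
        fields[tag] = data[i + 4:i + 4 + length]
        i += 4 + length
    return fields

def build_pix_payload(key: str, name: str, city: str, amount: str) -> str:
    """Construct a static PIX payload; tag 26 carries the GUI and the recipient key."""
    merchant_info = tlv("00", "br.gov.bcb.pix") + tlv("01", key)
    body = (tlv("00", "01") + tlv("26", merchant_info) + tlv("52", "0000")
            + tlv("53", "986") + tlv("54", amount) + tlv("58", "BR")
            + tlv("59", name) + tlv("60", city) + tlv("62", tlv("05", "***")))
    body += "6304"                      # CRC tag and length precede the CRC value
    return body + f"{crc16_ccitt_false(body.encode('ascii')):04X}"

def check_pix_payload(payload: str, expected_key: str) -> dict:
    """Verify the CRC and compare the embedded recipient key with the key the payer intended.
    A clipboard swap that edits the key in place breaks the CRC; one that rebuilds the
    payload keeps a valid CRC, so the recipient comparison is the check that matters."""
    fields = parse_tlv(payload)
    try:
        crc_ok = crc16_ccitt_false(payload[:-4].encode("ascii")) == int(fields.get("63", ""), 16)
    except ValueError:
        crc_ok = False
    key = parse_tlv(fields.get("26", "")).get("01", "")
    return {"crc_ok": crc_ok, "key": key, "key_matches": key == expected_key}
```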

  3. Global adoption of Automated Transfer Systems (ATS)

    Mobile Automated Transfer System (ATS) attacks are a fairly new technique, which involves banking malware making fraudulent transactions when the user logs in to the banking app. While only a few Brazilian malware families are currently using mobile ATS, the global adoption of mobile banking and A2A transfer systems will lead to the malware expanding beyond Brazilian borders. Mobile banking trojans will adopt ATS techniques for quick cashout, moving away from Brazil-centric usage. This shift will make it easier for cybercriminals worldwide to exploit these systems for financial gain.

  4. Resurgence of Brazilian banking trojans

    As many Eastern European cybercriminals have shifted their focus to ransomware, Brazilian banking trojans will fill the void left by desktop banking trojans. Families like Grandoreiro have already expanded abroad, targeting more than 900 banks in 40 countries. Their ambitions are to become the new ZeuS, and this trend is not unique to Grandoreiro, as other families share similar aspirations.

  5. Ransomware target selection

    Ransomware groups will become more selective in their target choices to maximize their chances of receiving payment or demanding higher ransom amounts. This strategic approach will lead to more targeted and damaging attacks on financial institutions and organizations.

  6. Open-source backdoored packages

    A rise in open-source backdoored packages will be a troubling trend in 2024. Cybercriminals will exploit vulnerabilities in widely used open-source software, compromising security and potentially leading to data breaches and financial losses.

  7. Decrease in 0-days, increase in 1-day exploits

    Crimeware actors will reduce their reliance on zero-day vulnerabilities and instead turn to 1-day exploits. This shift may be driven by the increased scarcity of zero-days and the growing demand for more reliable and accessible attack methods.

  8. Exploitation of misconfigured devices and services

    We expect an increase in exploitation and abuse of misconfigured devices and services that are publicly accessible when they should not be. Cybercriminals will capitalize on these weaknesses to gain unauthorized access and launch attacks.

  9. Fluid composition of affiliate groups

    Affiliate groups in the cybercrime ecosystem will exhibit a more fluid structure, with members frequently switching between, or working for, multiple groups simultaneously. This adaptability will make it hard for law enforcement to track and combat cybercrime effectively.

  10. Increased use of less popular or cross-platform programming languages

    Cybercriminals will increasingly use less popular or cross-platform programming languages like Golang and Rust to create malware and exploit vulnerabilities. This trend, exemplified by the emergence of MarioLocker, written in Golang in Colombia, will make it harder to detect and mitigate cyberthreats.

  11. Emergence of hacktivist groups

    Socio-political conflicts will lead to a rise in hacktivist groups that focus on disrupting critical infrastructure and services. These groups will pose a significant threat to financial institutions and other organizations that are vital to the functioning of society.

The financial cybersecurity landscape in 2024 will be characterized by evolving threats, increased automation, and the persistence of cybercriminals. Financial institutions and organizations must adapt their cybersecurity strategies to address these challenges proactively, and safeguard their assets and sensitive data. Collaboration between the public and private sectors will be essential to combating the growing financial cybersecurity risks in the year ahead.
