HomeCybersecurity Lifehacks
Malware Trends Overview Report: 2023 
HomeCybersecurity Lifehacks
Malware Trends Overview Report: 2023 

Let’s take a moment to reflect on 2023. We’ve analyzed the most prevalent malware families, types, and TTPs of the year, and we’re bringing you the highlights in this article. 

This report is based on the analysis of 2,991,551 public tasks created by our community in 2023. Out of these, 817,701 were tagged as malicious, and 148,124 as suspicious. Overall, ANY.RUN helped the cybersecurity community identify 640,158,713 IOCs in 2023.  

Top Malware Types in 2023 

Let’s begin by taking a closer look at the most common types of malware identified by ANY.RUN’s sandbox. In 2023, loaders, stealers, and RATs took the lead with 24,136, 18,290, and 17,431 detections respectively. Around 15,630 detections were attributed to trojans:  

  • Loader: 24,136 
  • Stealer: 18,290 
  • Remote Access Trojan (RAT): 17,431 
  • Trojan: 15,630 
  • Ransomware: 12,820 
  • Installer: 8,541 
  • Keylogger: 4,049 
  • Backdoor: 1,779 
  • Miner: 1,043 

Analyze malware and collect IOCs in ANY.RUN 

Register for free


Top Malware Families in 2023  

In terms of malware families, Redline was by far the most popular (9205 detections), spotted more than twice as frequently as the second-most used malware Remcos (4407 detecitions). Redline is popular among cybercriminals because it’s easy to buy online and it can evade detection through polymorphic code, rootkit functionalities, and intricate obfuscation methods. 

Get the latest Redline IOCs and read more about this malware family in ANY.RUN’s Malware Trends Tracker. 

Top MITRE ATT&CK techniques in 2023 

MITRE ATT&CK is a widely recognized framework used globally. It categorizes various adversary actions into tactics and techniques. It’s an essential tool for malware analysts to identify, assess, and address threats more effectively. 

ANY.RUN has a MITRE ATT&CK report that matches malware actions to specific techniques. In 2023, we made over 1.2 million matches, allowing us to put together this spreadsheet of TTPs adversaries employed most frequently in 2023: 

MITRE ATT&CK Technique   Count 
T1036.005 Masquerading: Match Legitimate Name or Location  486,058 
T1518.001 Software Discovery: Security Software Discovery  235,295 
T1569.002 System Services: Service Execution  119,695 
T1114.001 Email Collection: Local Email Collection  87,962 
T1218.011 System Binary Proxy Execution: Rundll32  79,501 
T1059.003 Command and Scripting Interpreter: Windows Command Shell  75,300 
T1036.003 Masquerading: Rename System Utilities  62,078 
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion  51,394 
T1204.002 User Execution: Malicious File  47,720 
T1053.005 Scheduled Task/Job: Scheduled Task  40,453 
T1059.001 Command and Scripting Interpreter: PowerShell  36,593 
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  27,761 
T1059.005 Command and Scripting Interpreter: Visual Basic  23,188 
T1562.001 Impair Defenses: Disable or Modify Tools  23,084 
T1555.003 Credentials from Password Stores: Credentials from Web Browsers  21,194 
T1574.002 Hijack Execution Flow: DLL Side-Loading  19,939 
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification  12,492 
T1059.007 Command and Scripting Interpreter: JavaScript  11,814 
T1564.001 Hide Artifacts: Hidden Files and Directories  8,993  

Top TTPs: highlights: 

  • Masquerading Techniques (T1036.005): There’s a notable prelevance of Masquerading: Match Legitimate Name or Location technique. This indicates how common obfuscation via deceptive filenames and paths has been in 2023. This technique employs mimicry tactics to bypass heuristic detection. Effective countermeasures include behavioral analysis, focusing on anomaly detection in process tree execution and scrutinizing file path irregularities. 
  • Security Software Discovery (T1518.001): Software Discovery: Security Software Discovery is indicative of sophisticated adversaries targeting security mechanisms. This method is a hallmark of APTs and targeted ransomware campaigns. 
  • Increased Use of System Services for Execution (T1569.002): We’re seeing a lot of malware use system services to stay hidden and live of the land. This is a common technique in rootkits and sophisticated malware. This approach exploits system services to execute code at elevated privileges. 
  • Email Collection: Local Email Collection (T1114.001): This technique takes place with malware that focuses on stealing sensitive information from emails, specifically from local email files such as cache or Outlook files. 

Report methodology  

In our report, we analyzed data from 2,991,551 tasks sent to our public threat database. This information is from researchers in our community who helped by running tasks in ANY.RUN. 

About ANY.RUN  

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.    

Request a demo today and enjoy 14 days of free access to our Enterprise plan.     

Request demo → 

What do you think about this post?

1 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments