HomeCybersecurity Lifehacks
Malware Trends Report: Q3, 2024
HomeCybersecurity Lifehacks
Malware Trends Report: Q3, 2024

We’re excited to share ANY.RUN‘s latest malware trends analysis for Q3 2024.

Our quarterly update provides insights into the most widely deployed malware families, types, and TTPs we saw during the last 3 months of the year.

Summary

Users launched over 1M sandbox sessions in Q3 2024

In Q3 2024, ANY.RUN users ran 1,090,457 public interactive analysis sessions, which is a 23.7% increase from Q2 2024. Out of these, 211,770 (19.4%) were marked as malicious, and 47,375 (4.3%) as suspicious.  

Compared to the previous quarter, the percentage of malicious sandbox sessions increased slightly from 18.4% in Q2 2024 to 19.4% in Q3 2024. The share of suspicious sessions saw a decline from 7.0% to 4.3%.  

As for indicators of compromise, users collected a total of 570,519,029 IOCs this quarter.

Collect threat intel on the latest malware and phishing campaigns with TI Lookup 

Get 20 free requests

Top Malware Types in Q3 2024   

Stealers dominated the threat landscape in Q3 2024

Let’s take a closer look at the most common malware types identified by ANY.RUN’s sandbox. 

Compared to Q1 and Q2 of 2024, the ANY.RUN sandbox saw a significant increase in the detection of malware in Q3. A major reason for this is the growing number of public samples being uploaded by our 500,000-strong community of security analysts. Our team is also continuously improving the service’s capabilities, resulting in broader threat coverage. 

Top malware types: highlights  

In Q3, Stealers were the most common malware type detected, returning to the first spot since the start of the year after falling to the fourth place in Q2. They saw a serious rise in detections, reaching 16,511 in Q3.  

Loaders maintained a strong presence, securing the second position for another quarter in a row. Their detections have seen a 49% rise from 5,492 to 8,197.

After leading in Q2, RATs dropped to the third spot, with 7,191 detections. 

Trojan and Installer malware experienced a substantial decrease, shedding 3,704 and 2,466 detections correspondingly. Ransomware increased by 3,021, indicating a rise in this type of threat.  

Top Malware Families in Q3 2024   

Lumma, AsyncRAT and Remcos became top threats in Q3 2024

Top malware families: highlights 

In Q3 2024, the malware landscape saw notable shifts. Despite not being present on the Q2 ranking, Lumma emerged as the leading threat, recording 4,140 instances. 

AsyncRAT went from 670 detections in Q2 to 3,053 in Q3, followed by Remcos whose detections almost doubled from 1,282 to 2,548.  

Agent Tesla also showed an increase, jumping from 439 detections to 2,316, which is still more than its Q4 2023 result, when it topped the malware families chart. 

Several new families made their debut in Q3, including XWorm with 2,188 detections and Stealc with 2,030.

ANY.RUN cloud interactive sandbox interface


Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup

Top MITRE ATT&CK techniques in Q3 2024

Disable Windows Event Logging became top TTP in Q3 2024

The MITRE ATT&CK framework categorizes adversary behavior into tactics and techniques, helping malware analysts more efficiently identify, assess, and respond to threats.

Here are the top 20 techniques observed in Q3 2024: 

#   MITRE ATT&CK Technique     № of detections  
1   Impair Defenses: Disable Windows Event Logging, T1562.002   63,027 
2   Command and Scripting Interpreter: PowerShell, T1059.001  46,155 
3   Command and Scripting Interpreter: Windows Command Shell, T1059.003  41,384 
4   Masquerading: Rename System Utilities, T1036.003  41,254 
5   Virtualization/Sandbox Evasion: Time Based Evasion, T1497.003  39,021 
6   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001  23,937  
7   System Binary Proxy Execution: Rundll32, T1218.011   21,896 
8   Scheduled Task/Job: Scheduled Task, T1053.005   16,718 
9   Masquerading: Match Legitimate Name or Location, T1036.005  15,594 
10   Phishing: Spearphishing Link, T1566.002  15,110 
11   Credentials from Password Stores: Credentials from Web Browsers, T1555.003   14,723 
12   System Services: Service Execution, T1569.002  14,257 
13   Email Collection: Local Email Collection, T1114.001   10,807 
14   Create or Modify System Process: Systemd Service, T1543.002   10,558 
15   Scheduled Task/Job: Systemd Timers, T1053.006  10,558 
16   Impair Defenses: Disable or Modify Tools, T1562.001  6,917 
17   Command and Scripting Interpreter: Unix Shell T1059.004  6,634 
18   Command and Scripting Interpreter: Visual Basic T1059.005  6,602 
19   Software Discovery: Security Software Discovery T1518.001  6,258 
20   Virtualization/Sandbox Evasion: System Checks T1497.001  6,003 

Top TTPs: Q3 2024 vs Q2 2024 

The first three spots were taken accordingly by:

  • T1562.002, Impair Defenses: Disable Windows Event Logging — new entry. 
  • T1059.001: Command and Scripting Interpreter: PowerShell — up from the 7th spot in Q2. 
  • T1059.003, Command and Scripting Interpreter: Windows Command Shell — rose from the 6th spot, nearly doubling in detections. 

The worthy mentions: 

  • T1114.001, Local Email Collection, was pushed down from the top spot in Q2 to the 13th position with 10,807 detections. 
  • T1036.003, Rename System Utilities, dropped from the 3d spot in the previous quarter to 4th, registering 41,254 instances. 
  • T1497.003, Time Based Evasion, despite falling to the 5th spot from 2nd in Q2, saw an increase in detections, bringing the figure to 39,021. 

Report methodology    

For our report, we looked at data from 1,090,457 interactive analysis sessions. This information comes from researchers in our community who contributed by running public analysis sessions in ANY.RUN.  

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Integrate ANY.RUN’s services in your organization →

What do you think about this post?

8 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments