Statistical Report on Malware Threat in Q4 2024

Overview

AhnLab uses its automatic analysis system RAPIT to categorize and respond to malware collected through a variety of routes. This report categorizes and shares statistics on known malware among the samples collected during Q4 2024.

The malware strains included in the statistics are executables that were reported by client companies or collected after being detected performing malicious acts in environments with AhnLab products installed during that period. Malware is ordinarily distributed through spam emails, web browsers, or attacks on vulnerable environments. Accordingly, samples are detected and collected when they arrive as spam email attachments, when users download and run files of dubious origin from web browsers, or when vulnerable environments are targeted by external attacks.

Samples are categorized by known malware family. Here, "known malware" refers to families that are sold by their developers or built with cracked versions of their builders, and most of these are still being distributed today. There are also families that threat actors develop and distribute themselves; most banking malware strains fall into this category.

The report categorizes malware by type and provides detailed statistics on each. It also examines the distribution methods and notable features of each family.

Statistics

1. Malware Statistics in Q4 2024
The following is the categorization of known malware collected during the fourth quarter of 2024. Among the main categories, the most prevalent types of malware, in order, are Infostealer, Downloader, Backdoor, and Ransomware.

Figure 1. Statistics on malware by category

Main Category    Percentage
Infostealer      54.1%
Downloader       27.2%
Backdoor         18.6%
Ransomware        0.1%

Table 1. Statistics on malware by category

Infostealers steal information saved in the user environment: account credentials stored by programs such as web browsers and email clients, cryptocurrency wallet data, and files.

Downloaders have little functionality of their own; their purpose is to download and execute additional malware.

Backdoors, which include remote administration tools (RATs), receive commands from the threat actor to install additional malware, collect information through keylogging and screenshots, and execute arbitrary commands.

Ransomware encrypts files in the user environment and demands payment for their recovery, for the financial benefit of the attacker.

The following section gives details on the specific malware families within each category.

2. Malware Details by Type in Q4 2024
The following is detailed information on the sub-categories of malware collected in Q4 2024.

2.1. Infostealer
Certain Infostealers such as AgentTesla and Formbook have been distributed consistently for several years and account for most of this category. AgentTesla [1][2][3][4] is usually distributed as a spam email attachment under various disguises. It steals account information stored in web browsers, email clients, and FTP clients in the user environment.

SnakeKeylogger [5], Formbook [6][7], and Lokibot [8][9] are also major Infostealers distributed through spam email attachments. Among these, SnakeKeylogger has been observed since around 2021 and has consistently accounted for a large share. Like AgentTesla, SnakeKeylogger exfiltrates stolen information over SMTP, and it also supports other channels such as HTTP and FTP. Lokibot steals account credentials from various programs installed on the infected PC, including web browsers, email clients, and FTP clients. It is known to be distributed in various forms, including builds based on Microsoft Visual Basic and Nullsoft Scriptable Install System (NSIS) installers.

HawkEye is spread as an executable attached to spam emails and exfiltrates system information, web browser and email account credentials, cryptocurrency wallets, and Minecraft account information. Because it has been in circulation for a long time, its credential-stealing routines may not work against current software versions, but its keylogging, clipboard logging, and screenshot capture functions are likely to still work.

Pony is an Infostealer that steals users' saved passwords; it has been distributed alongside the Reveton malware.

MassLogger is a .NET-based Infostealer distributed primarily through phishing emails, and it steals email and browser credentials. Azorult [10], also distributed through spam emails, steals browser, email, and cryptocurrency wallet data using additional DLLs.

CryptBot [11] is mainly distributed disguised as cracked programs or tools and is frequently modified. To evade detection, it includes checks for security products and virtual machine environments. It can steal credentials, take screenshots, and exfiltrate browser data; the stolen data is packed into ZIP files and uploaded to the C&C server.
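As an added illustration of the exfiltration channels described above (SMTP and FTP for AgentTesla, SnakeKeylogger, and Lokibot, and CryptBot's ZIP upload to its C&C), the following Python detector is example code written for this page; it is not AhnLab's tooling or part of RAPIT. It runs over constructed endpoint network events, and the process names, hosts, ports, and allow-lists are assumptions for the example.

```python
"""
Added example, not part of the AhnLab report: a small detector that runs over
constructed endpoint network telemetry and flags the exfiltration channels the
report attributes to these Infostealers:

  * SMTP or FTP connections from a process that is not a known mail or FTP
    client (AgentTesla, SnakeKeylogger, Lokibot style credential exfiltration);
  * an HTTP POST whose body begins with a ZIP local-file header (CryptBot
    uploading stolen data as a ZIP archive).

Process names, hosts and the allow-lists below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every non-empty ZIP

# Assumed allow-lists of processes expected to speak SMTP/FTP directly; tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}


@dataclass
class NetEvent:
    pid: int
    process: str                      # image name reported by the endpoint sensor
    dst_host: str
    dst_port: int
    http_method: Optional[str] = None  # set only for HTTP traffic the sensor could parse
    body_prefix: bytes = b""           # first bytes of the HTTP request body, if captured


@dataclass
class Finding:
    pid: int
    process: str
    rule: str
    detail: str


def check_smtp_from_non_mail_client(ev: NetEvent) -> Optional[Finding]:
    """Direct SMTP from an arbitrary executable is how AgentTesla/SnakeKeylogger send stolen data."""
    if ev.dst_port in SMTP_PORTS and ev.process.lower() not in MAIL_CLIENTS:
        return Finding(ev.pid, ev.process, "smtp_from_non_mail_client",
                       f"{ev.process} -> {ev.dst_host}:{ev.dst_port}")
    return None


def check_ftp_from_non_ftp_client(ev: NetEvent) -> Optional[Finding]:
    """FTP is the alternative channel the report mentions for the same families."""
    if ev.dst_port in FTP_PORTS and ev.process.lower() not in FTP_CLIENTS:
        return Finding(ev.pid, ev.process, "ftp_from_non_ftp_client",
                       f"{ev.process} -> {ev.dst_host}:{ev.dst_port}")
    return None


def check_zip_http_post(ev: NetEvent) -> Optional[Finding]:
    """A POST body starting with the ZIP magic matches CryptBot's ZIP upload to its C&C."""
    if ev.http_method == "POST" and ev.body_prefix.startswith(ZIP_MAGIC):
        return Finding(ev.pid, ev.process, "zip_http_post",
                       f"{ev.process} POST of ZIP data to {ev.dst_host}:{ev.dst_port}")
    return None


CHECKS: List[Callable[[NetEvent], Optional[Finding]]] = [
    check_smtp_from_non_mail_client,
    check_ftp_from_non_ftp_client,
    check_zip_http_post,
]


def scan(events: List[NetEvent]) -> List[Finding]:
    """Run every check over every event; one event can trigger several rules."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed telemetry for the example; none of it is real data.
SAMPLE_EVENTS = [
    NetEvent(1200, "outlook.exe", "smtp.example.net", 587),                # benign mail client
    NetEvent(4412, "invoice_2024.exe", "mail.example.org", 587),           # spam-attachment stealer using SMTP
    NetEvent(4412, "invoice_2024.exe", "ftp.example.org", 21),             # same process also using FTP
    NetEvent(5180, "chrome.exe", "www.example.com", 80, "GET", b""),       # benign browsing
    NetEvent(6022, "setup_crack.exe", "198.51.100.7", 80, "POST",
             b"PK\x03\x04\x14\x00"),                                       # cracked-tool stealer uploading a ZIP
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} {f.detail}")
```

The ZIP rule only fires where the request body is visible to the sensor (plaintext HTTP or TLS-inspected traffic), and the SMTP/FTP rules will alert on any legitimate non-client software that sends mail or uploads files directly, so the allow-lists need tuning before the checks are used in production.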

 


[1] Infostealer Being Distributed via Spam Email (AgentTesla)

[2] AgentTesla Being Distributed via More Sophisticated Malicious PowerPoint Files

[3] AgentTesla Distributed Through Windows Help File (*.chm)

[4] AgentTesla Being Distributed via VBS

[5] Snake Keylogger Being Distributed via Spam E-mails

[6] FormBook Being Distributed via Even More Sophisticated Phishing Emails (This report supports Korean only for now)

[7] FormBook Malware Being Distributed as .NET

[8] Lokibot is at it Again, This Time Spreading via Purchase Order

[9] Lokibot Malware Disguised as National Tax Service Email Being Distributed

[10] Infostealer Malware Azorult Being Distributed Through Spam Mails

[11] Modified CryptBot Infostealer Being Distributed

Figure 2. Statistics on Infostealers

Type             Percentage
AgentTesla       38.7%
SnakeKeylogger   28.9%
Formbook         24.7%
Lokibot           6.0%
HawkEye           0.7%
Pony              0.5%
MassLogger        0.3%
Azorult           0.1%
CryptBot          0.1%

Table 2. Statistics on Infostealers