Following the August 2023 law enforcement operation against Qbot, several reports described significant shifts in the threat landscape around information stealers and trojans.
Qbot has historically served as an access broker for ransomware infections. A recent TrendMicro report suggests that PikaBot has increasingly replaced Qbot in the infection chain leading to ransomware events, particularly Black Basta, which notably resumed operations in September 2023. In late 2023, separate reports also named DarkGate among the potential successors to Qbot. This trend has continued even though new Qbot samples seen in the wild indicate a resurgence after the setback caused by the August 2023 multinational law enforcement operation.
Recent developments include:
A novel piece of malware capable of targeting web servers, cloud services, content management systems, and SaaS platforms. On 11 January 2024, SentinelOne published an analysis of a tool dubbed "FBot," which is designed with a deliberately low footprint, a characteristic the SentinelOne report attributes to likely private development. The hacktool is expected to be effective in targeted attacks against platforms such as AWS, Office365, PayPal, Sendgrid, and Twilio. Its two main use cases are hijacking cloud web services and harvesting credentials for resale to cybercriminals or other threat actors.
AMOS (a.k.a. Atomic Stealer), which targets macOS, has undergone new development, as documented in a recent MalwareBytes report. AMOS is maintained by a group of Russian-speaking hackers who, on 24 December 2023, announced via their Telegram channel a new Google token restore feature, which they call "anti-unlogin Google."
LummaC2, which introduced new evasion TTPs in November 2023, has been observed in attacks distributed through YouTube channels, according to a Fortinet report. Unknown actors breached YouTube channels and used them to upload videos whose linked downloads were trojanized software delivering a LummaC2 variant.