The danger of statistics
As much as we would love our findings to be irrefutable, there is always a risk in using increasingly large datasets collected from third-party sources to explain and predict trends. Ultimately, confidence scores assigned to C&C-related IOCs, or the reliability of YARA rules developed by someone else, will always decrease the reliability of findings, in addition to the fact that the investigated targets are criminal tools developed in a notoriously non-transparent setting. In order to keep the results as tightly controlled as possible, we set the following hard criteria to minimize noise:
• Public YARA rules used to hunt for samples were selected from sets with proven accuracy and a low false positive rate.
• C&C selection was based on a confidence threshold with a high score (75 to 100) assigned by the submitters.
Unfortunately, even imposing constraints and reducing scope does not entirely remove the risk of duplicates if the same infection was captured using different methods, which could result in multiple entries describing the same event from different angles.
Wrap-up
2023 has been a turbulent and exciting year in the loader microcosm. Like avid birdwatchers, threat analysts have keenly observed new families rise and develop, taking their place among the names in our monitoring. For the recipients of the report, unfortunately, this means that new threats have grown and settled into the landscape within an impressive timeline. Despite Qakbot’s dramatic downfall, it would seem there is not one specific competitor that has shown alarming levels of activity to fill the vacuum of its absence. On the contrary, several strong players ended up developing new toolsets and capabilities, providing a steady increase in the loader market. Regardless of the internal drivers that acted as catalysts for the developer teams behind DarkGate, Danabot, and Pikabot to push their products to the public, the result is the same: it would seem we have traded Qakbot for at least three worthy challengers that have taken the last two quarters of 2023 by storm. Diversity in the choice of tooling allows multiple threat actors to pick the instruments for the job with more ease. And so, we go excitedly into 2024 armed with the knowledge that the hunt has just begun. Further research into the activity relating to other loaders may further illuminate the dynamics of the current landscape.
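The two hard criteria from "The danger of statistics" above (a 75 to 100 confidence threshold on submitter-scored C&C IOCs, and the residual risk that one infection captured by several collection methods yields several entries) can be applied mechanically before any counting is done. The following is an added Python example, not code from the original report; the record layout, the field names, the method labels and the sample IOC values (RFC 5737 documentation addresses) are constructed assumptions, since the report does not describe its data schema.

```python
import re
from dataclasses import dataclass, field

# Constructed record layout (assumption): one row per submission to the feed.
@dataclass
class C2Submission:
    family: str      # loader family as labelled by the submitter
    c2: str          # C&C endpoint as submitted (may be defanged or carry a scheme)
    confidence: int  # 0-100 confidence assigned by the submitter
    method: str      # collection method, e.g. "yara-hunt" or "sandbox"
    first_seen: str  # ISO date (YYYY-MM-DD), compares correctly as a string

@dataclass
class C2Event:
    family: str
    c2: str
    confidence: int
    methods: set = field(default_factory=set)  # every method that observed it
    first_seen: str = ""

CONFIDENCE_MIN = 75   # lower bound of the "high score" band used by the report
CONFIDENCE_MAX = 100

def normalize_c2(value: str) -> str:
    """Canonicalise a submitted C&C string so the same endpoint reported
    defanged, with a scheme, or in different case compares equal.
    host:port is kept; scheme and trailing slash are dropped."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("[:]", ":")   # undo common defanging
    v = re.sub(r"^[a-z]+://", "", v)                # strip http://, hxxp://, tcp:// ...
    return v.rstrip("/")

def filter_and_merge(submissions):
    """Apply the confidence threshold, then collapse submissions that describe
    the same (family, endpoint) into a single event so one infection seen by
    a YARA hunt and by a sandbox run is not counted twice."""
    events = {}
    for s in submissions:
        if not (CONFIDENCE_MIN <= s.confidence <= CONFIDENCE_MAX):
            continue
        key = (s.family.strip().lower(), normalize_c2(s.c2))
        ev = events.get(key)
        if ev is None:
            events[key] = C2Event(key[0], key[1], s.confidence, {s.method}, s.first_seen)
        else:
            ev.confidence = max(ev.confidence, s.confidence)
            ev.methods.add(s.method)
            ev.first_seen = min(ev.first_seen, s.first_seen)
    return list(events.values())

def count_by_family(events):
    """Per-family event counts after filtering and merging."""
    counts = {}
    for ev in events:
        counts[ev.family] = counts.get(ev.family, 0) + 1
    return counts

# Constructed sample feed (assumption): the first two rows are the same
# Pikabot infection reported by two methods; the DarkGate row is below threshold.
SAMPLE = [
    C2Submission("Pikabot", "hxxp://203.0.113.10:2078/", 90, "yara-hunt", "2023-10-02"),
    C2Submission("pikabot", "203[.]0[.]113[.]10:2078", 80, "sandbox", "2023-10-01"),
    C2Submission("DarkGate", "198.51.100.7:443", 60, "osint", "2023-09-14"),
    C2Submission("Danabot", "198.51.100.23:443", 75, "sandbox", "2023-11-20"),
]

if __name__ == "__main__":
    merged = filter_and_merge(SAMPLE)
    for ev in merged:
        print(ev)
    print(count_by_family(merged))
```

The merge keeps the highest confidence and the earliest sighting, and records every method that contributed, so a later analyst can still see that a count of one rests on two independent observations rather than one.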