An Objective Look at the Evolution of Cybercriminals’ TTP

By PRODAFT Team on October 23, 2023
An Objective Look at the Evolution of Cybercriminals’ TTP


Cybercriminals now use advanced and strategic TTPs (tactics, techniques, and procedures) to infect and launch cyberattacks on individuals and organizations. In the last two decades, malware has come a long way. In fact, it is an industry where cybercriminals use malware to steal data from systems and browsers so that they can sell it to the highest bidder for profit.


Cybersecurity experts and industry leaders have been monitoring cybercriminal activities and their evolution for years. Cybersecurity waits for no one, and there have been a lot of changes in a few years that have rapid growth of business models.

Of course, companies employ a dedicated IT team and cybersecurity experts to deal with ransomware and malware issues. On the flip side, cybercriminals now have access to several cutting-edge methods. It’s 2023, and cybercriminals can launch many cyberattacks with low risk. Now, from the perspective of cybercriminals, it all starts with data.

The most valuable data is usually credit card details, cryptocurrency wallets, and banking or login information, among others. It also involves panels, networks, and personal smart devices like PCs and laptops. Usually, it just takes malware to infect, extract, steal, exploit, and sell a victim’s data.

Once cybercriminals get access to victim data – it becomes an asset for them, and then they use multiple cash-out methods to convert it into a fiat currency like US dollars. How much cybercriminals can profit depends on what support they steal. Typically, cybercriminals sell data assets to forums and other cybercriminals who exploit them.

Timeline of a Malware Industry

Cybercriminals keep a close eye on general observations that show a rough estimation of trends. From the early 2000s to 2023 – “how” cybercriminals use different tactics to push malware has changed dramatically.

Today, infecting victims with malware to collect data and sell it has become a straightforward process. Years ago, it used to take a lot of time and effort for cybercriminals to exploit data. It’s 2023, and now cybercriminals take little to no risk to exploit user’s data.

Stealer Log

It contains data like the victim’s saved credentials – cookies from the browser–specific elements about your device – files from the desktop and even webcam pictures. It is autonomous, and it collects data and creates an archive. In the case of BALDR Stealer malware, ongoing campaigns allow cybercriminals to manage victim data and review statistics and analytical information.

Today, cybercriminals don’t even need to write malware from scratch – they can buy it from a forum without having a technical background. All it takes is setting up an infrastructure, command and control(C2) server, and infecting victims’ servers.

Once cybercriminals have these elements – they can collect people’s data and have contacts to sell that data. However, this process carries a high risk. And that’s because it takes investment to set up a dedicated infrastructure and experience to launch an infection campaign.  On the other hand, if the cybercriminal writes malware code, he doesn’t have to take these steps and sell it to one of the forums with a low risk.

Raccoon Stealer

This is arguably the biggest Malware-as-a-Service platform. It is a lease of hardware and software to execute cyberattacks. MaaS server owners offer botnet-paid access to distribute malware. Mostly, these cybercriminals get personal account services that allow them to control cyberattacks, manage victim data, and get technical support.

What’s startling is that cybercriminals using Raccoon Stealer can even gift one of their victims to another platform user. In this case, cybercriminals don’t need to write code or set up infrastructure. In fact, all cybercriminals need is to buy an account, generate malware, roll out an infection campaign, and gather victim data to use/sell for profit.

LockBit RaaS

This is another group that is currently still active. Lockbit allows cybercriminals to generate dedicated ransomware builds from the platform. Cybercriminals do this for each of the victim’s devices, and it encrypts all of their files and leaves a ransom note.

This note contains a brief explanation of instructions the victim needs to follow, like how to get in touch with the attacker. Mostly, victims come to the recovery service, and then the negotiation starts within the Lockbit panel. Another similar model is CONTI RaaS, which involves the same process and requirements as Lockbit.

Credential Markets

2easy, RussianMarket, and Genesis are common marketplaces for cybercriminals to purchase victim data. Genesis marketplace works like any other eCommerce site where cybercriminals create an account and look for specific credentials. It also features a dashboard that allows data stealers to review parameters and find specific credentials. So, if a cybercriminal wants the Netflix credentials of someone living in New York City, he can find the information through filters.

Device Identification

Most cybercriminals now know that requirements for direct access to information involve browser fingerprints, cookies, credentials, and IP location. In fact, these are the elements Google reviews when you log in to your Gmail account and determine whether or not you’re signing in from the same device.

Anonymity Browsers

With anonymous browsers, cybercriminals can get browser configuration files to circumvent the standard verification processes and steal user data. In layman’s terms, cybercriminals use browser configuration to mimic the victim’s configuration.

Genesis browser allows cybercriminals to import their bots from the market to their own browsers. Consequently, it becomes difficult to make a clear distinction between the attacker and the victim.

Average Break Time and Increase in Intrusions

The truth is that cybercriminals have become better at exploiting data and intrusions. In fact, an extensive report highlights that the cybercriminals’ average break time is around 79 minutes, which keeps getting shorter, and highlights that cyber masterminds are getting faster.

Intrusions have become easier for cybercriminals because of RMM tools. In fact, there’s been over 300% increase in remote management and monitoring tools. RMM tools are open-source and free solutions that cybercriminals use to avoid any detection and get away efficiently from the targeted environment.

Final Thoughts: What Should Be Companies’ Approach

From the perspective of companies, it is better to reach out to threat intelligence providers to prevent and resolve malware, spyware, and ransomware issues. Ideally, large corporations should get a robust threat intelligence solution, either based on a manual consultation or through the means of a threat intelligence platform. Still, companies should understand that the current adversarial landscape and all its pitfalls call for timely detection mechanisms to deal with internal cybersecurity issues.




Get latest articles directly in your inbox, stay up to date