Cybersecurity trends are constantly shifting, and 2024 was no exception. Attackers found new ways to target businesses, exploiting vulnerabilities and leveraging some of the most notorious malware families.
ANY.RUN recently published its 2024 Malware Trend Report, revealing the threats that made the biggest impact over the past year.
Let’s take a closer look at the top three malware families that stood out in the report and caused real damage to businesses worldwide.
Most Popular Malware Families in 2024
In 2024, businesses faced relentless attacks from cybercriminals, with malware like Lumma, Agent Tesla, and AsyncRAT leading the charge. These malicious tools were responsible for data breaches, credential theft, and significant financial losses across industries.
Let’s take a closer look at these top threats, how they operate, and how businesses can defend against them.
1. Lumma Stealer
Lumma Stealer is an information-stealing malware designed to harvest sensitive data, including login credentials, browser cookies, cryptocurrency wallets, and payment information. Known for its efficiency, it targets individuals and businesses, often resulting in compromised systems and large-scale data breaches.
In 2024, Lumma Stealer was at the center of several high-profile attacks. One notable campaign involved the use of fake CAPTCHA verification pages that lured users into downloading malicious payloads disguised as legitimate files. Another significant method included embedding Lumma in archives shared via comments on public code repositories like GitHub, further amplifying its reach.
Lumma Stealer has a wide range of distribution methods, making it a convenient and highly effective tool for attackers. It can spread through phishing emails, public code repositories, software cracks, and even drive-by downloads.
Lumma Stealer Sample
One of its most common distribution methods involves file-hosting platforms like MEGA. Employees, unaware of the risks, may download files from these platforms, infecting their systems and potentially compromising entire corporate networks.
For instance, in this ANY.RUN sandbox analysis session, we can watch inside a virtual machine as a victim downloads a malicious file from the MEGA platform.
Unaware of the danger, the victim has taken a simple action that paves the way for Lumma Stealer to infiltrate the system and begin harvesting sensitive data.
In the mentioned analysis session, the MITRE ATT&CK Matrix framework highlights the techniques and tactics employed for credential access.
These include the extraction of personal data and credentials from web browsers.
2. Agent Tesla
The second most popular malware that impacted businesses in 2024 was Agent Tesla, a well-known remote access Trojan (RAT) and keylogger. This malware specializes in stealing sensitive information such as login credentials, keystrokes, and clipboard data, making it a potent tool for cybercriminals targeting businesses.
Here are some of the major campaigns of 2024 with Agent Tesla:
- Phishing campaigns: Targeted organizations in the U.S. and Australia using emails disguised as purchase orders or delivery notifications.
- Financial sector attacks: Spear-phishing campaigns stole banking credentials and financial data.
- Travel industry exploitation: Fake hotel reservation emails carried Agent Tesla in poisoned PDF files.
Agent Tesla is distributed through phishing emails containing malicious attachments like Word or Excel documents, ZIP files, or PDFs. Attackers often disguise these emails as invoices, purchase orders, or shipping notifications to trick victims into opening the payload. Additionally, it can be delivered through compromised websites, malvertising campaigns, and exploit kits targeting software vulnerabilities.
Agent Tesla Sample
As we’ve mentioned above, one of the most popular ways Agent Tesla is distributed is through phishing emails. These campaigns often target companies by sending emails with malicious attachments.
In this ANY.RUN analysis session, we see a phishing email sent to an employee, requesting them to review an attached file and confirm bank payment details to proceed.
The attachment, disguised as a fake invoice, tricks the victim into opening it.
Once opened, Agent Tesla is executed on the computer, initiating its malicious actions and compromising the system.
3. AsyncRAT
The third most popular malware affecting businesses in 2024 was AsyncRAT, a remote access Trojan (RAT) that provides attackers with extensive control over infected systems.
With features like keylogging, data exfiltration, and remote command execution, AsyncRAT has become a go-to tool for cybercriminals targeting businesses. Its open-source availability and ease of customization make it especially appealing to attackers.
Major campaigns of AsyncRAT in 2024
- Prolonged targeted attacks: Over an 11-month period, a campaign targeted key U.S. infrastructure employees using phishing emails that distributed AsyncRAT. Attackers employed over 300 unique samples and more than 100 domains to evade detection.
- Bitbucket abuse: Cybercriminals leveraged Bitbucket, a legitimate code hosting platform, to host and distribute AsyncRAT payloads. This approach exploited the platform’s legitimacy to bypass security measures and deliver malware to victims.
AsyncRAT targeted businesses through phishing emails containing malicious attachments, such as Word documents, ZIP files, or PDFs. Attackers also used legitimate platforms like Bitbucket to host and distribute AsyncRAT payloads. In addition, malvertising campaigns redirected users to compromised websites, where the malware was downloaded silently.
AsyncRAT Sample
In the analysis session, attackers distribute AsyncRAT through a malicious file. Once the victim downloads and opens the file, the AsyncRAT malware is executed, initiating its attack on the computer.
This allows attackers to gain remote access, steal data, and execute commands on the infected system.
Strengthen Your Business with Real-Time Threat Analysis
Cyber threats like Lumma, Agent Tesla, and AsyncRAT exploit common vulnerabilities, often slipping past traditional defenses. Businesses face delays in detection, which can lead to data breaches, financial loss, and compromised networks.
ANY.RUN’s interactive sandbox helps businesses address these challenges by offering real-time malware analysis. This proactive tool allows you to observe threats as they happen, understand their behavior, and act quickly to neutralize them, before it’s too late.
Sign up for a 14-day free trial and discover how ANY.RUN equips your team to outpace emerging threats with real-time insights and proactive defense tools.