Review of the malware landscape in 2022

Geopolitical tensions and the biggest war in Europe in decades have defined the malware landscape in 2022.

Recorded Future has been capturing global threat information from internet, dark web and technical sources for over a decade. The company combines this vast amount of data with artificial intelligence and human expertise to quickly detect threats and provide actionable insights to security professionals.

Toby Wilmington, Manager – Sales Engineering at Recorded Future, provided his analysis of the malware landscape in the first half of 2022 during a session at this year’s Cyber Security & Cloud Expo Europe.

“We’re starting to see the world become a reflection of the internet,” says Wilmington. “So influence operations, things that happen online, start to have a geopolitical or kinetic impact – bombs are dropped, for example.”

Recorded Future gets its data from reports from security vendors, communication platforms like Telegram and Discord, social media, etc.

With its dark web gathering capabilities, the company is able to see what threat actors are talking about to help the good guys stay ahead of the game. This information could include malware sold, ransoms demanded, and penetration testing tools used.

Additionally, Recorded Future brings network traffic analytics data to see who is affected by cyberattacks, what technologies are targeted, what infrastructure is used, and who it can be attributed to.

All of this data is collated in real time to provide a much more complete picture of the malware landscape than has traditionally been possible. As a result, cybersecurity can become much more proactive than reactive.

Wiper variants

Following Russia’s invasion of Ukraine, nine distinct wiper malware variants began circulating, designed to disrupt operations in the defending country.

According to Wilmington, the malware variants became increasingly simplistic over time, which “seemed to show that the hostile government had less time and fewer resources to develop malware against key geopolitical targets.”

Wilmington presents a timeline of Wiper variants used around conflicts:

“We see nation states wanting to isolate specific countries and shut down operations,” Wilmington adds.


Ransomware also continues to plague global security teams.

Conti is one of the most infamous forms of ransomware due to how quickly it encrypts data and spreads to other systems. In May 2021, the Conti ransomware attack on the Irish Health Service resulted in weeks of disruption with a projected cost of $100 million.

When Russia invaded Ukraine, the Conti Group announced its support for Russia. However, around 60,000 internal chat log messages were leaked by an anonymous person who indicated support for Ukraine, along with source code and other files used by the group.

In April this year, Conti ransomware was used against the government of Costa Rica in a five-day intrusion. On May 8, Costa Rica was forced to declare a national emergency as the intrusion had spread to several government agencies.

Wilmington claims the Conti attack on Costa Rica was carried out “as part of a disbandment that allowed individual members to support other ransomware gangs.”

Although Conti is making headlines, Wilmington says the most prolific operators are those behind the Lockbit 3.0 and Hive ransomware families.

Recorded Future has identified that ransomware group FIN7 created a fake cybersecurity firm called Bastion Secure to recruit IT specialists and deploy PoS exploit tools. Although the group is also considered Russian, Wilmington notes that such a tactic is often employed by North Korea.

Infostealers

Infostealers are a common type of malware in which Recorded Future has seen a “real rise” over the past few years. The information they steal is then resold on the dark web.

Wilmington points out that infostealers take a fingerprint of your browser; anything done in that window will then be captured, and people can buy it online.

“I can say, ‘If I buy this credential for $20, what does it give me access to? And does it also come with a session cookie so I can really jump around?’” says Wilmington.

According to Wilmington, Raccoon Stealer was one of the most popular infostealers this year. However, it “went on hiatus” in March 2022.

Threat actors then moved from Raccoon to Mars Stealer, MetaStealer, BlackGuard, RedLine, and Vidar. At the end of the first half of 2022, Raccoon Stealer 2.0 appeared and gained popularity again.

Wilmington goes on to show a chart of the top-ranked malware used in cyberattacks during the first half of 2022. Cobalt Strike takes the clear lead:


When it comes to vulnerabilities, unsurprisingly, Log4Shell – which is likely still causing many sleepless nights – was by far the most referenced vulnerability in the first half of 2022:

The Microsoft Follina vulnerability took second place, followed by ProxyShell to round out the top three vulnerabilities referenced. It should be noted that ProxyShell has been used by Conti affiliates to hack into Microsoft Exchange servers and compromise corporate networks.

Recorded Future applies risk scores to vulnerabilities based on their active exploitation in the wild, either based on open source reports or the company’s internal honeypot.

Wilmington notes that Windows is normally the most affected platform but, in the first half of 2022, the list was largely dominated by vulnerabilities affecting Linux:

“Generally, we see Microsoft at the very top in terms of vulnerabilities,” says Wilmington. “It’s quite interesting that Linux was the main focus at the start of this year.”

Recorded Future typically sees around 2-4 weeks between a vulnerability being discovered and its being weaponized. Early intelligence like that provided by Recorded Future can give the industry a sizable window to counter emerging threats before they cause damage.

Toby Wilmington was speaking at this year’s Cyber Security & Cloud Expo Europe.


Tags: cobalt strike, conti, cyber security, cyber security & cloud expo, cybersecurity, fin7, follina, infosec, infostealer, log4shell, malware, proxyshell, raccoon stealer, recorded future, toby wilmington, vulnerabilities, wiper
