Understanding the Malicious Infrastructure of Threat Actors in


Recorded Future’s 2020 Malicious Infrastructure report provides critical insights into the evolving tactics of threat actors. Below is a breakdown of key findings and actionable intelligence for defenders and CTI professionals.

Key Findings from the Report

  • MaaS Infostealers led infections in 2024, with LummaC2 dominating C2 servers.
  • AsyncRAT and Quasar RAT remained the top remote access tools.
  • Android was the primary target for mobile malware.
  • Cobalt Strike accounted for two-thirds of offensive security tool C2 infrastructure.
  • Mozi Botnet was the largest tracked botnet in 2024.
  • Latrodectus dominated droppers and loaders.
  • The US and China led in malicious hosting, while bulletproof providers like Stark Industries grew in prominence.
  • Chinese state-sponsored groups expanded their use of anonymization networks (e.g., Tor, I2P).
  • Russian state-sponsored groups increasingly abused Ngrok, Cloudflare, and Telegram for evasion.

You Should Know: Practical Defensive Measures

1. Detecting & Blocking Infostealers (LummaC2, AsyncRAT, QuasarRAT)

  • YARA Rules for Detection:
    rule LummaC2_Infostealer {
        meta:
            description = "Detects LummaC2 C2 communication"
        strings:
            // the domain was written defanged as lummac2[.]xyz; a YARA string
            // must carry the literal form or the rule never matches
            $c2_url = "lummac2.xyz" nocase
            // "/gate.php" is a common path and will also hit unrelated files,
            // so tighten the condition before deploying this at scale
            $api_call = "/gate.php" nocase
        condition:
            any of them
    }

  • Network Monitoring (Suricata/Snort):
    alert tcp any any -> any any (msg:"AsyncRAT C2 Beacon"; content:"|0A|check|00|"; sid:1000001; rev:1;)


2. Mitigating Cobalt Strike & Botnets (Mozi)

  • Block Known C2 IPs:
    iptables -A INPUT -s 45.155.205.0/24 -j DROP

  • Honeypot Traps:
    Use Cowrie as an SSH honeypot (the container listens on 2222, so keep the real SSH service elsewhere):
    docker run -p 2222:2222 cowrie/cowrie


3. Countering Bulletproof Hosting & Anonymization

  • Block Bulletproof ASNs:
    ipset matches prefixes, not AS numbers, so first resolve the provider's ASN to its announced prefixes (from BGP or whois data) and add each one; 192.0.2.0/24 below is a placeholder, not a real bulletproof range.
    ipset create bulletproof_ASNs hash:net
    ipset add bulletproof_ASNs 192.0.2.0/24
    iptables -A INPUT -m set --match-set bulletproof_ASNs src -j DROP

  • Detect Ngrok/Cloudflare Abuse:
    http.host is only visible in cleartext HTTP; for TLS sessions match the SNI instead. Hits on cloudflare.com need triage, since many legitimate sites sit behind Cloudflare.
    tshark -r traffic.pcap -Y "http.host contains ngrok.io || http.host contains cloudflare.com || tls.handshake.extensions_server_name contains ngrok.io"


4. Analyzing Mobile Malware (Android Focus)

  • APK Static Analysis:
    apktool d malware.apk        # decodes into ./malware/
    grep -rE "https?://" malware/   # match https as well, not only cleartext URLs


5. Russian & Chinese APT Evasion Tactics

  • Tor Exit Node Blocking:
    # the dots must be escaped: an unescaped '.' also matches the date stamps in the list,
    # and iptables then rejects those tokens; the list repeats addresses, so de-duplicate
    curl -s https://check.torproject.org/exit-addresses | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u | xargs -I {} sudo iptables -A INPUT -s {} -j DROP
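The exit-addresses file fetched above is in the TorDNSEL format (ExitNode, Published, LastStatus and ExitAddress records). As an added example, not code from the post or from Recorded Future, this Python script parses only the ExitAddress records, validates each address, and emits one ipset-backed rule instead of one iptables rule per address; it also reproduces the unescaped grep to show why it picks up date stamps. The sample list and the set name are constructed.

```python
"""Parse the TorDNSEL exit-addresses list into a de-duplicated block set."""
import ipaddress
import re

# Constructed sample in the format served at
# https://check.torproject.org/exit-addresses (fingerprints and IPs invented)
SAMPLE_EXIT_ADDRESSES = """\
ExitNode 0011223344556677889900AABBCCDDEEFF001122
Published 2024-05-01 10:15:00
LastStatus 2024-05-01 11:00:00
ExitAddress 198.51.100.7 2024-05-01 10:59:30
ExitNode AABBCCDDEEFF00112233445566778899AABBCCDD
Published 2024-05-01 09:40:00
LastStatus 2024-05-01 11:00:00
ExitAddress 203.0.113.9 2024-05-01 10:58:01
ExitAddress 198.51.100.7 2024-05-01 10:57:55
"""


def parse_exit_addresses(text):
    """Return the sorted, de-duplicated list of valid IPv4 exit addresses.

    Only 'ExitAddress' records are used; the timestamps on the other
    records are never touched, so no date fragment can leak into the set.
    """
    ips = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "ExitAddress":
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(fields[1])))
        except ipaddress.AddressValueError:
            continue  # malformed record: skip it rather than feed it to iptables
    return sorted(ips, key=ipaddress.IPv4Address)


def naive_grep(text):
    """Reproduce the page's grep -Eo pattern with unescaped dots (for comparison)."""
    return re.findall(r"[0-9]+.[0-9]+.[0-9]+.[0-9]+", text)


def ipset_commands(ips, set_name="tor_exits"):
    """Build one ipset plus a single iptables rule that references it."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in ips]
    cmds.append(f"iptables -A INPUT -m set --match-set {set_name} src -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in ipset_commands(parse_exit_addresses(SAMPLE_EXIT_ADDRESSES)):
        print(cmd)
```

Exit lists change continuously, so run this from a scheduled job and recreate the set each time rather than appending forever.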
    

What Undercode Says

The 2024 threat landscape underscores the need for proactive defense strategies:
– Network segmentation to limit lateral movement.
– Threat intelligence integration (e.g., MISP, AlienVault).
– Behavioral detection (e.g., Sigma rules, EDR).
– Regular IoC updates (e.g., OTX Pulse, Recorded Future).

Expected Output:

[+] Blocked 5 Cobalt Strike C2 IPs via iptables. 
[+] Detected AsyncRAT beacon in pcap analysis. 
[+] Identified 3 malicious APKs targeting Android. 

Reported By: Mthomasson Recorded – Hackers Feeds