80% of attacks use only three malware loaders

Three malware loaders, QakBot, SocGholish and Raspberry Robin, wreak havoc in 80 percent of incidents, according to threat researchers at IT security firm ReliaQuest.

Malware loaders are used as vehicles to deliver and execute other forms of malware, such as ransomware, viruses, trojans, or worms. They are one of the most common tools attackers use to deliver payloads during the initial stages of a cyber attack.

ReliaQuest researchers looked at the most common variants in customer environments and found that just three malware loaders were responsible for the majority of incidents since the beginning of the year.

Malware loaders are tricky for cybersecurity teams because even if the same malware is loaded, mitigations for one loader may not work for another.

Just because a malware loader was detected, it does not mean that the target network was compromised; in most of the cases observed, the malware loader was detected and stopped early in the kill chain. But it is crucial not to ignore any loader threat, especially the three most popular ones.

But what do we know about the main culprits, QakBot (QBot, QuackBot, Pinkslipbot), SocGholish, and Raspberry Robin?

Based on recent trends, it is likely that these loaders will continue to pose a threat to organizations.

QakBot is changing fast

QakBot, associated with the Black Basta ransomware group, was originally designed as a banking Trojan and has since been upgraded with new features into general-purpose, widely used malware.

QakBot is used to gain initial access to a target's network; it also delivers remote-access payloads, steals sensitive data, and facilitates lateral movement and remote code execution.

Typically, QakBot is delivered via phishing emails that provide recipients with customized lures such as work orders, urgent requests, invoices, file attachments, or hyperlinks. The payload is downloaded as a PDF, HTML or OneNote file.

QakBot then uses WSF, JavaScript, Batch, HTA or LNK files which, when executed, typically establish persistence via a scheduled task or registry run key.

QakBot operators are resourceful and able to respond quickly or change their delivery strategies. This malware is an ever-evolving and persistent threat designed to opportunistically target any industry or region.

SocGholish: one user can affect the whole system

SocGholish, also known as FakeUpdates, masquerades as legitimate software updates. This JavaScript malware loader targets Microsoft Windows-based environments and is delivered via a drive-by attack (downloaded without user interaction).

Visitors to the extensive network of infected websites are tricked into downloading 'updates', often lured by prompts claiming their browser is outdated or by fake updates for Microsoft Teams and Adobe Flash.

SocGholish is linked to Evil Corp, a Russia-based financially motivated cybercriminal organization. Typical targets are accommodation and food services, retail trade and legal services, primarily in the United States.

SocGholish is also associated with Exotic Lily, an initial access broker that conducts highly sophisticated phishing campaigns to gain initial access and sell it to ransomware groups or other threat actors.

SocGholish operators use convincing social engineering tactics, and awareness is critical to minimizing this threat.

Its vast malware distribution network operates on infected websites and social engineering; as little as four user clicks can affect an entire computer system domain or network within days.

Raspberry Robin, an all-rounder

Associated with various powerful malicious groups, including Evil Corp and Silence (Whisper Spider), Raspberry Robin is a highly elusive worm loader that targets Microsoft Windows environments.

After the initial infection via a malicious USB device, the worm's propagation capabilities come into play when cmd.exe runs from the infected USB drive and executes a LNK file.

The LNK file contains commands that trigger a native Windows process, such as msiexec.exe, to initiate an outbound connection to download the Raspberry Robin DLL.

In addition to the Cobalt Strike tool, Raspberry Robin has been used to spread several ransomware and other malware variants, such as "Cl0p," "LockBit," "TrueBot," and "Flawed Grace."

In 2023, Raspberry Robin operators are targeting financial institutions, telecommunications, government and manufacturing organizations.

Raspberry Robin is a very useful addition to a threat actor's arsenal, helping to establish an initial network foothold and deliver multiple forms of payload.

How to defend against malware loaders?

There are several steps that can help minimize the threat of malware loaders. Here are ReliaQuest's recommendations:

Configure a GPO (Group Policy Object) to change the default execution engine for JS files from Wscript to Notepad, and any other script files you see fit. This will prevent these files from executing on the host.

Block inbound email with file extensions commonly used for malware delivery.

Limit arbitrary connections from corporate assets to the Internet through firewall or proxy configurations to minimize malware and C2 activity.

Limit the use of remote access software unless it is absolutely necessary for the work at hand; otherwise, increase monitoring to detect abuse. Cybercriminals, especially initial access brokers (IABs) and ransomware operators, love to use this software to gain and maintain access to networks.

Disable ISO mounting; ISO files are an increasingly reliable way for attackers to bypass antivirus or endpoint detection tools.

Implement USB access control and GPOs to prevent autorun command execution. If business conditions permit, consider disabling any removable media access.

Train employees to recognize social engineering tactics used on the web and open appropriate channels for them to report suspicious emails or other activity.
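As an added illustration of two of the recommendations above (the script-engine change and the autorun block), the following PowerShell audits, and with -Enforce applies, the registry values on a single host. It is example code written for this page, not ReliaQuest's; the ProgID list, the notepad command string and the HKLM policy path are assumptions about a default Windows install, and in production the same values would be deployed through a GPO rather than run by hand.

```powershell
# Added example (not from the article or ReliaQuest). Run elevated.
# Audits two loader mitigations and optionally enforces them locally;
# a GPO / Group Policy Preferences registry item would set the same values fleet-wide.
param([switch]$Enforce)

# Assumed target: open script files in Notepad instead of WScript.exe.
$notepad = '"%SystemRoot%\system32\notepad.exe" "%1"'
# ProgIDs that Windows Script Host handles by default; extend as you see fit.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$results = @()

foreach ($progId in $scriptProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $ok = ($current -eq $notepad)
    if (-not $ok -and $Enforce) {
        # Writing through HKCR lands in HKLM\SOFTWARE\Classes, the machine-wide association.
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
        $ok = $true
    }
    $results += [pscustomobject]@{ Check = "$progId open verb"; Compliant = $ok; Value = $current }
}

# Disable Autorun/AutoPlay for every drive type (0xFF), so inserting a USB drive runs nothing.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$ok = ($autorun -eq 0xFF)
if (-not $ok -and $Enforce) {
    New-Item -Path $polKey -Force | Out-Null
    Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    $ok = $true
}
$results += [pscustomobject]@{ Check = 'NoDriveTypeAutoRun'; Compliant = $ok; Value = $autorun }

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled compliance job flag drift from the GPO baseline.
if ($results.Compliant -contains $false) { exit 1 }
```

Note that redirecting the open verb only stops double-click execution; a user or script can still run a file explicitly with wscript.exe or cscript.exe, so pair this with the email and proxy controls above.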


Reprinted from: blog.csdn.net/qq_29607687/article/details/132515931