TheCyberThrone

Top Malware Loaders evolving in Cyber Landscape


Researchers have uncovered a crop of malware loaders causing havoc for defenders. The top three loaders are QakBot (QBot), SocGholish, and Raspberry Robin; between them they accounted for 80% of the incidents observed.

Malware loaders are a tricky business for SOC teams. A mitigation that works for one loader may not work for another, even when both deliver the same final payload. Loaders are also one of the most common tools a threat actor uses to secure initial access to a network before dropping follow-on payloads.

QakBot was designed as a banking trojan, then upgraded with new capabilities. Other than permitting initial access to targeted networks, QakBot delivers other remote-access payloads, steals sensitive data, and helps lateral movement and remote code execution.

QakBot is most closely associated with the "Black Basta" ransomware group, which splintered off from the "Conti" ransomware syndicate. It is delivered through phishing campaigns.


SocGholish is a JavaScript-based loader that targets Microsoft Windows environments. It is delivered by drive-by compromise: visitors to a wide network of compromised websites are tricked into downloading fake "updates," typically through outdated-browser prompts or similar update lures for Microsoft Teams and Adobe Flash.

SocGholish has been linked to the notorious “Evil Corp,” presumed to be a Russia-based group waging financially motivated cybercrime since at least 2007. Common SocGholish targets are accommodation and food services, retail trade, and legal services, primarily in the US.

SocGholish is also linked to “Exotic Lily,” an initial access broker (IAB) active since at least September 2021. The IAB conducts highly sophisticated phishing campaigns to gain initial access to organizations and sell it to other threat actors, such as ransomware groups.


Raspberry Robin is a worm turned loader that targets Microsoft Windows environments. Initial infection comes via malicious USB devices: cmd.exe runs and executes an LNK file stored on the infected USB, after which the worm's exceptional propagation capabilities kick in.
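The two initial-access mechanisms described above, SocGholish's downloaded "update" script and Raspberry Robin's LNK file on a USB device, both leave a footprint in process-creation telemetry. The following is an added example, not code from the original article or from ReliaQuest, of two simple detection rules run over constructed Sysmon-style process-creation events. It assumes Windows is installed on C: (so any .lnk path on another drive letter is treated as a likely removable drive), that the lure script lands under a user's Downloads folder and is executed by wscript.exe or cscript.exe, and that the sample events, paths and file names are invented for illustration.

```python
"""Toy detection rules for the loader delivery patterns described in the article.

Added example: the events below are constructed, not real telemetry, and the
rules are deliberately narrow heuristics, not production signatures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal subset of Sysmon Event ID 1 (process creation) fields we key on."""
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DRIVE = "C"  # assumption: Windows lives on C:, other letters are "non-system"

# A .js/.jse file path under any user's Downloads folder (quoted or bare).
DOWNLOADED_SCRIPT = re.compile(
    r'[A-Za-z]:\\Users\\[^\\"]+\\Downloads\\[^"\s]+\.jse?\b', re.IGNORECASE
)
# Any .lnk path; group(1) captures the drive letter so the system drive can be excluded.
LNK_PATH = re.compile(r'\b([A-Za-z]):\\[^"\s]*\.lnk\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def socgholish_like(ev: ProcEvent) -> bool:
    """A Windows script host executing a .js/.jse that sits in a Downloads folder:
    what the fake 'browser update' lure looks like once the victim double-clicks it."""
    return (
        basename(ev.image) in SCRIPT_HOSTS
        and DOWNLOADED_SCRIPT.search(ev.command_line) is not None
    )


def raspberry_robin_like(ev: ProcEvent) -> bool:
    """cmd.exe given a .lnk argument that lives on a non-system drive letter,
    i.e. the LNK-on-USB execution the article describes (drive letter assumed)."""
    if basename(ev.image) != "cmd.exe":
        return False
    return any(
        m.group(1).upper() != SYSTEM_DRIVE
        for m in LNK_PATH.finditer(ev.command_line)
    )


RULES = {
    "socgholish_like": socgholish_like,
    "raspberry_robin_like": raspberry_robin_like,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events (hypothetical host names, users and file names).
SAMPLE_EVENTS = [
    # 0: fake "Chrome update" script run from Downloads via wscript.exe -> should fire
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\wscript.exe",
        r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"',
    ),
    # 1: cmd.exe handed an LNK on an assumed removable drive E: -> should fire
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\cmd.exe",
        r'C:\Windows\System32\cmd.exe /c "E:\USB_DRIVE.lnk"',
    ),
    # 2: ordinary cmd.exe usage with no LNK argument -> quiet
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c dir C:\Users",
    ),
    # 3: LNK on the system drive (a desktop shortcut) -> quiet, drive-letter exclusion
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\cmd.exe",
        r'C:\Windows\System32\cmd.exe /c "C:\Users\bob\Desktop\Notes.lnk"',
    ),
]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx].command_line}")
```

The point of the two negative cases is the caveat from the article: a mitigation tuned for one loader says nothing about another. The LNK rule would never see SocGholish, and the script-host rule would never see Raspberry Robin, so each delivery path needs its own detection, and in practice both rules would be enriched with the parent process and a check that the drive is actually removable rather than the drive-letter assumption used here.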

Raspberry Robin is tied to several highly capable malicious groups, including the aforementioned Evil Corp and "Silence" (aka Whisper Spider), a financially motivated threat actor that targets financial institutions in Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan.

Raspberry Robin has also been used to deliver multiple ransomware and other malware variants, such as “Clop,” “LockBit,” “TrueBot,” and “Flawed Grace,” in addition to the Cobalt Strike tool.

SocGholish's operators used Raspberry Robin in the first quarter of 2023 while heavily targeting legal and financial services organizations. This illustrates the growing collaboration between crime syndicates and the operators of different malware families.


Safety Checks

These findings were documented by researchers from ReliaQuest.
