Three malware loaders, QBot, SocGholish, and Raspberry Robin, are responsible for 80% of the observed computer and network attacks so far this year.
Security shop ReliaQuest said Friday that QBot (also known as QakBot, QuackBot and Pinkslipbot) was the most frequently observed loader from January 1 to July 31, accounting for 30% of the intrusion attempts its defenses detected and blocked. SocGholish was second at 27% and Raspberry Robin third at 23%. The seven other loaders in the lineup trailed well behind the three leaders: Gootloader at 3%, and Guloader, Chromeloader and Ursnif at 2% each.
As the name suggests, a loader is an intermediate stage of a malware infection. A loader is executed on a victim's computer, for example, by a miscreant exploiting some vulnerability or by tricking the target into opening a malicious email attachment. Once running, the loader typically gains a foothold on the system, takes steps to maintain persistence, and retrieves the main malware payload (which could be ransomware, a backdoor, and so on) to execute.
This gives intruders some flexibility after the initial breach and also helps conceal the final payload deployed on the machine. Identifying and stopping loaders can therefore head off serious malware infections in your organization.
However, these loaders are a headache for security teams. As ReliaQuest pointed out: "Mitigations for one loader may not work for another, even when loading the same malware."
QBot, described by ReliaQuest as an "agile Trojan," is a 16-year-old banking Trojan that, according to the analysis, has evolved to deliver ransomware, steal sensitive data, enable lateral movement within an organization's environment, and execute code remotely.
In June, Lumen's Black Lotus Labs threat intelligence group found the loader using a new malware distribution method and fresh command-and-control infrastructure; a quarter of the command-and-control servers it used were active for only one day. Security researchers say this evolution likely corresponds to Microsoft's move last year to block, by default, macros obtained from the internet for Office users.
“QakBot’s agility is also evident in the operator’s response to Microsoft’s Mark of the Web (MOTW), where they changed their delivery tactics and opted to take advantage of HTML smuggling,” said ReliaQuest. “In other instances, QakBot operators experimented with payload file types to evade mitigations.”
This includes using malicious OneNote files attached to phishing emails, as in the February 2023 campaign targeting US organizations.
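As an added illustration (not part of ReliaQuest's report or this article), here is a PowerShell check a defender can run on a Windows host with NTFS volumes: it lists recently written files in a user's download folder that belong to file types the loaders above have abused (LNK, OneNote, script files, disk images) and that either carry no Mark of the Web at all, the tell-tale of HTML smuggling or container extraction, or are marked as coming from the internet zone. The folder path, the age window and the extension list are assumptions.

```powershell
# Added example: hunt for downloaded files that lack the Mark of the Web (MOTW).
# A file saved by a browser normally carries a Zone.Identifier alternate data
# stream with ZoneId=3 (Internet). HTML-smuggled or archive-extracted files often
# do not, which is the gap QakBot operators exploited to sidestep MOTW checks.
function Find-SuspiciousDownloads {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),   # assumed folder
        [int]$MaxAgeDays = 7,                                       # assumed window
        [string[]]$RiskyExt = @('.lnk', '.one', '.js', '.jse', '.wsf', '.iso', '.img', '.vhd')
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $zone = $null
            # Read the Zone.Identifier stream if present; absence means no MOTW.
            $ads = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if ($ads) {
                $line = $ads | Where-Object { $_ -match '^ZoneId=(\d)' } | Select-Object -First 1
                if ($line -match '^ZoneId=(\d)') { $zone = [int]$Matches[1] }
            }
            $risky = $RiskyExt -contains $_.Extension.ToLower()
            # Report risky file types that have no MOTW, or that are marked Internet zone.
            if ($risky -and ($null -eq $zone -or $zone -eq 3)) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Written = $_.LastWriteTime
                    ZoneId  = if ($null -eq $zone) { 'none (MOTW missing)' } else { $zone }
                }
            }
        }
}

# Usage: Find-SuspiciousDownloads | Format-Table -AutoSize
```

Files reported with "MOTW missing" deserve a closer look, since Office and SmartScreen protections keyed to the zone will not fire for them.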
Don't trust that download
The second loader, SocGholish, is a JavaScript-based loader targeting Windows. It has been linked to the Russian Evil Corp crew, which infiltrates corporate networks and sells access to other criminals, and to the initial access broker Exotic Lily.
SocGholish is typically deployed through drive-by compromises and social engineering campaigns, masquerading as fake updates that, once downloaded, drop malicious code onto the victim’s device. At one point, Exotic Lily was sending more than 5,000 emails per day to nearly 650 targeted organizations worldwide, according to Google’s Threat Analysis Group.
Last fall, a criminal group tracked as TA569 compromised more than 250 US newspaper websites and used that access to serve SocGholish to readers via ads and videos carrying malicious JavaScript.
Most recently, in early 2023, ReliaQuest tracked a SocGholish operator conducting an “aggressive watering hole attack.”
“They compromised and infected the websites of large organizations engaged in general business operations that could be profitable,” threat researchers said. “Unsuspecting visitors inevitably downloaded the SocGholish payload, causing widespread infection.”
The early (Windows) bird gets the worm
Rounding out the top three is Raspberry Robin. It also targets Windows systems and evolved from a worm that spreads via USB drives.
These infected USBs contain a malicious .lnk file that, when executed, communicates with a command-and-control server, establishes persistence, and launches additional malware, such as ransomware, on the infected device.
Raspberry Robin has also been used to deliver both Clop and LockBit ransomware, as well as the TrueBot data-stealing malware, the FlawedGrace remote access Trojan, and Cobalt Strike to gain access to the victim's environment.
It is associated with Evil Corp and another Russian criminal organization, Whisper Spider. In the first half of 2023, it was used to attack financial institutions, telecoms, governments, and manufacturing organizations, primarily in Europe but also in the United States.
“Based on recent trends, these loaders are very likely to continue to pose a threat to organizations in the medium-term future (3-6 months) and beyond,” the researchers wrote.
“For the remainder of 2023, we anticipate other developments of these loaders, either in response to coordinated mitigations or through collaboration among threat actors.” ®