Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Cyber Security Threat Summary:
Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

Security Officer Comments:
QakBot was the most prolific strain seen by the researchers, accounting for 30% of all intrusions. More concerningly, QakBot has been linked to the BlackBasta ransomware group, which has used it to target organizations in multiple sectors and industries. The malware, initially a banking trojan, has evolved into a powerful malware loader that can deploy additional payloads and steal sensitive information.

As with most of these strains, phishing emails are the primary delivery vector. Using tailored lures such as work orders, urgent requests, and invoices, victims are tricked into downloading the malware. While each malware family has its own post-exploitation techniques, QakBot typically relies on WSF, JavaScript, Batch, HTA, or LNK files to establish persistence via scheduled tasks or registry run keys.
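The persistence pattern described above (script files launched from scheduled tasks or Run keys) is something defenders can triage from an autostart export. The following is an added example, not part of the original summary or of ReliaQuest's tooling; the record format and the sample entries are constructed, and the host, extension and path lists are assumptions based on the file types the summary names.

```python
"""Triage Run-key values and scheduled-task actions for scripted persistence
of the kind the summary attributes to QakBot (WSF, JavaScript, Batch, HTA, LNK).
All records below are constructed for this example."""
import re
from typing import Optional

# File types the summary names as QakBot's persistence carriers.
SCRIPT_FILE = re.compile(r"\.(wsf|js|bat|cmd|hta|lnk)\b", re.I)
# Interpreters that execute those file types on Windows (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Locations a non-admin user can write to; many legitimate autostarts live
# here too, so this is only corroborating evidence, never a finding by itself.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

# Constructed sample: two Run-key values and two scheduled-task actions.
SAMPLE_RECORDS = [
    {"source": "HKCU Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": "HKCU Run", "name": "Updater",
     "command": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Upd\upd.wsf"'},
    {"source": "Scheduled Task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"source": "Scheduled Task", "name": r"\Sync",
     "command": r'cmd.exe /c start "" "C:\Users\Public\inv.hta"'},
]

def _executable(command: str) -> str:
    """Return the lower-cased basename of the program a command line launches."""
    command = command.strip()
    head = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_record(record: dict) -> Optional[dict]:
    """Return a finding for one autostart entry, or None if nothing stands out."""
    cmd = record["command"]
    reasons = []
    if _executable(cmd) in SCRIPT_HOSTS:
        reasons.append("script host")
    if SCRIPT_FILE.search(cmd):
        reasons.append("script file")
    if USER_WRITABLE.search(cmd):
        reasons.append("user-writable path")
    # A script file in an autostart is always worth a look; a script host or a
    # user-writable path alone is too common to act on, so require both.
    if "script file" in reasons or len(reasons) >= 2:
        return {"source": record["source"], "name": record["name"], "reasons": reasons}
    return None

def triage(records: list) -> list:
    """Return findings for every record that looks like scripted persistence."""
    return [f for f in (score_record(r) for r in records) if f]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"{finding['source']} / {finding['name']}: {', '.join(finding['reasons'])}")
```

On the sample, the legitimate OneDrive entry is not flagged even though it lives under AppData, while the WSF and HTA entries each trip all three checks.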

SocGholish was second to QakBot, at around 27% of total intrusions. This piece of malware is associated with Evil Corp, a financially motivated Russia-based cybercriminal group that has been active since 2007. Since around 2018, the researchers say, SocGholish has been used against US organizations in the food services industry, retail trade, and legal services.

SocGholish is a JavaScript-based loader that targets Microsoft Windows environments. The malware is often delivered via drive-by compromise of websites, without user interaction. Users are often tricked into downloading the malware via websites promoting fake updates for things like Microsoft Teams or Adobe Flash. Since 2021, SocGholish has also been linked to Exotic Lily, “an initial access broker (IAB) active since at least September 2021. The IAB conducts highly sophisticated phishing campaigns to gain initial access to organizations and sell it to other threat actors” (Info Security Magazine, 2023). In 2023, operators of the malware have been seen conducting aggressive watering hole attacks: they compromise the websites of large organizations and use them to carry out widespread malware distribution campaigns.

Raspberry Robin was used in 23% of intrusions and is tied to various groups including Evil Corp and Whisper Spider, a financially motivated threat actor targeting financial institutions in Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. Raspberry Robin has also been used by ransomware actors to deliver Cl0p, LockBit, TrueBot, and Flawed Grace. In many instances it was used to deploy Cobalt Strike, a common precursor to ransomware activity.

“Raspberry Robin is a highly elusive worm-turned-loader that targets Microsoft Windows environments. Its exceptional propagation capabilities kick in after initial infection via malicious USB devices, when cmd[.]exe runs and executes a LNK file on the infected USB” (Info Security Magazine, 2023). In 2023, Raspberry Robin has been used to target financial institutions, telecommunications, government, and manufacturing organizations, mainly in Europe, although the US has had its fair share of attacks. SocGholish’s operators used Raspberry Robin in the first quarter of 2023 when heavily targeting legal and financial services organizations.

Suggested Correction(s):

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Back up important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or IT staff immediately