3 Malware Loaders are Responsible for 80% of Attacks, ReliaQuest Says – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

About 80% of the cybersecurity incidents tracked by ReliaQuest during the first seven months of the year involved only three malware loaders.

According to the managed security provider, the QakBot loader – also known as QBot, QuackBot, and Pinkslipbot – accounted for 30% of the attacks, followed by SocGholish (at 27%) and Raspberry Robin (23%).

ReliaQuest’s Threat Intelligence Team wrote in a report that simply detecting a malware loader doesn’t mean it was able to compromise the targeted network.

“In the majority of cases we observed, the malware loader was detected and stopped early in the kill chain,” the unit wrote. “But it’s crucial to not look away from the car-crash threat of any loader, especially the three most popular.”

Trailing the top three are four other malware loaders – Gootloader, Chromeloader, Guloader, and Ursnif – detected by ReliaQuest between January 1 and July 31.

Threat groups use malware loaders to gain initial access into victims’ systems and networks, establish persistence, support other intrusion efforts, and drop next-stage malicious packages.

“They’re one of the most common tools for a cyber-threat actor to secure initial access to a network, then help drop payloads (remote-access software and post-exploitation tools are popular choices),” wrote ReliaQuest, which offers organizations its GreyMatter security operations platform.

Mike Aalto, co-founder and CEO of security firm Hoxhunt, said it isn’t surprising that bad actors are gravitating to a few malware loaders.

“Most email attacks are the product of phishing and malware kits purchased for peanuts off the dark web, so black hat tools with a proven track record and a cheap price tag will continue to dominate,” Aalto told Security Boulevard. “Recent advances in black hat generative AI, like FraudGPT, are still more pricey, more complicated, and more resource-intensive to use, so tools like malware loaders remain attractive for the scattershot mass-email-attack approach.”

However, he added that he’s surprised that Emotet, which he called “the undead king of malware,” didn’t make ReliaQuest’s list.

“We’ve seen that one get dismantled and reappear frequently over the past two years, and it’s been very effective and widely reported in breaches,” Aalto said.

Meet QakBot and SocGholish

QakBot, which started off as a banking trojan in 2007, is mostly associated with Black Basta, paving the way for the ransomware group to deliver its malware into systems compromised via phishing attacks. ReliaQuest in March detailed an attack by an affiliate of Black Basta – an offshoot of the notorious Conti group that also runs a ransomware-as-a-service (RaaS) operation – on an organization that began with QakBot being downloaded for initial access through a phishing email.

QakBot was able to go from initial access to lateral movement through the victim’s network in 77 minutes, moving quickly.

“QakBot is an evolving, persistent threat used to opportunistically target any industry or region,” the threat intelligence team wrote. “Their operators are capable and resourceful in adapting to change, and they’re likely to be here for the foreseeable future.”

ReliaQuest described SocGholish – also known as FakeUpdates – as a JavaScript-based loader linked to Evil Corp that targets systems running Windows and is delivered through drive-by compromise, which means it’s downloaded without any user interaction.

“Visitors to a wide network of compromised websites are tricked into downloading ‘updates,’ typically through outdated-browser prompts or other update lures for Microsoft Teams and Adobe Flash,” the company wrote.

It’s linked to Evil Corp, a long-running Russia-based cybercrime syndicate that has thrived despite efforts over several years by the U.S. government to shut it down through sanctions and bounties on its organizers.

SocGholish, which hit the scene in 2018, also has been linked to Exotic Lily, an initial access broker (IAB) that runs phishing campaigns to get initial access into victims’ systems and then sells the access to ransomware and other threat groups. The malware loader targets companies in the accommodation and food services, retail, and legal services sectors in the United States.

“In the first half of 2023, SocGholish’s operators conducted aggressive watering hole attacks,” the ReliaQuest team wrote. “They compromised and infected websites of large organizations engaged in common business operations with lucrative potential. Unsuspecting visitors inevitably downloaded the SocGholish payload, leading to widespread infections.”

Then Comes Raspberry Robin

Raspberry Robin, a onetime worm turned loader, also targets Windows environments and spreads its infections through malicious USB devices. The threat researchers called Raspberry Robin “highly elusive” with “exceptional propagation capabilities.”

It’s tied to a range of bad actors, including Evil Corp and Whisper Spider – also called Silence – which targets financial institutions in Eastern Europe, including Russia, Ukraine, Poland, Azerbaijan, and Kazakhstan. It’s also delivered ransomware such as Cl0p and LockBit, the TrueBot botnet, and the FlawedGrace remote access trojan (RAT).

“SocGholish’s operators used Raspberry Robin in the first quarter of 2023 when heavily targeting legal and financial services organizations,” the ReliaQuest team wrote. “This shows the increased collaboration between crime syndicates and operators of various types of malware.”

Hoxhunt’s Aalto noted that malware loaders have been evolving for years and the three listed by ReliaQuest “are versatile enough to deliver various types of malware, such as ransomware, banking trojans, remote access tools, and data stealers.”

They also can evade detection and mitigation by changing delivery methods, file types, encryption techniques, and command-and-control infrastructure and can also exploit vulnerabilities in popular software or trick users into downloading fake updates or opening malicious attachments, he said.

Original Post URL: https://securityboulevard.com/2023/08/3-malware-loaders-are-responsible-for-80-of-attacks-reliaquest-says/

Category & Tags: Cybersecurity, Data Security, Endpoint, Featured, Malware, Network Security, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Threats & Breaches, Ransomware
