Published: January 06, 2024 in our Security Fraud News & Alerts Newsletter.
Malware loaders are among the most challenging security problems to deal with. They are also among the most common tools threat actors use to gain initial access to a network: once a loader is running on one machine, it can fetch and run other kinds of malware, such as trojans, ransomware, viruses, or worms. Unfortunately, a defense that stops one loader might not stop another, even when the malware they end up delivering is the same. This makes them a major headache for IT departments and for you.
Researchers at ReliaQuest, a managed security provider, found that 80% of the cybersecurity incidents they tracked in the first seven months of 2023 involved just three malware loaders: QakBot, Raspberry Robin, and SocGholish. What is known about these top three?
1. QakBot started as a banking trojan and has evolved over the years to add more functionality. Beyond getting into a network, it can:
Enable remote execution
Spread payloads
Aid lateral movement
Steal data
QakBot has been linked to the Black Basta ransomware group. Once it is running on a target system, it can steal data, keep the attackers in control of the compromised device, or open the door to further attacks by other crews. Its infrastructure was disrupted by an international law-enforcement operation in August 2023, but the techniques it relies on are still in use, so the precautions below still matter.
2. SocGholish is a JavaScript-based loader that targets Windows users. It spreads via drive-by downloads on compromised websites, usually by showing visitors a fake browser, Adobe Flash, or Microsoft Teams update prompt. The compromised site can be a perfectly ordinary one you landed on by accident; the infection begins when you accept the "update" and run the script file it drops.
SocGholish is linked to the Russia-based "Evil Corp," which mainly targets U.S. industries such as retail, legal services, and food services and accommodation. One infected workstation gives its operators a foothold from which they can spread across an entire network or domain, and the group launched numerous watering-hole attacks in 2023.
3. Raspberry Robin is an elusive loader that also targets Windows users. It typically spreads via infected USB devices, counting on someone to open a file on the drive. It uses several techniques to hide and persist, including code injection and creating scheduled tasks.
Raspberry Robin has been used to deliver ransomware and other malware including LockBit, Cl0p, FlawedGrace, and Truebot, as well as the Cobalt Strike tool. Its operators targeted government, telecommunications, financial, and manufacturing organizations in 2023.
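For readers who manage Windows machines, the following is an added example of a quick, read-only check for the two habits described above: the fake-update script lure SocGholish relies on, and the scheduled-task persistence Raspberry Robin uses. It is our illustration, not code from the newsletter or from any researcher cited here. It assumes that dropped payloads usually live under a user profile or a world-writable folder, and that tasks under the \Microsoft\ task folder can be ignored as noise; both lists are our choices and should be tuned for your environment.

```powershell
# Added example (not from the newsletter): read-only triage of one Windows host
# for a fake-update ".js" lure (Windows Script Host) and for loaders that persist
# through scheduled tasks. Run from an elevated PowerShell prompt.
#
# Assumptions (ours, not the article's): payloads dropped by a lure usually live
# under a user profile or a world-writable folder, and tasks under \Microsoft\
# are treated as noise. Tune both for your site.

$userWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    'C:\ProgramData', 'C:\Users\Public'
)
# Script hosts and living-off-the-land binaries that a non-Microsoft task
# rarely has a legitimate reason to launch.
$scriptHostPattern = 'wscript|cscript|mshta|rundll32|regsvr32|powershell|cmd\.exe'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                # Execute is the program; Arguments is what it is handed.
                $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
                $fromUserPath = $false
                foreach ($root in $userWritableRoots) {
                    if ($root -and $cmd -like "*$root*") { $fromUserPath = $true }
                }
                if ($fromUserPath -or $cmd -match $scriptHostPattern) {
                    [pscustomobject]@{
                        TaskPath = $task.TaskPath
                        TaskName = $task.TaskName
                        Author   = $task.Author
                        State    = $task.State
                        Command  = $cmd
                    }
                }
            }
        }
}

function Get-ScriptFileHandler {
    # What runs when someone double-clicks a .js or .jse file? By default it is
    # the Windows Script Host, which is exactly what a fake "Update.js" needs.
    foreach ($ext in '.js', '.jse') {
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                        -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty `
                -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $command }
    }
}

"== Scheduled tasks worth a second look =="
Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap

"== Handlers for double-clicked script files =="
Get-ScriptFileHandler | Format-Table -AutoSize -Wrap
```

Expect some legitimate hits in the task list (backup agents and updaters often run PowerShell or live under ProgramData); the point is to read the Author and Command columns and recognize what you did not install. If nobody in your environment double-clicks script files on purpose, re-pointing .js and .jse at Notepad (for example "cmd /c assoc .js=txtfile" from an elevated prompt, or the equivalent through Group Policy) turns the lure into a harmless text window. Re-run the handler check afterwards, since a per-user association can still override the machine-wide one.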
For loaders like QakBot, a phishing email is still the typical way in. So always take a minute to make sure you are not setting anything loose on your device or network: check for typos and grammatical errors, and don't click links or open attachments you weren't expecting. Because some loaders start from nothing more than a visit to a compromised web page, also make sure the address you type into your browser's address bar is correct, and treat any unexpected "update" prompt from a website as a red flag; real browser and Teams updates don't arrive as downloads from random sites.
And never plug in a USB stick you can't vouch for, and don't leave your devices unattended or unlocked when you step away. It only takes a few seconds for someone to put malware on them.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at advisor@nadicent.com