Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year

Three malware loaders — QBot, SocGholish, and Raspberry Robin — are responsible for 80 percent of observed attacks on computers and networks so far this year.

Security shop ReliaQuest reported on Friday the top nasties that should be detected and blocked by IT defenses are QBot (also known as QakBot, QuackBot, and Pinkslipbot), the most observed loader between January 1 and July 31, responsible for 30 percent of the intrusion attempts recorded. SocGholish came in second at 27 percent, and Raspberry Robin claimed 23 percent. The other seven loaders in the lineup lag far behind the three leaders: Gootloader with 3 percent, and Guloader, Chromeloader, and Ursnif with 2 percent.

As the name suggests, loaders are an intermediary stage of a malware infection. The loader is run on a victim's computer by, for example, a miscreant exploiting some vulnerability or simply sending a mark an email with a malicious attachment to open. When the loader is running, it usually secures its foothold in the system, taking steps to maintain persistence, and fetches the main malware payload to execute, which could be ransomware or a backdoor or some such.

This gives crews some flexibility post-intrusion, and also helps hide the eventual software nasty that is deployed on a machine. Being able to spot and stop a loader could stop a significant malware infection in its tracks within your organization.

These loaders are migraine-inducing for security teams, however, because as ReliaQuest pointed out, "mitigation for one loader may not work for another, even if it loads the same malware."

According to the analysis, QBot, which ReliaQuest describes as "the agile one," is the 16-year-old banking trojan that has since evolved to deliver ransomware, steal sensitive data, enable lateral movement through organizations' environments, and deploy remote code execution software.

In June, Lumen's Black Lotus Labs threat intelligence group discovered the loader using new malware delivery methods and command-and-control infrastructure, with a quarter of those used being active for just a day. This evolution was likely in response to Microsoft's move last year to block internet-sourced macros by default for Office users, according to security researchers.

"QakBot's agility was evident in its operators' response to Microsoft's Mark of the Web (MOTW): they changed delivery tactics, opting to use HTML smuggling," ReliaQuest said. "In other instances, QakBot operators have experimented with file types for their payloads, to evade mitigation measures."

This includes using malicious OneNote files in their phishing emails, as was the case in a February 2023 campaign targeting US organizations.  

Don't trust that download

Number two loader, SocGholish, is a JavaScript-based chunk of code that targets Windows. It has been linked to Russia's Evil Corp and initial access broker Exotic Lily, which breaks into corporate networks and then sells that access to other criminals. 

SocGholish is generally deployed via drive-by compromise and social engineering campaigns, posing as a fake update that, when downloaded, drops the malicious code on the victim's device. At one point, Exotic Lily was sending upwards of 5,000 emails a day to some 650 targeted global organizations, according to Google's Threat Analysis Group.

Last fall, a criminal group tracked as TA569 compromised more than 250 US newspaper websites and then used that access to serve SocGholish malware to the publications' readers via malicious JavaScript-powered ads and videos.

More recently, in the first half of 2023, ReliaQuest tracked SocGholish operators carrying out "aggressive watering hole attacks." 

"They compromised and infected websites of large organizations engaged in common business operations with lucrative potential," the threat researchers said. "Unsuspecting visitors inevitably downloaded the SocGholish payload, leading to widespread infections."

Early bird gets the (Windows) worm

Rounding out the top three is Raspberry Robin, which also targets Windows systems and has evolved from a worm that spreads via USB drives.

These infected USBs contain malicious .lnk files that, when executed, communicates with the command-and-control server, established persistence, and executes additional malware on the infected device — increasingly ransomware.

• Qbot malware adapts to live another day … and another …
• This Windows worm evolved into slinging ransomware. Here's how to detect it
• FBI: Who was going around hijacking Barracuda email boxes? China, probably
• Criminals go full Viking on CloudNordic, wipe all servers and customer data

Raspberry Robin has also been used to deliver both Clop and LockBit ransomware, as well as TrueBot data-stealing malware, Flawed Grace remote access trojan, and Cobalt Strike to gain access into victims' environments.

It's linked to Evil Corp and another Russian crime gang, Whisper Spider. And during the first half of 2023, it has been used in attacks against financial institutions, telecommunications, government, and manufacturing organizations, primarily in Europe but also in the US.

"Based on recent trends, it's highly likely that these loaders will continue to pose a threat to organizations in the mid-term future (3–6 months) and beyond," the researchers wrote.

"In the remainder of 2023, we can anticipate other developments in these loaders — whether in response to organizational mitigation or through collaboration among threat actors." ®