
Cybercriminals Used Just Three Malware Loaders to Launch 80% of Attacks, Deets Inside

New research has revealed that attackers leveraged only three malware loaders to launch 80% of attacks in the first seven months of 2023. Tracked as QakBot (QBot), SocGholish, and Raspberry Robin, these malware loaders were used to deliver and execute a variety of ransomware, viruses, trojans, and worms.

Let’s break down the observations.

QakBot's agility is the key

Researchers note that QakBot operators change their delivery tactics quickly, which gives attackers the flexibility to target any industry or region. Among recent changes, QakBot operators expanded their C2 network with 15 new servers, most of which are used to communicate with victim hosts and download additional payloads, including Cobalt Strike and remote access tools such as Atera and NetSupport.

SocGholish launches watering hole attacks

In the first half of 2023, SocGholish operators were involved in watering hole attacks that compromised the websites of large organizations engaged in common business activities. Unsuspecting visitors were tricked through social engineering into downloading malicious payloads.

Raspberry Robin targets multiple sectors

Raspberry Robin has been used to deliver multiple ransomware such as Cl0p, LockBit, TrueBot, and FlawedGrace, in addition to Cobalt Strike. In the first half of the year, its operators were found targeting financial institutions, telecommunications, government, and manufacturing organizations, many located in Europe and some in the U.S.

Furthermore, researchers found that SocGholish operators used Raspberry Robin in the first quarter of 2023 when targeting legal and financial services. This points to increased collaboration between crime syndicates and the operators of different malware families.

More trending malware

Other top malware loaders that have been causing trouble for SOC teams this year include Gootloader, GuLoader, ChromeLoader, and Ursnif. Detection of these loaders does not necessarily mean a successful compromise; many were detected and stopped early in the kill chain.

Ending note

Organizations can take several steps to reduce the threat from malware loaders. One suggested mitigation is to scan inbound email and block messages carrying attachments with file extensions commonly used for malware delivery. Other approaches include limiting the use of remote access software to cases where it is genuinely required, and using firewall or proxy configurations to restrict company assets from connecting directly to the internet.
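As an added illustration of the first mitigation (this is example code, not from the article or from Cyware), the following Python check decides whether an inbound message should be held because of its attachments. The extension lists, the dictionary shape used to describe attachments and archive members, and the sample message are all assumptions constructed for the example.

```python
# Added example: inbound attachment policy check. Blocks file types commonly used
# to deliver loaders, looks inside archives, and fails closed when an archive
# cannot be inspected (for instance a password-protected one).

# Assumed blocklist; tune it to your own telemetry rather than copying it as-is.
BLOCKED_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "hta", "lnk", "iso", "img", "vhd", "vhdx",
    "one", "scr", "exe", "bat", "cmd", "ps1",
}
# Archives are not blocked outright; their members are inspected instead.
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar"}


def attachment_extensions(name: str) -> list[str]:
    """All suffixes, lower-cased, with trailing dots/spaces stripped as Windows
    does, so 'Invoice.PDF.js ' -> ['pdf', 'js'] and 'README' -> []."""
    parts = name.strip().lower().rstrip(". ").split(".")
    return parts[1:] if len(parts) > 1 else []


def block_reasons(att: dict, path: str = "") -> list[str]:
    """Return the reasons to block an attachment; an empty list means allowed.
    att = {"name": str, "members": [att, ...]} where 'members' is present only
    for archives that could be opened (assumed structure for this example)."""
    name = att["name"]
    full = f"{path}/{name}" if path else name
    exts = attachment_extensions(name)
    reasons = []
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"{full}: blocked extension .{exts[-1]}")
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        members = att.get("members")
        if members is None:  # could not be opened: fail closed
            reasons.append(f"{full}: archive could not be inspected")
        for member in members or []:
            reasons.extend(block_reasons(member, full))
    return reasons


def should_hold_message(attachments: list[dict]) -> bool:
    """True if any attachment (or archive member) violates the policy."""
    return any(block_reasons(a) for a in attachments)


# Constructed sample message, not taken from the article.
SAMPLE_ATTACHMENTS = [
    {"name": "report.pdf"},
    {"name": "Invoice.zip", "members": [{"name": "Invoice.pdf.JS"}]},
    {"name": "scan.iso"},
    {"name": "locked.7z"},  # password protected: no members available
]

if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        print(att["name"], block_reasons(att) or "allowed")
```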
Publisher: Cyware