Top 3 Malware Loaders of 2023 that Fueling 80% of Cyber Attacks

SOC teams find malware loaders challenging, as the different loaders, even for the same malware, need distinct mitigation. 

Besides this, they are the key and most important elements for initial network access and payload delivery, for which remote-access software and post-exploitation tools are most sought.

Detecting a malware loader doesn’t always mean network compromise, as sometimes, in the kill chain, it’s stopped early.

However, cybersecurity analysts at ReliaQuest have recently uncovered a multitude of malware loaders that were observed to be the most active this year in 2023.

Unveiled Malware Loaders

Here below, we have mentioned all the malware loaders that were unveiled recently by the cybersecurity experts at ReliaQuest:-

• QBot
• SOCGholish
• Raspberry Robin
• Gootloader
• Chromeloader
• Guloader
• Ursnif

Among them, the top 3 malware loaders that were observed to be the most active by the security researchers are:-

• QBot (aka QakBot, QuackBot, Pinkslipbot)
• SocGholish (aka FakeUpdates)
• Raspberry Robin

Technical Analysis of Top 3 Malware Loaders

Here below, we have mentioned the technical analysis of all the top 3 malware loaders:-

html

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

QakBot

QakBot started as a banking trojan and swiftly evolved with more functions. Beyond network entry, it does the following things:-

• Spreads payloads
• Steals data
• Aids  lateral movement
• Enables remote execution

Qbot is linked to the “Black Basta” ransomware gang, and it operates discovery, C2 communication, info relay, and payload drop for post-exploitation goals.

QakBot swiftly adapted to Microsoft’s MOTW with HTML smuggling. It also shifted payload file types, even using OneNote files in a Feb 2023 campaign against US entities.

SocGholish

SocGholis is a notorious JavaScript-based loader that primarily targets users and entities using Windows OS. This malware loader spreads through drive-by downloads on compromised websites, fooling visitors with Microsoft Teams and Adobe Flash fake updates.

SocGholish is tied to the Russia-based group “Evil Corp,” which targets US industries like-

• Accommodation
• Retail
• Law

Apart from this, It’s also connected to “Exotic Lily,” an initial access broker, selling access gained through phishing to other threat actors, including ransomware groups.

This malware loader emerged in 2022, spreading through compromised websites and social engineering. With just a few clicks, it can impact entire domains or networks, and in 2023, it launched several watering hole attacks aggressively.

Raspberry Robin

Raspberry Robin is a highly elusive worm-turned-loader that targets users and entities using Microsoft Windows OS. It spreads through malicious USB devices, using LNK files to trigger native Windows processes and download its DLL. 

Moreover, this malware loader uses many techniques to evade detection, including creating scheduled tasks and code injection.

Raspberry Robin is linked to multiple dangerous groups, including Evil Corp and Silence (aka Whisper Spider). 

In addition to the Cobalt Strike tool, Raspberry Robin is used by threat actors to deliver multiple variants of ransomware and other malware like-

• Clop
• LockBit
• TrueBot

Moreover, the Raspberry Robin malware loader is also linked to SocGholish ops in legal and financial services organizations in Q1 2023, signaling crime syndicate collab.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.