Cyber Security Threat Summary:
Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.
Security Officer Comments:
QakBot was the most prolific strain seen by the researchers, accounting for 30% of all intrusions. More concerningly, QakBot has been linked to the BlackBasta ransomware group, which has used it to target organizations in multiple sectors and industries. The malware, which was initially a banking trojan, has evolved into a powerful malware loader that can deploy additional payloads and steal sensitive information.
SocGholish intrusions fell right behind QakBot with around 27% of total intrusions. This piece of malware is associated with Evil Corp, a financially motivated Russian-based cybercriminal group which has been active since 2007. Since around 2018, the researchers say SocGholish has been used against US organizations in the food services industry, retail trade, and legal services.
Raspberry Robin was used in 23% of intrusions and is tied to various groups including Evil Corp and Whisper Spider, a financially motivated threat actor targeting financial institutions in Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. Raspberry Robin has also been used by ransomware actors to deliver Cl0p, LockBit, TrueBot, and Flawed Grace. In many instances it was used to deploy Cobalt Strike, a common precursor to ransomware activity.
“Raspberry Robin is a highly elusive worm-turned-loader that targets Microsoft Windows environments. Its exceptional propagation capabilities kick in after initial infection via malicious USB devices, when cmd[.]exe runs and executes a LNK file on the infected USB” (Info Security Magazine, 2023). In 2023, Raspberry Robin has been used to target financial institutions, telecommunications, government, and manufacturing organizations, mainly in Europe, although the US has had its fair share of attacks. SocGholish’s operators used Raspberry Robin in the first quarter of 2023 when heavily targeting legal and financial services organizations.
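The infection chain quoted above (a LNK on a removable drive causing cmd.exe to run) suggests a simple hunting filter for defenders: process-creation events where cmd.exe is launched with a command line that points at a file on a removable drive. The following is an added example, not code from ReliaQuest or the article, and the event shape (including the `removable_drives` field, which real telemetry such as Sysmon does not carry directly and would need to be joined from device-mount logs) and all sample events are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One process-creation record. The layout is an assumption for this
    example; the removable_drives field must be enriched from mount telemetry."""
    host: str
    image: str            # full path of the created process
    command_line: str
    removable_drives: frozenset = field(default_factory=frozenset)  # letters mounted as removable


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Scripts\backup.bat"', frozenset()),
    ProcEvent("ws-02", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /R "E:\setup\launch.cmd"', frozenset({"E"})),
    ProcEvent("ws-03", r"C:\Windows\explorer.exe",
              r"explorer.exe E:\photos", frozenset({"E"})),
    ProcEvent("ws-04", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c D:\build\run.cmd", frozenset()),
]

# A drive letter followed by ":\" that is not part of a longer token.
DRIVE_REF = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")


def is_cmd(image: str) -> bool:
    """True when the created process image is cmd.exe (case-insensitive)."""
    return image.lower().endswith("\\cmd.exe")


def referenced_drives(command_line: str) -> set:
    """Return the set of drive letters referenced by absolute paths in a command line."""
    return {m.group(1).upper() for m in DRIVE_REF.finditer(command_line)}


def is_suspicious(ev: ProcEvent) -> bool:
    """cmd.exe whose command line touches a path on a drive mounted as removable."""
    if not is_cmd(ev.image):
        return False
    removable = {d.upper() for d in ev.removable_drives}
    return bool(referenced_drives(ev.command_line) & removable)


def hunt(events) -> list:
    """Filter a stream of process events down to those matching the USB-to-cmd.exe pattern."""
    return [ev for ev in events if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev.host}: cmd.exe referenced removable drive -> {ev.command_line}")
```

Only ws-02 matches: ws-01 and ws-04 run cmd.exe against fixed drives, and ws-03 touches the removable drive from explorer.exe rather than cmd.exe. In practice this filter is a triage starting point and should be tuned against the environment's own baseline of legitimate removable-media use.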
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the appropriate security or I.T. staff immediately