Malware loaders are a significant threat in the cybersecurity landscape, with nearly 40% of all malware observed in critical security incidents involving these specialized tools. Among the most prevalent loaders are “SocGholish,” “GootLoader,” and “Raspberry Robin,” which have been frequently used by cybercriminals to deliver a range of secondary malware, including ransomware.
This was revealed in ReliaQuest’s recent report, which examines the most common malware loaders today.
Loaders are specialized forms of malware designed to gain an initial foothold in a system before downloading and executing additional, often more destructive, malware. Their ability to deliver secondary payloads makes them a crucial element in the early stages of a cyberattack. In 2024, these loaders have become increasingly sophisticated, employing advanced evasion techniques and diversified distribution methods to bypass security defenses.
Key Trends in 2024
ReliaQuest’s report highlighted several key trends this year.
Shift to Script-Based Evasion: Malicious actors are increasingly moving away from using easily detectable executables and PowerShell scripts in favor of more covert methods, such as Python-based scripts. This shift enhances the loaders’ evasion capabilities and persistence, making them harder to detect and remove.
Adoption of Subscription-Based Models: The malware landscape has seen a rise in subscription-based models, such as Loader-as-a-Service (LaaS) and Malware-as-a-Service (MaaS), which make sophisticated tools more accessible to a wider range of cybercriminals. These services often include regular updates and support, further complicating the efforts of cybersecurity defenders.
Use of Digital Signatures: To bypass security mechanisms, some loaders have started adopting digital signatures and switching formats, such as from MSI to MSIX. This allows them to appear legitimate and evade detection by security software.
Diversified Distribution Methods: Malware loaders are now being distributed through a variety of channels, including compromised messaging platforms like Microsoft Teams and SEO poisoning, where malicious websites are promoted through manipulated search engine rankings.
2024’s Top Loaders
The top loaders this year were revealed to be:
SocGholish: SocGholish, a JavaScript-based loader, is the most prevalent loader, accounting for almost three-quarters (74%) of all incidents involving malware loaders. It has been linked to multiple threat actors, including the Russian group “Evil Corp.” In 2024, SocGholish advanced its tactics by incorporating Python scripts to establish persistence in compromised systems, marking a shift from its traditional use of deceptive JavaScript files.
To mitigate this threat, ReliaQuest advises to implement application control to prevent the execution of unnecessary applications, and block JavaScript or Visual Basic Script (VBS) from launching downloaded executables. Also, set Notepad as the default application for JavaScript files to prevent the execution of initial payloads.
GootLoader: GootLoader, another JavaScript-based loader, has gained prominence in 2024, accounting for 16% of incidents. Known for its use of SEO poisoning to lure victims to malicious websites, GootLoader has evolved significantly, incorporating advanced evasion techniques and deploying a new command-and-control tool, “GootBot.”
To mitigate this loader, enhanced script control policies should be implemented to restrict unauthorized JavaScript libraries, and endpoint detection and response (EDR) solutions should be deployed to detect unusual behaviors. Also, network traffic must be monitored for connections to known Tor entry points, which GootBot uses for communications.
Raspberry Robin: Raspberry Robin, a sophisticated loader initially spread through infected USB devices, has continued to evolve in 2024 (making up 7% of all malware loaders) is now using Windows Script Files (WSF) and advanced anti-analysis techniques. This loader has been linked to several high-profile threat actors and continues to pose a significant threat to organizations.
To mitigate this one, restrict the execution of WSF files and enforce application control, implement process monitoring to detect termination of User Account Control (UAC)-related processes, and regularly update and patch systems to mitigate the risk of one-day exploits.
Robust Defenses Needed
The growing prevalence and sophistication of malware loaders highlight the need for robust cybersecurity defenses. Entities must remain vigilant, employ advanced detection methods, enforce strict script control policies, and stay informed about the latest developments in malware tactics.
As malefactors continue to adapt, the fight against malware loaders will require constant innovation and collaboration between industry and law enforcement.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.