Popular Malware Loaders – ReliaQuest

In 2024, malware loaders became a dominant tool in cyberattacks, with SocGholish, GootLoader, and Raspberry Robin leading in prevalence and evolving to use scripting languages like Python for persistence and stealth. The report outlines attacker trends, law-enforcement actions, and practical mitigations for defenders.

Key points

  • In 2024, nearly 40% of malware observed in critical security incidents involved loaders, with SocGholish, GootLoader, and Raspberry Robin as the most common.
  • Loaders are increasingly using scripts (notably Python) to enhance evasion and persistence, signaling a shift away from traditional executables and PowerShell.
  • 2024 saw developments such as subscription-based models, diversified distribution (SEO, compromised platforms), and the adoption of digital signatures to bypass security controls.
  • Operation Endgame (May 2024) marked the largest law-enforcement action against loader botnets, dismantling servers and domains and arresting individuals, driving threat actors to pivot to other loaders like GootLoader.
  • The top three loaders targeting ReliaQuest customers in 2024 were SocGholish (dominant), GootLoader (new to the top three), and Raspberry Robin (third), with QakBot declining.
  • Mitigation focus includes script monitoring, traffic analysis, and restricting scripting engine usage, complemented by ReliaQuest detection rules and response plays.

MITRE Techniques

  • [T1203] Execution
  • [T1543] Persistence
  • [T1071] Command and Control
  • [T1027] Obfuscation
  • [T1003] Credential Access

Indicators of Compromise

  • [Domain] Domain used for C2 and data exfiltration – dpb.catching.fishingrealinvestments[dot]com, python[.]org
  • [IP Address] 128.254.207.82 – C2 connection attempt in the case study
  • [IP Address] 194.36.209.227 – Secondary C2 connection attempt
  • [IP Address] 92.118.112.208 – IP used by scheduled-task C2 activity
  • [URL] hxxps://dpb.catching.fishingrealinvestments[dot]com/secureRequest – C2 web endpoint
  • [File] update.js – Initial malicious JavaScript loaded via Windows Script Host
  • [File] py3g.py – Python-based payload script used in persistence
  • [Process] wscript.exe – Windows Script Host used to execute the initial script
  • [Scheduled Task] pypi-py – Task created to run Python script every 5 minutes for persistence
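As an added example (not code from the ReliaQuest report), the script-monitoring mitigation from the key points applied to the chain in the indicators above: a Windows Script Host process running a .js from a user-writable path, a scheduled task that re-runs a Python script on a short interval, and python.exe connecting to a bare IP. The key=value telemetry format, the file paths, and the 15-minute interval threshold are assumptions; the process, task and indicator names come from the list above.

```python
import re

# Constructed sample telemetry in a simplified key=value form (not real log output).
# Paths are assumed; wscript.exe, update.js, pypi-py, py3g.py and the IP come from the IoC list.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe C:\\Users\\alice\\Downloads\\update.js"',
    'type=task name=pypi-py action="python.exe C:\\Users\\alice\\AppData\\Roaming\\py3g.py" interval_min=5',
    'type=network image="C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe" dest=128.254.207.82:443',
    'type=process image="C:\\Windows\\System32\\wscript.exe" cmdline="wscript.exe C:\\Program Files\\Corp\\logon.js"',
    'type=task name=BackupNightly action="python.exe C:\\Scripts\\backup.py" interval_min=1440',
    'type=network image="C:\\Program Files\\Python312\\python.exe" dest=files.pythonhosted.org:443',
]

USER_WRITABLE = re.compile(r'\\(Users|ProgramData|Temp)\\', re.IGNORECASE)
SCRIPT_HOST = re.compile(r'\\(wscript|cscript)\.exe$', re.IGNORECASE)
BARE_IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}(:\d+)?$')
MAX_INTERVAL_MIN = 15  # assumed threshold: a task firing this often looks like a beacon cadence


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding double quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect(events):
    """Return (rule_name, detail) pairs for events matching the loader-chain rules."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        kind = ev.get('type')
        if kind == 'process' and SCRIPT_HOST.search(ev.get('image', '')) \
                and USER_WRITABLE.search(ev.get('cmdline', '')):
            # Rule 1: script host (wscript/cscript) launching a script from a user-writable path.
            alerts.append(('script_host_user_path', ev['cmdline']))
        elif kind == 'task':
            action = ev.get('action', '')
            interval = int(ev.get('interval_min', 0))
            if 'python' in action.lower() and USER_WRITABLE.search(action) \
                    and 0 < interval <= MAX_INTERVAL_MIN:
                # Rule 2: scheduled task re-running a Python script from a user path on a short interval.
                alerts.append(('python_task_short_interval', ev.get('name', '')))
        elif kind == 'network' and ev.get('image', '').lower().endswith('python.exe') \
                and BARE_IPV4.match(ev.get('dest', '')):
            # Rule 3: python.exe talking to a bare IP rather than a named host.
            alerts.append(('python_to_bare_ip', ev['dest']))
    return alerts


if __name__ == '__main__':
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f'{rule}: {detail}')
```

The benign events (a script from Program Files, a nightly backup task, python.exe reaching a named package host) produce no alert; only the three events that mirror the chain above do.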

Read more: https://www.reliaquest.com/blog/common-malware-loaders/