SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
Cybersecurity
#
Malware
#
FBI

FBI's Qakbot takedown reshapes 2024 malware loader landscape

Fri, 16th Aug 2024
Author image
By Sean Mitchell, Publisher

The recent dismantling of the Qakbot malware and botnet by the FBI had a substantial impact on its prevalence. ReliaQuest, which had identified Qakbot as a factor in 30 percent of malware loader incidents, has now published a new report assessing the current landscape of common malware loaders. The key findings from the report reveal significant developments and shifts in the usage and methods of these malware loaders.

According to the report, nearly 40 percent of all malware observed in critical security incidents in 2024 involved loaders. SocGholish, GootLoader, and Raspberry Robin were identified as the most common loaders during this period. These loaders frequently aimed to deliver other types of malware, including ransomware.

The report indicates that SocGholish was involved in 74 percent of incidents, making it the most prevalent loader. GootLoader and Raspberry Robin followed, with involvement in 16 percent and 7 percent of incidents, respectively. This contrasts sharply with the rate of Qakbot involvement before the FBI's intervention when it accounted for 30 percent of incidents.

Despite a reduction in activity following the FBI's action, Qakbot re-emerged in December 2023 with a new phishing campaign, specifically targeting the hospitality industry. This updated version of Qakbot, known as 0x500, featured advancements such as AES string decryption. However, it also displayed bugs, suggesting ongoing development efforts. Additionally, Qakbot was reportedly involved in attacks exploiting a Windows zero-day vulnerability (CVE-2024-30051) in May 2024. Yet, Qakbot activity has declined since 2023, with many threat actors pivoting to the use of DarkGate malware instead, notably the Black Basta group.

The report also highlights a broader trend within the malware ecosystem. Malware loaders are increasingly utilising scripts, such as Python, to enhance their evasion capabilities and persistence. This signifies a shift from traditional, more easily detectable executables and PowerShell scripts towards more covert methods.

2024 witnessed significant developments in the realm of malware loaders. These included sophisticated evasion techniques, subscription-based models, diversified distribution methods, and the adoption of digital signatures to circumvent security mechanisms. These developments indicate increasingly complex threats that security professionals and organisations must be prepared to defend against.

Based on the findings, the report provides several mitigation recommendations for defenders. These focus on implementing script block policies, monitoring scheduled tasks, analysing network traffic, and restricting the usage of scripting engines. Additionally, ReliaQuest offers detection rules and response plays designed to identify and remediate malicious activities associated with loader malware.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Trustwave highlights critical cyber threats to financial services
Claroty reveals remote access risks in OT environments report
Check Point's CloudGuard named Leader in GigaOm Security Report
CAST AI launches real-time Kubernetes security solution
Breached firms invest 30% more in cyber resilience says report
Top stories
SAP Concur highlights complexities in return on investment in AI
Zscaler launches new co-located data centre in Perth
Proofpoint unveils new security features
Proofpoint & CyberArk expand partnership for enhanced security
BlueVoyant study shows MDR services offer 210% ROI & cost savings