2023’s Digital Intruders: Unmasking the Year’s Top Malware So Far

Background

The enduring and evolving threat of malware remains a predominant concern in the cybersecurity realm, imperiling individuals, organizations, and even entire nations. Malware infiltrates systems through diverse entry points, from malicious email attachments to compromised websites and sophisticated social engineering schemes that deceive unwitting users into executing malevolent code. Concurrently, malware architects refine their techniques, incorporating polymorphic malware and advanced evasion methods to elude detection.

The financial consequences of malware attacks are profoundly significant, casting a daunting shadow over both businesses and individuals. The fallout encompasses an array of financial burdens, including the costly pursuit of data recovery, legal expenses, regulatory penalties, and the debilitating impact on reputation. Beyond the scope of financially driven cybercrime, the specter of state-sponsored malware looms large, targeting critical infrastructure and government entities, amplifying the multifaceted nature of malware threats.

Top 3 Malware Loaders

A malware loader, also known as a “payload loader” or “malware dropper,” is a component of malicious software designed to deliver and execute additional malicious code on a victim’s computer or system. Its primary purpose is to circumvent security defenses and introduce the core malware payload into the target system. These loaders often disguise themselves as benign files or applications, appearing harmless to both users and security software. Once they infiltrate a system, they trigger the deployment of the main malware payload, which can include ransomware, viruses, trojans, spyware, or worms. Cybercriminals frequently use malware loaders to avoid detection, exploiting software vulnerabilities or employing social engineering tactics to deceive users into executing them. Upon execution, the main malware payload can engage in various malicious activities, such as data theft, system takeover, or other harmful actions.

Recent research reveals an unsettling reality: QakBot (QBot), SocGholish, and Raspberry Robin, three adaptable malware loaders, have collectively driven a staggering 80% of cyberattacks in the initial seven months of 2023. These loaders demonstrate remarkable versatility, enabling a wide range of malicious activities, including ransomware, viruses, trojans, and worms.

QakBot: QakBot operators have displayed remarkable agility by frequently changing their delivery tactics. This adaptability allows attackers to target various industries and regions with ease. In recent developments, QakBot operators expanded their command-and-control (C2) network by adding 15 new servers, the majority of which were used to communicate with victim hosts and download additional malicious payloads. These payloads include Cobalt Strike and remote access tools like Atera and NetSupport.

SocGholish: During the first half of 2023, SocGholish operators engaged in watering hole attacks, compromising the websites of prominent organizations engaged in everyday business activities. Unsuspecting users were lured into downloading malicious payloads through social engineering tactics.

Raspberry Robin: Raspberry Robin has been a vector for delivering various ransomware strains, including Cl0p, LockBit, TrueBot, and Flawed Grace, along with Cobalt Strike. In the first half of the year, operators targeted a broad spectrum of sectors, including financial institutions, telecommunications, government entities, and manufacturing organizations, with a significant focus on Europe and some presence in the U.S. Notably, researchers also discovered instances of SocGholish operators collaborating with Raspberry Robin in the first quarter of 2023, targeting legal and financial services, indicating increased cooperation among cybercriminal syndicates and malware operators.

Top 3 Malware

The term “malware” encompasses a vast array of threats, each distinguished by its unique objectives and characteristics. Within this expansive domain, various malicious software variants, such as viruses, worms, trojans, ransomware, spyware, adware, and rootkits, serve distinct purposes. Some are meticulously crafted for data theft, surreptitiously exfiltrating sensitive information like passwords and financial data. In stark contrast, ransomware operates with the potential to disrupt operations on a grand scale, employing ruthless file encryption methods and extorting ransoms for decryption keys.

Redline: A formidable data-stealing malware, Redline first surfaced in 2020 and has maintained its status as a persistent menace to Windows systems. What sets Redline apart is its ability to provide attackers with complete control over compromised computers. In Q2 2023, its usage witnessed a staggering 80% surge compared to the previous quarter, establishing it as the most widespread cyber threat globally. Attackers who deploy Redline gain unfettered access to sensitive data, including passwords, banking credentials, and even cryptocurrency holdings. This malicious software poses a substantial risk to organizations, both in terms of financial losses and damage to their reputation.

Remcos: A Remote Access Trojan (RAT) active since 2016, Remcos is notorious for its data theft capabilities. Although there was a slight 1.2% drop in the number of Remcos samples submitted to ANY.RUN in Q2 compared to Q1, it retained its position as the second most common malware. Remcos can be delivered through various vectors, such as .exe or .docx files. Once it infiltrates a victim’s computer, it engages in various malicious activities, including stealing private information, modifying the system’s registry, and closely monitoring user activities. Organizations should remain vigilant because Remcos continues to be a persistent threat.

njRAT: A Remote Access Trojan with a notorious history, njRAT has been active since 2013. It boasts a dedicated community of enthusiasts who have contributed to a wealth of educational content on its usage. njRAT equips attackers with a diverse arsenal of hacking tools, enabling activities such as keylogging, extracting passwords from web browsers, and capturing webcam images. In Q2 2023, njRAT witnessed a 4.2% increase in its usage, earning it the distinction of being the third most popular malware worldwide. Attackers frequently employ phishing emails as a means of distribution, disguising njRAT within fake attachments that appear legitimate. This malware’s prevalence underscores the need for organizations to remain proactive in defending against evolving cyber threats.

Conclusion

The malware landscape of 2023 presents substantial challenges for both individuals and organizations. Dominated by three versatile malware loaders—QakBot, SocGholish, and Raspberry Robin—the cyberattacks have encompassed a broad range of threats, from ransomware and viruses to trojans and worms. The adaptability of these malicious actors allows them to target diverse industries and regions, creating a complex and ever-evolving cybersecurity environment.

As these malware families continue to evolve, they pose significant financial and reputational risks to organizations. To effectively counter these threats, enterprises are strongly advised to embrace advanced security solutions. Such tools facilitate rapid and comprehensive malware analysis while enhancing the gathering of threat intelligence. Staying proactive and vigilant in the face of these evolving cyber threats is essential to safeguarding organizational assets and preserving reputation in an increasingly digital landscape.

The Cyber Research Unit at Critical Start has ensured complete detection coverage for all the malware families and threats discussed in this publication. While we strive to provide the most accurate and up-to-date information, the malware landscape is dynamic, and new variants or tactics can emerge. We recommend always keeping security solutions and threat intelligence updated and to consult with our team for the latest developments.