FBI's Qakbot takedown reshapes 2024 malware loader landscape
The FBI's dismantling of the Qakbot botnet in August 2023 had a substantial effect on the loader's prevalence. ReliaQuest, which had previously tied Qakbot to 30 percent of the malware loader incidents it handled, has now published a new report assessing the current loader landscape. Its key findings show significant shifts in which loaders are used and how they operate.
According to the report, nearly 40 percent of all malware observed in critical security incidents in 2024 involved loaders. SocGholish, GootLoader, and Raspberry Robin were the most common loaders in that period. Loaders exist to stage other malware, and in these incidents the follow-on payloads included ransomware.
The report puts SocGholish in 74 percent of loader incidents, making it by far the most prevalent. GootLoader and Raspberry Robin followed at 16 percent and 7 percent respectively, so the three together account for almost all loader incidents in the period. This contrasts sharply with Qakbot's 30 percent share of loader incidents before the FBI's intervention.
Despite the drop in activity after the FBI's action, Qakbot re-emerged in December 2023 with a new phishing campaign targeting the hospitality industry. This updated build, versioned 0x500, added features such as AES-based string decryption, but it also contained bugs, suggesting it was still under active development. In May 2024 Qakbot was also reportedly used in attacks exploiting a Windows zero-day (CVE-2024-30051, an elevation-of-privilege flaw in the Desktop Window Manager core library). Overall, though, Qakbot activity has stayed well below its 2023 level, with many threat actors, notably the Black Basta group, pivoting to DarkGate instead.
The report also highlights a broader trend across the loader ecosystem: loaders increasingly use scripting languages such as Python for evasion and persistence. This marks a shift away from compiled executables and PowerShell scripts, which endpoint tooling has become good at flagging, towards interpreters and file types that attract less scrutiny.
Loaders developed noticeably during 2024. The report lists more sophisticated evasion techniques, subscription-based (loader-as-a-service) offerings, more diverse distribution channels, and code-signed payloads intended to pass controls that trust signed binaries. Together these point to increasingly complex threats that security teams must be prepared to defend against.
Based on these findings, the report offers several mitigations for defenders: enforce script-block policies (for example PowerShell script block logging), monitor scheduled-task creation, analyse network traffic, and restrict which scripting engines may run and for whom. ReliaQuest additionally provides detection rules and response plays designed to identify and remediate activity associated with loader malware.
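Two of those mitigations, monitoring scheduled tasks and restricting scripting engines, can be combined into one triage step: read Windows Security event 4698 (a scheduled task was created), pull the task's Exec action out of the embedded task XML, and flag actions that run a script interpreter, live in a user-writable path, or carry arguments such as an encoded PowerShell command or a cscript engine override. The script below is an added example written for this page, not ReliaQuest's detection rule or any vendor code; the interpreter watch-list, path list and argument patterns are assumptions to tune per fleet, and the four events are constructed samples that mimic the Security log's nesting (the task definition is stored XML-escaped inside the TaskContent field). It goes a little beyond the text by scoring Python, JScript and PowerShell tasks with the same logic.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Interpreters and LOLBins that loaders typically chain their next stage through.
# Assumed watch-list for this example; tune it to what your fleet legitimately schedules.
SCRIPT_ENGINES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "pythonw.exe",
    "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
}
# Locations an unprivileged user can write to: a task whose action lives there was
# planted by the user (or malware running as the user), not by an installer.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
# Argument patterns that almost never appear in legitimate administrative tasks.
SUSPICIOUS_ARGS = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I), "encoded PowerShell command"),
    (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"//e:(jscript|vbscript)", re.I),
     "script engine forced with //e: (payload need not end in .js/.vbs)"),
]


@dataclass
class Finding:
    task_name: str
    user: str
    command: str
    arguments: str
    reasons: list = field(default_factory=list)


def _data(event, name):
    """Read one <Data Name="..."> value from the EventData section."""
    node = event.find(f"./{EVT_NS}EventData/{EVT_NS}Data[@Name='{name}']")
    return (node.text or "") if node is not None else ""


def parse_4698(event_xml):
    """Return one Finding per <Exec> action in a Security 4698 (task created) event."""
    event = ET.fromstring(event_xml)
    if event.findtext(f"./{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return []
    # TaskContent carries the task definition as escaped XML; ET unescapes it on the
    # first parse, so parse it a second time. Real records begin with an XML declaration
    # (encoding="UTF-16"), which we drop before re-parsing the already-decoded text.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", _data(event, "TaskContent"))
    task = ET.fromstring(content)
    findings = []
    for action in task.iter(f"{TASK_NS}Exec"):
        command = (action.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        arguments = (action.findtext(f"{TASK_NS}Arguments") or "").strip()
        findings.append(Finding(_data(event, "TaskName"), _data(event, "SubjectUserName"),
                                command, arguments))
    return findings


def score(finding):
    """Append a reason for every heuristic the task action trips; returns the same object."""
    exe = finding.command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_ENGINES:
        finding.reasons.append(f"action runs script engine {exe}")
    if USER_WRITABLE.search(finding.command) or USER_WRITABLE.search(finding.arguments):
        finding.reasons.append("action or its script lives in a user-writable path")
    for pattern, why in SUSPICIOUS_ARGS:
        if pattern.search(finding.arguments):
            finding.reasons.append(why)
    return finding


def triage(events):
    """Keep only the task actions that tripped at least one heuristic."""
    return [f for xml in events for f in map(score, parse_4698(xml)) if f.reasons]


def make_event(user, task_name, command, arguments):
    """Build a minimal 4698 record with the Security log's nesting (constructed sample)."""
    task = (f'<Task xmlns="{TASK_NS[1:-1]}"><Actions><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')


# Constructed samples: a benign OS task, a SocGholish-style JScript task, a Python task
# staged in ProgramData, and an encoded hidden PowerShell task.
SAMPLE_EVENTS = [
    make_event("SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               r"%windir%\system32\defrag.exe", "-c -h -o -$"),
    make_event("alice", r"\Updater", r"C:\Windows\System32\wscript.exe",
               r'//e:jscript //b "C:\Users\alice\AppData\Roaming\update.txt"'),
    make_event("bob", r"\OneDrive Sync",
               r"C:\Users\bob\AppData\Local\Programs\Python\pythonw.exe",
               r"C:\ProgramData\sync\client.py"),
    make_event("carol", r"\AdobeUpdate",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.task_name} ({f.user}): {f.command} {f.arguments}")
        for r in f.reasons:
            print(f"    - {r}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that policy before relying on this. The benign defrag task produces no finding; the three loader-style tasks each trip two or three heuristics, which is the signal to pair with script-block logs and network telemetry from the same host.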