It has been reported that the Royal ransomware group is enhancing its arsenal with new malware. This group is said to have surfaced following the dismantling of the notorious Conti group.

Several other Conti-related groups have been observed using commercial downloaders such as Emotet, QBot, and IcedID. This inspired the Royal ransomware actors to develop their own malware loader.

In early 2022, Royal ransomware emerged along with Black Basta, Alphv/BlackCat, HelloKitty, Roy/Zeon, Quantum, Silent Ransom, and AvosLocker.

Royal Ransomware’s New Malware Loader

As per a recent report, the Royal ransomware group has begun developing its own loader with the goal of infecting endpoint devices and downloading malware.

  • The loader is small (less than 250KB) and serves only to deploy the Cobalt Strike beacon.
  • It immediately connects to a Royal C2 server after infection, which the group claims is a design feature.
  • Notably, the loader lacks a crypter module or function that would allow end-users to specify preferred cryptos.

Tried and Tested Strategies

Several strategies used by the Royal group have been proven successful by other groups, such as Qbot.

  • Like Qbot, it exploits CVE-2022-41073 (an elevation of privilege vulnerability in Windows Print Spooler) for initial access.
  • Due to the Royal group’s access to Anubis, the loader incorporates key Anubis functionality.
  • The analyzed loader is still a test version (a pre-alpha variant) rather than a final product.
  • The group intends to use the final version in spam campaigns, where they have previously demonstrated exceptional effectiveness.

As per Cyware, the Royal group’s work draws inspiration from various existing and defunct ransomware groups.

While the group refines its loader, organizations are urged to report the threat’s TTPs in a timely manner so that others can defend against it with appropriate preventive measures.
