Heimdal Security Blog

The Royal Gang Is Developing Its Own Malware Loader

It has been reported that the Royal ransomware group is enhancing its arsenal with new malware. This group is said to have surfaced following the dismantling of the notorious Conti group.

Several other Conti-related groups have been observed using commercial downloaders such as Emotet, QBot, and IcedID. This inspired the Royal ransomware actors to develop their own malware loader.

In early 2022, Royal ransomware emerged along with Black Basta, Alphv/BlackCat, HelloKitty, Roy/Zeon, Quantum, Silent Ransom, and AvosLocker.

Royal Ransomware’s New Malware Loader

As per a recent report, the Royal ransomware group has begun developing its own loader with the goal of infecting endpoint devices and downloading malware.

Tried and Tested Strategies

Several strategies used by the Royal group have already proven successful for other operations, such as Qbot.

As per Cyware, the Royal group's operation has drawn inspiration from various active and defunct ransomware groups.

While the group refines its loader, organizations are urged to report the threat's TTPs promptly so that other organizations can defend against it by putting appropriate preventive measures in place.

Check out the following articles to learn more about how to protect your systems against malware, how to prevent ransomware, and how command and control servers work.
