The Russian-speaking Royal ransomware group, which emerged from the collapse of the infamous Conti group, is reportedly updating its arsenal with new malware. Several other groups that spun off from Conti are known to use commodity downloaders such as Emotet, QBot, and IcedID. Now, the Royal actors are working to develop their own malware loader, largely inspired by those same malware families.

Royal ransomware emerged in early 2022 as a post-Conti spinoff, along with other groups such as Black Basta, Alphv/BlackCat, HelloKitty, Roy/Zeon, Quantum, Silent Ransom, and AvosLocker.

Building the malware loader

According to a recent report, the Royal ransomware group has started building its own loader to infect endpoint devices and download further malware.
  • The loader is small (less than 250KB) and has a single purpose: deploying a Cobalt Strike beacon.
  • Upon infection, it immediately connects to a Royal C2 server, which the group claims is a design feature.
  • Notably, the loader does not include a crypter module or any function that would let operators apply a crypter of their choice.

Figuring it out

The Royal group borrows heavily from strategies proven to work by other groups, such as Qbot.
  • For instance, it exploits CVE-2022-41073 (an elevation of privilege vulnerability in Windows Print Spooler) for initial access, in the same way as Qbot.
  • The Royal group has privileged access to Anubis, so the loader incorporates key functionality taken from Anubis.
  • The analyzed loader is still a test version (a pre-alpha variant) rather than a final product.
  • The group plans to use the final version in spam campaigns, where they have shown particular effectiveness in the past.

Conclusion

The recent report sheds light on how the Royal group has drawn inspiration from various existing and defunct ransomware groups. While the group continues to refine its loader, organizations are urged to report the threat's TTPs promptly so that others can fend it off by taking appropriate preventive measures.
Cyware Publisher