Cybersecurity specialists have found one more malware-as-a-service (MaaS) menace known as BunnyLoader that is being marketed on the market on the cybercrime underground.
“BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an evaluation revealed final week.
Amongst its different capabilities embrace working distant instructions on the contaminated machine, a keylogger to seize keystrokes, and a clipper performance to observe the sufferer’s clipboard and substitute content material matching cryptocurrency pockets addresses with actor-controlled addresses.
A C/C++-based loader provided for $250 for a lifetime license, the malware is alleged to have been below steady growth since its debut on September 4, 2023, with new options and enhancements that incorporate anti-sandbox and antivirus evasion methods.
Additionally mounted as a part of updates launched on September 15 and September 27, 2023, are points with command-and-control (C2) in addition to “critical” SQL injection flaws within the C2 panel that will have granted entry to the database.
A key promoting level of BunnyLoader, in line with the creator PLAYER_BUNNY (aka PLAYER_BL), is its fileless loading function that “makes it difficult for the antiviruses to remove the attackers malware.”
The C2 panel offers choices for patrons to observe lively duties, an infection statistics, the overall variety of related and inactive hosts, and stealer logs. It additionally offers the power to purge info and remotely management the compromised machines.
The precise preliminary entry mechanism used to distribute BunnyLoader is presently unclear. As soon as put in, the malware units up persistence by way of a Home windows Registry change and performs a collection of sandbox and digital machine checks earlier than activating its malicious conduct by sending activity requests to the distant server and fetching the specified responses.
This consists of Trojan Downloader duties to obtain and execute next-stage malware, Intruder to run keylogger and stealer for harvesting knowledge from messaging apps, VPN shoppers, and net browsers, and Clipper to redirect cryptocurrency funds and revenue off illicit transactions.
The ultimate step entails encapsulating all of the collected knowledge right into a ZIP archive and transmitting it to the server.
“BunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets,” the researchers stated.
The findings comply with the invention of another Windows-based loader known as MidgeDropper that’s possible distributed by way of phishing emails to ship an unnamed second-stage payload from a distant server.
Whereas Agniane Stealer is obtainable as a month-to-month subscription for $50, the latter is available on GitHub for allegedly instructional functions, making it ripe for abuse by different menace actors. Among the different stealers hosted on GitHub embrace Stealerium, Impost3r, Clean-Grabber, Nivistealer, Creal-stealer, and cstealer.
“While claiming the tool is for educational purposes, the author’s contradiction arises when urging not to upload the final binary to platforms like VirusTotal (VT), where antivirus solutions can detect its signature,” Cyfirma stated.
It is not simply new malware companies, as cybercriminals are additionally augmenting options of current MaaS platforms with up to date assault chains to evade detection by safety instruments. This encompasses a variant of the RedLine Stealer that employs a Home windows Batch script to launch the malware.
“[RedLine Stealer] is being distributed by various means and threat actors are continuously making changes to the techniques to make it undetectable for an extended period of time,” the cybersecurity agency said. “It is also being sold on the underground forums and encouraging cybercriminals to accomplish their evil intentions.”
Author: firstname.lastname@example.org (The Hacker Information)
Date: 2023-10-02 01:31:00