Saturday, March 2, 2024

New BunnyLoader threat emerges as a feature-rich malware-as-a-service

Security researchers have discovered a new malware-as-a-service (MaaS) named ‘BunnyLoader’, advertised on several hacker forums as a fileless loader that can steal and replace the contents of the system clipboard.

The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keystrokes, steal sensitive data and cryptocurrency, and execute remote commands.

The first version of BunnyLoader emerged on September 4. Since then, its developers have added more functions, such as multiple anti-detection mechanisms and extra info-stealing capabilities, releasing a second major version towards the end of the month.

Researchers at cloud security company Zscaler note that BunnyLoader is quickly becoming popular among cybercriminals as a feature-rich malware available for a low price.

BunnyLoader promoted on hacker forum (Zscaler)

BunnyLoader overview

BunnyLoader’s command and control panel allows even low-skilled cybercriminals to set a second-stage payload, enable keylogging, credential stealing, clipboard manipulation (for stealing cryptocurrency), and run remote commands on infected devices.

Main malware functions directly available through the panel (Zscaler)
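The clipboard manipulation described above is the classic "clipper" pattern: a copied wallet address is silently swapped for an attacker-controlled one. As an added example (not from Zscaler's report and not BunnyLoader's code), the following detection heuristic works over constructed clipboard snapshots and flags an address that is replaced by a different address of the same coin family within a couple of seconds; the address patterns and sample values are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper typically targets (constructed regexes for the demo):
# Bitcoin legacy/P2SH, Bitcoin bech32, and Ethereum-style hex addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the coin family a clipboard string looks like, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


@dataclass
class Snapshot:
    t: float      # seconds since the monitor started
    content: str  # clipboard text observed at that instant


def find_substitutions(snapshots, max_gap=2.0):
    """Flag an address replaced by a *different* address of the same family
    within max_gap seconds. A user rarely copies two distinct addresses of one
    coin back to back that quickly; a clipper rewrites the clipboard almost
    immediately after the user's copy."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        coin = classify_address(prev.content)
        if coin is None or coin != classify_address(cur.content):
            continue
        if prev.content.strip() != cur.content.strip() and cur.t - prev.t <= max_gap:
            alerts.append((cur.t, coin, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample: the BTC address is swapped 0.4 s after being copied (clipper);
# the two ETH addresses are 30 s apart, which is ordinary user activity.
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Snapshot(5.4, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    Snapshot(60.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    Snapshot(90.0, "0x5aAeb6053F3E94C9b9A09f33669435E7Ef1BeAed"),
]

if __name__ == "__main__":
    for alert in find_substitutions(SAMPLE):
        print("possible clipper activity:", alert)
```

On a live host the snapshots would come from polling the clipboard; the heuristic itself is what matters and can be tuned by adjusting `max_gap`.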

In a recent report, researchers say that after being executed on a compromised system, BunnyLoader creates a new value in the Windows Registry for persistence, hides its window, sets a mutex to avoid multiple instances of itself, and registers the victim into the control panel.

Victims listed on the panel (Zscaler)

The malware performs several checks to determine whether it is running in a sandbox or simulated environment and throws a fake architecture incompatibility error if the result is positive.

Apart from the functions mentioned above, the malware also features modules to steal data stored in web browsers (passwords, credit cards, browsing history), cryptocurrency wallets, VPNs, messaging apps, and more, essentially acting as a standard info-stealer.

All stolen data are compressed into a ZIP archive before being exfiltrated to the threat actor’s command and control (C2) server.

Data exfiltrated by BunnyLoader (Zscaler)

According to the researchers, BunnyLoader supports writing payloads to disk before executing them, and can also run them from system memory (fileless) using the process hollowing technique.

Rapid development

Zscaler monitored the malware’s development and announcements on multiple hacking forums and noticed that it went through numerous updates since its initial release.

Here is a summary of BunnyLoader’s development timeline:

  • v1.0 (Sept 4): Initial release.
  • v1.1 (Sept 5): Fixed client bug, introduced log compression before upload, and added ‘pwd’ command for reverse shell.
  • v1.2 (Sept 6): Enhanced stealer with browser history recovery, NGRok auth-token recovery, and supported more Chromium browser paths.
  • v1.3 (Sept 9): Added credit card recovery for 16 card types and fixed C2 bugs.
  • v1.4 (Sept 10): Implemented AV evasion.
  • v1.5 (Sept 11): Introduced VPN recovery to stealer, fileless loader bug fixes, and log loading optimizations.
  • v1.6 (Sept 12): Added downloads history viewer and anti-sandbox techniques.
  • v1.7 (Sept 15): Enhanced AV evasion.
  • v1.8 (Sept 15): Implemented keylogger functionality and resolved various bugs.
  • v1.9 (Sept 17): Enhanced stealer with game recovery, more Chromium browser paths, and added a desktop wallet recovery.
  • v2.0 (Sept 27): Updated C2 GUI, fixed critical vulnerabilities, including SQL injection and XSS, introduced exploit attempt detection, and further optimized stealer and fileless loader functionalities.

In its current state, BunnyLoader is sold for $250, while the “private stub” version, which features stronger anti-analysis, in-memory injection, AV evasion, and additional persistence mechanisms, sells for $350.

This low price, combined with the rapid development cycle, makes BunnyLoader an attractive option for cybercriminals seeking early-bird deals on emerging malware projects before they gain prominence and raise their rates.

Zscaler’s report provides technical details that can help detect the malware before it establishes persistence, as well as indicators of compromise that could prevent an infection.
