Birth of a Fresh BunnyLoader Malware Variant with Modular Attack Capabilities
Cybersecurity researchers have discovered a revised variant of BunnyLoader, a stealer and malware launcher; the new version is modular in design, which helps the malware avoid detection.
Palo Alto Networks Unit 42 stated in a report published last week, “BunnyLoader is continually building malware with the ability to steal data, credentials, and cryptocurrency, in addition to delivering additional malware to its victims.”
On February 11, 2024, the developer known as Player (or Player_Bunny) unveiled the latest iteration of BunnyLoader, designated BunnyLoader 3.0. This version features redesigned modules for data theft, a smaller payload size, and improved keylogging functionality.
Zscaler ThreatLabz first identified BunnyLoader in September 2023, describing it as a malware-as-a-service (MaaS) offering designed to steal cryptocurrency and credentials. At launch, it was sold as a monthly subscription for $250.
Since then, the malware has received regular updates intended to circumvent antivirus protections and expand its data collection capabilities; BunnyLoader 2.0 was released by the end of that same month.
Besides adding a denial-of-service (DoS) capability for launching HTTP flood attacks against a specified URL, the third iteration of BunnyLoader separates its stealer, clipper, keylogger, and DoS modules into distinct binaries.
“Operators of BunnyLoader are able to install these modules or use BunnyLoader’s default commands to load their preferred type of malware,” Unit 42 explained.
The infection chains that deliver BunnyLoader have also grown more complex, using a previously undocumented dropper to load PureCrypter. From there, the chain forks into two distinct branches.
The first attack sequence drops BunnyLoader in order to distribute the Meduza stealer malware, while the second drops the PureLogs loader in order to ultimately deliver the PureLogs stealer.
“In the ever-changing ecosystem of MaaS, BunnyLoader keeps growing, exhibiting the necessity for threat actors to frequently revamp to evade detection,” Unit 42 investigators reported.
The development coincides with the continued use of SmokeLoader malware (also known as Dofoil or Sharik) against the Ukrainian government and financial institutions by a suspected Russian cybercrime group tracked as UAC-006. Activity has been documented since 2011.
In an exhaustive report, the State Cyber Protection Center (SCPC) of Ukraine documented as many as 23 waves of phishing attacks carrying SmokeLoader between May and November 2023.
“Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums,” the unit reported.
Beyond BunnyLoader and SmokeLoader, two further information stealers, Nikki Stealer and GlorySprout, have surfaced. The C++-based GlorySprout is sold for a lifetime subscription fee of $300 and, according to researcher RussianPanda, is an exact replica of Taurus Stealer.
“A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers,” according to the investigator. “Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer.”
Following these findings, a new iteration of WhiteSnake Stealer was identified that enables the theft of sensitive information from compromised systems. “This updated version has eliminated the string decryption code and made the code simple to understand,” according to SonicWall.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.