Cybersecurity researchers have identified an updated variant of a stealer and malware loader called BunnyLoader that modularizes its various functions and makes it harder to detect.
"BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims," Palo Alto Networks Unit 42 said in a report published last week.
The new version, dubbed BunnyLoader 3.0, was announced by its developer, who goes by Player (or Player_Bunny), on February 11, 2024, with rewritten modules for information theft, a reduced payload size, and enhanced keylogging capabilities.
BunnyLoader was first documented by Zscaler ThreatLabz in September 2023, which described it as malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It was initially offered on a subscription basis for $250 per month.
The malware has since gone through repeated updates aimed at evading antivirus defenses and expanding its data-gathering features, with BunnyLoader 2.0 released by the end of the same month.
The third generation of BunnyLoader goes a step further by not only adding denial-of-service (DoS) features to mount HTTP flood attacks against a target URL, but also splitting its stealer, clipper, keylogger, and DoS modules into separate binaries.
"Operators of BunnyLoader can choose to deploy these modules or use BunnyLoader's built-in commands to load their choice of malware," Unit 42 explained.
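The HTTP flood module mentioned above is, from the defender's side, a volumetric pattern: one source repeatedly requesting the same URL far faster than a browser would. The following Python is an added example written for this page, not code from Unit 42 or from the malware itself; it parses combined-format web server access logs (a constructed sample is embedded inline, not real traffic) and flags any source/path pair that reaches a request threshold inside a sliding time window. The window length and threshold are assumed values that a practitioner would tune to their own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, path, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("path"), ts


def find_flood_sources(lines, window_seconds=10, threshold=20):
    """Flag (ip, path) pairs whose request count within any sliding window of
    window_seconds reaches threshold. Returns {(ip, path): peak_count}.
    Thresholds here are assumed illustrative values, not a recommendation."""
    times_by_key = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, path, ts = parsed
        times_by_key[(ip, path)].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()  # multi-worker servers can append lines slightly out of order
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past requests that are too old
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def make_sample():
    """Constructed sample log (not real traffic): one client hammering a single
    URL at roughly 7 requests per second, one client browsing normally, and one
    junk line to show that unparseable input is tolerated."""
    base = datetime(2024, 2, 12, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=150 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /api/status HTTP/1.1" 200 17 "-" "python-requests/2.31"')
    for i in range(5):
        ts = (base + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for (ip, path), count in find_flood_sources(make_sample()).items():
        print(f"possible HTTP flood: {ip} -> {path} ({count} requests in a 10s window)")
```

Counting per source and per path, rather than per source alone, is what separates a flood aimed at one target URL from a busy but legitimate client that touches many pages; in production the same logic would run over a tail of the live log rather than a constructed list.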
Infection chains delivering BunnyLoader have also become progressively more sophisticated, leveraging a previously undocumented dropper to load PureCrypter, which then forks into two separate branches.
While one branch launches the PureLogs loader to ultimately deliver the PureLogs stealer, the second attack sequence drops BunnyLoader to distribute another stealer malware known as Meduza.
"In the ever-evolving landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection," Unit 42 researchers said.
The development comes amid the ongoing use of the SmokeLoader malware (aka Dofoil or Sharik) by a suspected Russian cybercrime crew tracked as UAC-0006 to target Ukrainian government and financial entities. SmokeLoader is known to have been active since 2011.
As many as 23 phishing attack waves delivering SmokeLoader were recorded between May and November 2023, according to an exhaustive report published by Ukraine's State Cyber Protection Centre (SCPC).
"Primarily a loader with additional information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available in Russian cybercrime forums," Unit 42 said.
Adding to BunnyLoader and SmokeLoader is a new information stealer malware codenamed GlorySprout, which is written in C++ and offered for $300 for lifetime access. According to the researcher RussianPanda, the stealer is a clone of Taurus Stealer.
"A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers," the researcher said. "Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer."
Some parts of this article are sourced from:
thehackernews.com