Rewterz Threat Alert – Emergence of BunnyLoader: New Malware-as-a-Service Unveiled in the Cybercrime Underground – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have recently discovered a malware-as-a-service dubbed as BunnyLoader emerging as a new threat for sale in the cybercrime market. It is capable of executing remote commands, keylogging, and clipping.

“BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more,” the cybersecurity experts said.

The malware’s C/C++-based loader is advertised for $250 for a lifetime license and is said to be under frequent development since September 2023, when it first emerged. The creator continues to add new features for anti-sandbox and antivirus evading techniques.

One of the key features of BunnyLoader is its fileless loading that can make it hard for antivirus software to remove the malware. The buyers are able to use the C2 panel in order to monitor infection statistics, active tasks, stealer logs, and the total number of connected and inactive compromised devices.

The exact way of gaining initial access is not known currently. After installation, the malware becomes persistent using a Windows Registry change and checks for any active virtual machines or sandboxes. Finally, it sends out task requests to its remote server to get the desired response and start its malicious activity.

It uses Trojan Downloader tasks to execute the next-stage malware, runs keylogger and stealer to exfiltrate data from messaging apps, and a clipper to redirect cryptocurrency payments into the threat actor’s wallet. In the end, it contains all the harvested data into a ZIP file and sends it to the actor-controlled server.

This follows the discovery of a new Windows-based loader called MidgeDropper, and two infostealer strains named Agniane Stealer and The-Murk-Stealer. Cybercriminals are also using the features of existing MaaS platforms and upgrading them to be able to evade detection by security tools. This also gives rise to a new variant of RedLine Stealer, that is distributed using different ways and is constantly being developed.

The affordability of BunnyLoader, coupled with its swift development process, positions it as an attractive option for cybercriminals looking to capitalize on nascent malware projects at lower costs before their popularity surges, leading to higher prices.

Impact

• Sensitive Data Theft
• Financial Loss
• Credential Theft

Indicators of Compromise

IP

• 37.139.129.145

MD5

• dbf727e1effc3631ae634d95a0d88bf3
• bbf53c2f20ac95a3bc18ea7575f2344b
• 59ac3eacd67228850d5478fd3f18df78

SHA-256

• 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79
• 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69
• 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f

SHA-1

• c02d2a18eca78b91b4c4e9e7a45c8d17c8c5bbca
• 059d27dbb4777ed1f17b2aa42c0e7c19ad29b304
• cdc11d2244321b850fad88a92e704a8ce2255ca7

URL

• http://37.139.129.145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Employ web filtering tools to block access to known malicious websites and domains.
• Enforce the principle of least privilege, ensuring that users and systems only have access to the resources and permissions necessary for their roles.
• Segment your network to limit lateral movement of malware in case of an infection.
• Use EDR solutions to detect and respond to suspicious activities on endpoints.
• Enforce strong password policies, implement multi-factor authentication (MFA), and use secure authentication methods.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a ransomware attack or data loss.
• Implement a SIEM system to centralize and analyze security event data from various sources for proactive threat detection.
• Conduct penetration testing and red team exercises to identify and remediate vulnerabilities proactively.