Cybersecurity researchers have recently uncovered a new malware-as-a-service (MaaS) threat known as BunnyLoader, which is being advertised for sale on the dark web.
According to an analysis by Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh, BunnyLoader offers various functionalities, including the ability to download and execute a second-stage payload, steal browser credentials and system information, and more.
Among its capabilities are the ability to run remote commands on infected machines, capture keystrokes with a keylogger, and monitor the victim’s clipboard to replace cryptocurrency wallet addresses with controlled addresses.
BunnyLoader is a C/C++-based loader available for a lifetime license at a price of $250. It has been continuously developed since its debut on September 4, 2023, with regular updates incorporating anti-sandbox and antivirus evasion techniques.
Recent updates on September 15 and September 27, 2023, addressed command-and-control (C2) issues and critical SQL injection flaws in the C2 panel, which could have granted unauthorized access to the database.
One of BunnyLoader’s key selling points, highlighted by the author PLAYER_BUNNY (aka PLAYER_BL), is its fileless loading feature, which makes it challenging for antivirus software to remove the attacker’s malware.
The C2 panel provides buyers with options to monitor active tasks, infection statistics, the total number of connected and inactive hosts, and stealer logs. It also allows for information purging and remote control of compromised machines.
The exact method used to initially distribute BunnyLoader remains unclear. Once installed, the malware establishes persistence through a Windows Registry change and undergoes sandbox and virtual machine checks before executing its malicious behavior. It communicates with a remote server to send task requests and retrieve responses.
These tasks include downloading and executing next-stage malware, running keyloggers and stealers to collect data from messaging apps, VPN clients, and web browsers, and using clippers to redirect cryptocurrency payments for illicit transactions.
The collected data is then compressed into a ZIP archive and transmitted to the server.
Researchers note that BunnyLoader is continuously evolving its tactics and adding new features to carry out successful campaigns against its targets.
This discovery comes in the wake of another Windows-based loader called MidgeDropper, likely distributed through phishing emails, which delivers a second-stage payload from a remote server.
Additionally, two new information stealer malware strains, Agniane Stealer and The-Murk-Stealer, have been identified. Agniane Stealer is available as a monthly subscription for $50, while The-Murk-Stealer is hosted on GitHub for educational purposes but may be abused by threat actors.
Cybercriminals are also enhancing existing MaaS platforms, such as RedLine Stealer, by updating attack chains to evade detection by security tools. RedLine Stealer is distributed through various means and continuously modified to remain undetectable for extended periods.
These developments highlight the ongoing efforts of cybercriminals to create and improve malicious tools for their malicious intentions.
CyberSec84 | Cybersecurity news. 
Leave a comment