BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that’s being advertised for sale on the cybercrime underground.
“BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more,” Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week.
Among its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim’s clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses.
A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion techniques.
Also fixed as part of updates released on September 15 and September 27, 2023, are issues with command-and-control (C2) as well as “critical” SQL injection flaws in the C2 panel that would have granted access to the database.
A key selling point of BunnyLoader, according to the author PLAYER_BUNNY (aka PLAYER_BL), is its fileless loading feature that “makes it difficult for the antiviruses to remove the attackers malware.”
The C2 panel provides options for buyers to monitor active tasks, infection statistics, the total number of connected and inactive hosts, and stealer logs. It also provides the ability to purge information and remotely control the compromised machines.
The exact initial access mechanism used to distribute BunnyLoader is currently unclear. Once installed, the malware sets up persistence via a Windows Registry change and performs a series of sandbox and virtual machine checks before activating its malicious behavior by sending task requests to the remote server and fetching the desired responses.
This includes Trojan Downloader tasks to download and execute next-stage malware, Intruder to run keylogger and stealer for harvesting data from messaging apps, VPN clients, and web browsers, and Clipper to redirect cryptocurrency payments and profit off illicit transactions.
The final step entails encapsulating all the collected data into a ZIP archive and transmitting it to the server.
“BunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets,” the researchers said.
The findings follow the discovery of another Windows-based loader called MidgeDropper that is likely distributed via phishing emails to deliver an unnamed second-stage payload from a remote server.
The development also comes amid the debut of two new information stealer malware strains named Agniane Stealer and The-Murk-Stealer that supports the theft of a wide range of information from breached endpoints.
While Agniane Stealer is available as a monthly subscription for $50, the latter is available on GitHub for allegedly educational purposes, making it ripe for abuse by other threat actors. Some of the other stealers hosted on GitHub include Stealerium, Impost3r, Blank-Grabber, Nivistealer, Creal-stealer, and cstealer.
“While claiming the tool is for educational purposes, the author’s contradiction arises when urging not to upload the final binary to platforms like VirusTotal (VT), where antivirus solutions can detect its signature,” Cyfirma said.
It’s not just new malware services, as cybercriminals are also augmenting features of existing MaaS platforms with updated attack chains to evade detection by security tools. This encompasses a variant of the RedLine Stealer that employs a Windows Batch script to launch the malware.
“[RedLine Stealer] is being distributed by various means and threat actors are continuously making changes to the techniques to make it undetectable for an extended period of time,” the cybersecurity firm said. “It is also being sold on the underground forums and encouraging cybercriminals to accomplish their evil intentions.”