New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

November 18, 2024 at 12:57PM

Researchers have identified a new malware loader called BabbleLoader, designed to evade detection and deliver information stealers like WhiteSnake and Meduza. It employs various evasion techniques, including runtime resolution and unique code for each sample, complicating analysis. This loader highlights the growing complexity of malware delivery methods.

**Meeting Takeaways – November 18, 2024 – Ravie Lakshmanan: Threat Intelligence / Ransomware**

1. **Introduction of BabbleLoader:**
– A new evasive malware loader named BabbleLoader has been identified.
– It is primarily used to deliver information stealer families such as WhiteSnake and Meduza.

2. **Loader Characteristics:**
– BabbleLoader employs advanced defensive mechanisms designed to bypass antivirus and sandbox environments.
– The loader uses various evasion techniques, including:
– Junk code and metamorphic transformations.
– Dynamic function resolution at runtime to counter static analysis.

3. **Target Demographics:**
– Campaigns utilize BabbleLoader to target both English and Russian-speaking users.
– Specific focus on individuals seeking cracked software and professionals in finance and administration (masquerading as accounting software).

4. **Trend of Loader Usage:**
– Loaders have become a common initial stage in cyber attacks.
– Other notable loader families mentioned include Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader.

5. **Unique Features of BabbleLoader:**
– Each instance of BabbleLoader has unique strings, metadata, code structures, hashes, and encryption.
– The variations compel AI detection models to continuously adapt, resulting in potential missed detections or false positives.

6. **Malware Campaign Overview:**
– Rapid7 reported on a new LodaRAT variant that can steal sensitive information from browsers like Microsoft Edge and Brave, and perform various malicious activities.
– Recent distributions employ techniques facilitated by Donut loader and Cobalt Strike.
– The relationship between LodaRAT and other malware families (e.g., AsyncRAT, Remcos, XWorm) remains unclear.

7. **Additional Malware Discoveries:**
– Introduction of Mr.Skeleton RAT, based on njRAT, featuring remote access and control capabilities, including file manipulation and keylogging.

**Action Items:**
– Stay updated on emerging malware threats, particularly BabbleLoader and its implications for cybersecurity.
– Enhance awareness regarding loader techniques and their evolving nature in the threat landscape.
– Consider strategies for improving detection methods against these sophisticated malware loaders.

Full Article