New BunnyLoader Malware Variant Surfaces with Modular Attack Features

New BunnyLoader Malware Variant Surfaces with Modular Attack Features

March 20, 2024 at 06:24AM

Cybersecurity researchers have identified the advanced BunnyLoader 3.0 malware, capable of stealing information and cryptocurrency, while delivering additional malware to victims. The malware, developed by Player, has seen frequent updates aimed at evading detection and expanding its functionalities. It is part of the evolving landscape of malware-as-a-service.

Based on the meeting notes dated Mar 20, 2024, the key takeaways are:

1. BunnyLoader 3.0, a dynamically developing malware, has been identified as capable of stealing information, credentials, and cryptocurrency. It also has the ability to deliver additional malware to its victims. The new version includes rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities.

2. BunnyLoader was initially documented in September 2023 as malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It has since undergone frequent updates to evade antivirus defenses and expand on its data gathering functions.

3. The third generation of BunnyLoader introduces new denial-of-service (DoS) features for mounting HTTP flood attacks against a target URL. Its various modules have been split into distinct binaries, allowing operators to choose which modules to deploy or to use BunnyLoader’s built-in commands to load their choice of malware.

4. Infection chains delivering BunnyLoader have become progressively more sophisticated, utilizing a previously undocumented dropper to loader PureCrypter, which then forks into two separate branches. One branch launches the PureLogs loader to deliver the PureLogs stealer, while the second branch drops BunnyLoader to distribute another stealer malware called Meduza.

5. SmokeLoader malware, used by a suspected Russian cybercrime crew called UAC-006 to target the Ukrainian government and financial entities, has been active since 2011. It primarily functions as a loader with added information-stealing capabilities, and has been linked to Russian cybercrime operations. 23 phishing attack waves delivering SmokeLoader were recorded between May and November 2023.

6. A new information stealer malware called GlorySprout, developed in C++ and offered for $300 for a lifetime access, has been identified as a clone of Taurus Stealer, with notable differences in its functionality.

For further exclusive content, follow on Twitter and LinkedIn.

Full Article