Zscaler ThreatLabz has recently discovered a rising Malware-as-a-Service (MaaS) threat called “BunnyLoader.” This malicious tool, available on underground forums for $250, is actively being developed and quickly evolving with frequent feature updates and bug fixes.
BunnyLoader, primarily coded in C/C++, operates as a fileless loader, executing its malicious activities in memory. Because little is written to disk, this technique leaves fewer artifacts for file-based detection and makes the malware harder for cybersecurity experts to detect. The malware offers a range of capabilities, including keylogging, clipboard monitoring for hijacking cryptocurrency wallet addresses, and remote command execution (RCE).
Since its initial release on September 4, 2023, BunnyLoader has undergone several iterations, each bringing enhancements and fixes. These updates aim to address bugs, introduce new functionalities, and adapt to thwart analysis attempts. Additionally, the malware now provides options for payload and stub purchases priced at $250 and $350, respectively.
Zscaler published an advisory detailing BunnyLoader’s operations, revealing that the core of its functions lies within the command-and-control (C2) panel. This panel oversees various tasks such as downloading and executing additional malware, keylogging, credential theft, clipboard manipulation for cryptocurrency theft, and remote command execution (RCE). It also offers the threat actor statistics, client tracking, and task management, granting extensive control over infected machines.
The technical analysis conducted by Zscaler’s security researchers uncovered BunnyLoader’s persistence mechanisms, anti-sandbox tactics, and interactions with C2 servers. The malware possesses the capability to identify virtual environments and utilizes various techniques to evade analysis.
Of notable concern is the malware’s keylogger, which captures keystrokes, as well as its stealer component, which exfiltrates a wide range of data, including information from web browsers, cryptocurrency wallets, and VPN clients.
The clipper module embedded within BunnyLoader is another alarming feature. It scans the victim’s clipboard for cryptocurrency addresses and replaces them with controlled wallet addresses, enabling attackers to divert cryptocurrency transactions.
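The behaviour described above, an address the user copied being rewritten almost immediately to a different address of the same type, is something a defender can watch for from the endpoint side. The following is an added example written for this article; it is not code from the Zscaler advisory or from BunnyLoader itself. It models a clipboard monitor as a list of timestamped snapshots (a real agent would supply these from the platform clipboard API), classifies each snapshot with constructed, deliberately loose address patterns, and raises an alert when one address is replaced by another of the same family within a short, assumed window of two seconds. The address strings, the timeline and the threshold are all constructed sample values.

```python
"""Clipboard-substitution detector (added example, not part of the original report).

Models a defender-side monitor: clipboard samples arrive as (timestamp, text)
snapshots, and a change from one cryptocurrency address to a different address
of the same family within a short window is flagged as a likely clipper rewrite.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Approximate, constructed patterns for a few common address formats.
# They are intentionally loose: the goal is classification, not validation.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A clipper rewrites the clipboard within milliseconds of the copy; a person
# copying a second address normally takes much longer. Assumed threshold.
SUBSTITUTION_WINDOW_SECONDS = 2.0


def address_kind(text: str) -> Optional[str]:
    """Return the address family `text` resembles, or None if it is not an address."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass(frozen=True)
class Snapshot:
    timestamp: float  # seconds since the monitor started
    text: str


@dataclass(frozen=True)
class Alert:
    timestamp: float
    kind: str
    original: str
    replacement: str


def detect_substitutions(snapshots: List[Snapshot],
                         window: float = SUBSTITUTION_WINDOW_SECONDS) -> List[Alert]:
    """Flag address -> different-address-of-same-family changes inside `window` seconds.

    Consecutive identical snapshots are ignored, so polling more often than the
    clipboard actually changes does not produce false positives.
    """
    alerts: List[Alert] = []
    previous: Optional[Snapshot] = None
    for snap in snapshots:
        if previous is not None and snap.text != previous.text:
            before, after = address_kind(previous.text), address_kind(snap.text)
            if (before is not None and before == after
                    and snap.timestamp - previous.timestamp <= window):
                alerts.append(Alert(snap.timestamp, before,
                                    previous.text.strip(), snap.text.strip()))
        previous = snap  # the new value becomes the baseline either way
    return alerts


# Constructed sample timeline: the user copies a BTC address and it is rewritten
# 200 ms later; much later the user copies two ETH addresses a minute apart.
SAMPLE_TIMELINE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(10.0, "1DefenderSampAAAAAAAAAAAAAAAAAA"),
    Snapshot(10.2, "1SubstitutedSampBBBBBBBBBBBBBBB"),
    Snapshot(10.7, "1SubstitutedSampBBBBBBBBBBBBBBB"),  # poll with no change
    Snapshot(60.0, "0x" + "a" * 40),
    Snapshot(120.0, "0x" + "b" * 40),  # user copied a different address: no alert
]


def sample_alerts() -> List[Alert]:
    """Run the detector over the constructed timeline."""
    return detect_substitutions(SAMPLE_TIMELINE)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(f"t={alert.timestamp:.1f}s {alert.kind}: "
              f"{alert.original} -> {alert.replacement}")
```

Only the first address change is reported: the switch from BTC to ETH is a different family, and the second ETH address arrives sixty seconds later, well outside the window. Tuning the window and the patterns to the wallets in use is what makes this heuristic useful in practice; on its own it tells you that something rewrote the clipboard, not which process did it.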
Zscaler’s security researchers, Niraj Shivtarkar and Satyam Singh, expressed their commitment to continue monitoring these attacks and to protecting customers from BunnyLoader’s continuously evolving tactics and new features.
Definitions:
– Malware-as-a-Service (MaaS): A model where cybercriminals offer malware tools or services for financial gain.
– Fileless Loader: A type of malware that operates entirely in memory, making it difficult to detect and analyze.
– Command-and-Control (C2) Panel: A central server that manages and controls a network of compromised computers.
– Keylogger: A type of malware that records keystrokes entered by a computer user, potentially capturing sensitive information such as passwords and credit card details.
– Clipboard Monitoring: The process of tracking and capturing the contents of a computer’s clipboard, which can include copied information such as cryptocurrency wallet addresses.
– Remote Command Execution (RCE): The ability to execute commands on a remote system, enabling an attacker to control and manipulate it.
– Anti-Sandbox Tactics: Techniques employed by malware to detect whether it is running in a virtual environment (sandbox) used for analysis and, if so, to evade that analysis.
– Command-and-Control (C2) Servers: Servers used by cybercriminals to communicate with and control infected machines.
Sources: Not provided.