A new malware-as-a-service option for cybercriminals known as BunnyLoader was released on September 4th, 2023. It has since seen a variety of updates and has reached version 2.0. As one might expect from any number of the “as a service” monikers, malware-as-a-service is a business model for cybercriminals. The business model is such that malware and its associated infrastructure are provided to customers for a fee. This can also be seen as a variation to the software-as-a-service model.
Those who are in charge and provide this service to customers are generally referred to as “operators.” These are typically organized groups, some of which can have very clearly defined internal roles, such as malware developer, system admin, or technical support. The actual service that customers buy is often known as an “affiliate program,” and a purchase can be made in a variety of ways. Malware may be offered for a one-time fee, there could be a monthly or yearly subscription, or there could even be an agreement between the operator and customer for profit sharing.
A recent Kapersky analysis indicates that there are many types of malware distributed by malware-as-a-service operators. The type that seems to be distributed most often include ransomware like Conti or Lockbit, which are intended to block access to user data and demands a fee for reinstatement. Another group is infostealers like RedLine or Vidar, which are malware that collects user data and sends it to attackers. Other types include loaders like SmokeLoader, which downloads additional malicious software onto a user’s system, and backdoors like Warzone RAT, which is malware that gives attackers remote access to a system.
Zscaler ThreatLabz discovered listings on various forums in early September advertising a new malware called BunnyLoader. These listings were created by a user named PLAYER_BUNNY, who also goes by PLAYER_BL. The initial 1.0 version of BunnyLoader was released on September 4th, with the cost being $250 for lifetime access. In its current state, for $350, customers can get a “private stub” version, which is said to have stronger anti-analysis, in-memory injection, antivirus evasion and additional persistence mechanisms.
The software was written in C/C++ and has been under extremely rapid development since release, as we’ll be covering here shortly. At the time of release, BunnyLoader boasted a variety of features like fileless loading, which means that downloads and execution of later stages take place in memory, info stealing and clipping, remote command execution, anti-analysis features, and a web admin panel for reviewing logs, clients, and active tasks.
As mentioned previously, BunnyLoader has gone through some very rapid development. At the time of writing, BunnyLoader has received 10 updates since its release and is currently on version 2.0. These updates cover a number of bases, as we can see from the list provided below. To summarize, we can see that the various updates have been addressing bugs, providing updates to the info stealing capabilities, adding anti-sandbox functionality, and improving antivirus evasion.
(Source: BleepingComputer)
In terms of overall features, BunnyLoader has a lot to offer. Functionality is divided into four primary areas. The first area is the trojan downloader, which enables customers to download and /or execute second-stage payloads. The next area is intrusion, which enables customers to run a keylogger or run an info stealer. The info stealing module is able to steal data stored in web browsers, crypto wallets, VPNs, messaging apps, and the like. Stolen data is exfiltrated to a command-and-control server, as one would expect.
The third task area is clipping, which is intended for scanning a user’s clipboard for content that might match cryptocurrency wallet addresses, which can then be manipulated from the control panel. Targeted cryptocurrencies include Bitcoin, Monero, Ethereum, and Dogecoin, among a few others. The last task area is remote command execution, which enables remote commands to be run on user’s systems from the BunnyLoader control panel.
To summarize, malware-as-a-service is a business model for cybercriminals such that customers are offered access to malware and any associated infrastructure for a fee. The types of malware that can be distributed in this way will typically include ransomware, infostealers, loaders, backdoors, or in the case of BunnyLoader, perhaps all of the above. The BunnyLoader malware-as-a-service was discovered in early September and version 1.0 released on September 4th. It has since then gone through quite a bit of development and currently sits at version 2.0 at the time of writing. It boasts a large number of features like detection and evasion of antivirus software like 360 Total Security or Comodo, and detection of sandbox environments like Sandboxie or Docker. In terms of malicious tasks, it provides a number of avenues for its customers like deploying secondary payloads, running keyloggers or info stealers, clipboard scanning for stealing cryptocurrency data, and simply enabling remote command execution.
[1]: https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/
[2]: https://securelist.com/malware-as-a-service-market/109980/
[3]: https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service
[4]: https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments