INDIA NEWS (http://www.indiavpn.org)

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet
http://www.indiavpn.org/2024/04/09/10-year-old-rubycarp-romanian-hacker-group-surfaces-with-botnet/
Tue, 09 Apr 2024 15:33:19 +0000

Apr 09, 2024 | Newsroom | Botnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.

“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.

In a sign that the attackers are broadening their arsenal of initial access methods to grow the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.

RUBYCARP’s arrival on the cyber threat scene is not surprising given its ability to use the botnet to fuel diverse illicit income streams, such as crypto mining and phishing operations that steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

“These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” Sysdig said. “They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations.”

New BunnyLoader Malware Variant Surfaces with Modular Attack Features
http://www.indiavpn.org/2024/03/20/new-bunnyloader-malware-variant-surfaces-with-modular-attack-features/
Wed, 20 Mar 2024 10:29:41 +0000

Mar 20, 2024 | Newsroom | Cybercrime / Financial Security

Cybersecurity researchers have discovered an updated variant of a stealer and malware loader called BunnyLoader that modularizes its various functions and allows it to evade detection.

“BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims,” Palo Alto Networks Unit 42 said in a report published last week.

The new version, dubbed BunnyLoader 3.0, was announced by its developer named Player (or Player_Bunny) on February 11, 2024, with rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities.

BunnyLoader was first documented by Zscaler ThreatLabz in September 2023, describing it as malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It was initially offered on a subscription basis for $250 per month.

The malware has since undergone frequent updates that are aimed at evading antivirus defenses as well as expanding on its data gathering functions, with BunnyLoader 2.0 released by the end of the same month.

The third generation of BunnyLoader goes a step further by not only incorporating new denial-of-service (DoS) features to mount HTTP flood attacks against a target URL, but also splitting its stealer, clipper, keylogger, and DoS modules into distinct binaries.

“Operators of BunnyLoader can choose to deploy these modules or use BunnyLoader’s built-in commands to load their choice of malware,” Unit 42 explained.

Infection chains delivering BunnyLoader have also become progressively more sophisticated, leveraging a previously undocumented dropper to load PureCrypter, which then forks into two separate branches.

While one branch launches the PureLogs loader to ultimately deliver the PureLogs stealer, the second attack sequence drops BunnyLoader to distribute another stealer malware called Meduza.

“In the ever changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection,” Unit 42 researchers said.

The development comes amid the continued use of SmokeLoader malware (aka Dofoil or Sharik) by a suspected Russian cybercrime crew called UAC-006 to target the Ukrainian government and financial entities. The group is known to have been active since 2011.

As many as 23 phishing attack waves delivering SmokeLoader were recorded between May and November 2023, according to an exhaustive report published by Ukraine’s State Cyber Protection Center (SCPC).

“Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums,” Unit 42 said.

Adding to BunnyLoader and SmokeLoader is a new information stealer malware codenamed GlorySprout, which is developed in C++ and offered for $300 for lifetime access. According to RussianPanda, the stealer is a clone of Taurus Stealer.

“A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers,” the researcher said. “Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer.”

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility
http://www.indiavpn.org/2024/01/30/new-zloader-malware-variant-surfaces-with-64-bit-windows-compatibility/
Tue, 30 Jan 2024 20:17:14 +0000

Jan 30, 2024 | Newsroom | Malware / Cyber Threat

Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet’s infrastructure was dismantled in April 2022.

A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month.

“The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time,” researchers Santiago Vicente and Ismael Garcia Perez said.

ZLoader, also known by the names Terdot, DELoader, or Silent Night, is an offshoot of the Zeus banking trojan that first surfaced in 2015, before pivoting to functioning as a loader for next-stage payloads, including ransomware.

Typically distributed via phishing emails and malicious search engine ads, ZLoader suffered a huge blow after a group of companies led by Microsoft’s Digital Crimes Unit (DCU) seized control of 65 domains that were used to control and communicate with the infected hosts.

The latest versions of the malware, tracked as 2.1.6.0 and 2.1.7.0, incorporate junk code and string obfuscation to resist analysis efforts. Each ZLoader artifact also requires a specific filename before it will execute on the compromised host.

“This could evade malware sandboxes that rename sample files,” the researchers noted.

In addition to encrypting the static configuration using RC4 with a hard-coded alphanumeric key to conceal information related to the campaign name and the command-and-control (C2) servers, the malware has been observed relying on an updated version of the domain generation algorithm as a fallback measure in the event the primary C2 servers are inaccessible.

The backup communications method was first discovered in ZLoader version 1.1.22.0, which was propagated as part of phishing campaigns detected in March 2020.

“Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks,” the researchers said. “The operational takedown temporarily stopped the activity, but not the threat group behind it.”

The development comes as Red Canary warned of an increase in the volume of campaigns leveraging MSIX files to deliver malware such as NetSupport RAT, ZLoader, and FakeBat (aka EugenLoader), since July 2023, prompting Microsoft to disable the protocol handler by default in late December 2023.

It also follows the emergence of new stealer malware families such as Rage Stealer and Monster Stealer that are being used as an initial access pathway for information theft and as a launching pad for more severe cyber attacks.
