There's a dangerous new malware-as-a-service on the rise - here's what you need to know


A brand new malware-as-a-service (MaaS), capable of a wide range of malicious actions, is being offered on the dark web, researchers have found.

Cybersecurity experts from Zscaler ThreatLabz observed a MaaS called BunnyLoader being offered online for $250 (lifetime license). 

After further analysis, the researchers discovered all of the things BunnyLoader can do - from deploying stage-two malware to stealing passwords stored in browsers to grabbing system information. Furthermore, BunnyLoader can run remote commands on the infected endpoint, capture keystrokes via an integrated keylogger, and monitor the clipboard for cryptocurrency wallets.


C2 panel features

If a victim decides to send a cryptocurrency payment from one address to another, they’d usually copy and paste the recipient’s address in the app, mostly because wallet addresses are a long string of random letters and numbers. When malware monitors the clipboard, it can detect when the victim copies a wallet address and can replace the contents in the clipboard with an address belonging to the attacker. Thus, when a payment is initiated, the funds go to the attacker’s account.
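The address swap described above leaves a detectable trace on the host: the value read back from the clipboard is a wallet address of the same format as, but different from, the one the user actually copied. The following added example (not from the article or from Zscaler's research) models that check in Python; the regexes cover only Bitcoin and Ethereum address shapes and all sample values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Loose shape checks for two common wallet formats (assumption: sufficient to
# illustrate the detection; a production monitor would cover more chains).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str) -> Optional[str]:
    """Return which wallet format `text` looks like, or None if it is not an address."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


@dataclass
class ClipboardMonitor:
    """Remembers what the user last placed on the clipboard and flags a later
    read that yields a different address of the same kind: the signature of
    a clipper replacing the recipient with the attacker's wallet."""
    last_copied: Optional[str] = None
    alerts: list = field(default_factory=list)

    def on_user_copy(self, text: str) -> None:
        self.last_copied = text

    def on_clipboard_read(self, text: str) -> Optional[dict]:
        expected = self.last_copied
        if expected is None or text == expected:
            return None          # unchanged, or nothing to compare against
        kind = wallet_kind(expected)
        if kind is not None and wallet_kind(text) == kind:
            alert = {"kind": kind, "expected": expected, "found": text}
            self.alerts.append(alert)
            return alert
        return None              # ordinary text edits are not interesting


if __name__ == "__main__":
    # Constructed scenario: user copies an ETH address, a clipper swaps it.
    monitor = ClipboardMonitor()
    monitor.on_user_copy("0x" + "a" * 40)
    print(monitor.on_clipboard_read("0x" + "b" * 40))
```

In a real deployment the `on_user_copy` event would come from the application or an input hook and `on_clipboard_read` from a periodic poll, with the alert forwarded to the endpoint agent.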

BunnyLoader was written in C/C++ by a threat actor named PLAYER_BUNNY (aka PLAYER_BL). It has been under active development since early September this year, allegedly getting new features and enhancements every day. Some of the newer upgrades include anti-sandbox and antivirus evasion techniques, made possible via a fileless loading feature.

Hackers who buy a license can also expect a C2 panel to monitor all active tasks, keep track of infection statistics, track connected and inactive hosts, and more.

The only thing that remains a mystery with BunnyLoader is how it makes it to the victim’s endpoints, as the researchers were unable to discover any initial access mechanisms. 

"BunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets," the researchers concluded.

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.