Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads

by Esmeralda McKenzie

A previously undocumented .NET loader that downloads, decrypts, and executes a wide range of malicious payloads was identified during routine threat hunting.

Multiple threat actors widely distributed this new loader in early June 2023 through the following mediums:

  • Malicious phishing emails
  • Fake YouTube videos
  • Fake websites mimicking legitimate websites
Distribution mediums (Source – Sekoia)

The cybersecurity researchers at Sekoia identified this new .NET loader and named it “CustomerLoader.”

Security analysts chose this name because its Command and Control (C2) communications contain the term “customer” and because of its loading functionality.

.NET Loader to Deliver Payloads

CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families, such as:

  • Infostealers
  • Remote Access Trojans (RATs)
  • Commodity ransomware

In March 2023, security experts at Check Point publicly documented dotRunpeX as a .NET injector equipped with multiple anti-analysis techniques.

An affiliation between CustomerLoader and an undisclosed Loader-as-a-Service is highly likely.

The dotRunpeX developer may have added CustomerLoader as a stage that runs before the injector is executed.

Infection chain (Source – Sekoia)

CustomerLoader samples use multiple code obfuscation techniques and disguise themselves as legitimate apps. This slows down and prolongs analysis, likely thanks to easy-to-use .NET code obfuscation tools.

Many such tools are listed in the NotPrab/.NET-Obfuscator GitHub repository and are accessible even to non-experts.

CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext inside the PE.

CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll so that it returns AMSI_RESULT_CLEAN, bypassing antivirus. Every scanned buffer is thereby reported as clean, which lets the malicious payloads execute without being flagged.

Function that patches AmsiScanBuffer (Source – Sekoia)

The loader executes the customer payload following this process:

  • CustomerLoader downloads an HTML page from an embedded URL.
  • A base64-encoded string is extracted using the regex: “/!!!(.*?)!!!/”
  • The base64 string is then decoded and decrypted.
  • The payload is then executed in memory using the reflective code technique.
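As an added analyst-side example (not Sekoia's code and not part of the original article), the following Python script reproduces the first two steps of that process on a fetched page: it pulls the base64 string out of the “!!!…!!!” envelope, decodes it, and runs the checks an analyst would make before trying the AES-ECB decryption step (block alignment, entropy, absence of a PE header). The HTML sample and the 32-byte stand-in ciphertext are constructed here; the function names are my own.

```python
import base64
import binascii
import math
import re
from typing import Optional

# Marker pattern reported in the analysis: the base64 payload sits between "!!!" delimiters.
MARKER_RE = re.compile(r"!!!(.*?)!!!", re.DOTALL)


def extract_envelope(html: str) -> Optional[bytes]:
    """Return the base64-decoded blob found between the first !!!...!!! pair, or None."""
    m = MARKER_RE.search(html)
    if not m:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))  # tolerate line breaks inside the blob
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES ciphertext sits near 8.0, a plaintext PE noticeably lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(blob: bytes) -> dict:
    """Checks an analyst runs before attempting the AES-ECB decryption step."""
    return {
        "size": len(blob),
        # ECB ciphertext length is always a multiple of the 16-byte AES block
        "aes_block_aligned": len(blob) % 16 == 0,
        "entropy": round(shannon_entropy(blob), 2),
        # a still-encrypted blob will not start with the PE "MZ" signature
        "looks_like_pe": blob[:2] == b"MZ",
    }


# Constructed sample: a stand-in 32-byte "ciphertext" wrapped the way the loader expects.
SAMPLE_BLOB = bytes(range(32))
SAMPLE_HTML = (
    "<html><body><h1>Welcome</h1>\n!!!"
    + base64.b64encode(SAMPLE_BLOB).decode()
    + "!!!\n</body></html>"
)
```

Running `triage(extract_envelope(SAMPLE_HTML))` on the sample reports a 32-byte, block-aligned, non-PE blob, i.e. the shape expected of a still-encrypted stage that needs the key carried in the loader's PE.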

The code reflection routine is obfuscated by shuffling, and .NET functions are loaded using the following method:

  • NewLateBinding.LateGet

The CustomerLoader samples retrieve the encrypted payloads from their C2 server, with each payload linked to a specific customer ID and hosted at:

  • hxxp://$C2/customer/$ID

The CustomerLoader samples connected directly to the C2 server IP 5.42.94[.]169 over HTTP between 31 May and 20 June 2023. On 20 June 2023 the C2 server switched to the domain kyliansuperm92139124[.]sbs over HTTPS, protected by Cloudflare.

The domain acts as a proxy, while the backend server remains 5.42.94[.]169. According to Sekoia.io analysts, this C2 server change likely aims to evade network detection and hinder security researchers’ analysis.
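As an added detection example (my own code, not from Sekoia or the article), the script below scans HTTP proxy log lines for the C2 pattern described above: requests to the two reported C2 hosts, and, at lower confidence, the `/customer/<id>` URI shape on any other host, which would also catch the server moving again. The log layout, the sample lines and the `example.org` stand-in host are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts and URI shape reported in the analysis: hxxp://$C2/customer/$ID
KNOWN_C2_HOSTS = {"5.42.94.169", "kyliansuperm92139124.sbs"}
CUSTOMER_PATH_RE = re.compile(r"^/customer/(\d+)$")

# Assumed log layout (constructed for this example): ts src_ip method host path status
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    customer_id: str
    reason: str


def scan_line(line: str) -> Optional[Hit]:
    """Flag a request to a known C2 host, or the /customer/<id> shape on any host."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, host, path, _status = m.groups()
    pm = CUSTOMER_PATH_RE.match(path)
    if host in KNOWN_C2_HOSTS:
        return Hit(ts, src, host, pm.group(1) if pm else "", "known CustomerLoader C2 host")
    if pm:
        # Same URI shape on an unlisted host: lower confidence, catches a relocated C2
        return Hit(ts, src, host, pm.group(1), "customer/<id> URI pattern")
    return None


def scan(lines) -> List[Hit]:
    return [h for h in (scan_line(l) for l in lines) if h]


# Constructed sample proxy log; example.org stands in for an unknown host.
SAMPLE_LOG = """
2023-06-15T10:01:02Z 10.0.0.5 GET 5.42.94.169 /customer/735 200
2023-06-21T08:00:00Z 10.0.0.7 GET kyliansuperm92139124.sbs /customer/798 200
2023-06-21T08:05:00Z 10.0.0.9 GET example.org /customer/42 200
2023-06-21T08:06:00Z 10.0.0.9 GET example.org /customers/list 200
2023-06-21T08:07:00Z 10.0.0.5 POST example.org /index.html 404
""".strip().splitlines()
```

On the sample log `scan(SAMPLE_LOG)` returns three hits: two for the known hosts (customer IDs 735 and 798) and one lower-confidence hit for the URI pattern on the unknown host; the `/customers/list` line does not match.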

Malware Families Distributed

Below are all the malware families distributed by CustomerLoader:

  • Redline
  • Formbook
  • Vidar
  • Stealc
  • Raccoon
  • Lumma
  • StormKitty
  • AgentTesla
  • DarkCloud
  • Kraken Keylogger
  • AsyncRAT
  • Quasar
  • Remcos
  • XWorm
  • njRAT
  • WarzoneRAT
  • BitRAT
  • NanoCore
  • SectopRAT
  • LgoogLoader
  • Amadey
  • Variant of WannaCry
  • TZW ransomware

CustomerLoader distributes the following malware families, each associated with a specific number of unique botnets:

  • Redline: over 80 botnets
  • Quasar: 45 botnets
  • Vidar: 9 botnets
  • Remcos: 6 botnets
  • Stealc: 4 botnets
  • Formbook: 4 botnets

CustomerLoader, when combined with the dotRunpeX injector, increases compromise rates by reducing detection of the final payload, despite lacking advanced techniques.

IoCs

  • hxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z: Payload delivery URL
  • d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9: Archive
  • 3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/735: CustomerLoader’s C2 URL
  • hxxps://telegra[.]ph/Stout-Version-06-03-2: Malicious redirection webpage
  • hxxps://tinyurl[.]com/bdz2uchr: Shortened URL redirecting to the payload delivery URL
  • hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file: Payload delivery URL
  • hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file: Payload delivery URL
  • 65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f: Archive
  • 7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc: Archive
  • c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/770: CustomerLoader’s C2 URL
  • 45.9.74[.]99: Raccoon stealer’s C2
  • 5.42.65[.]69: Raccoon stealer’s C2
  • hxxps://slackmessenger[.]keep/: Malicious webpage impersonating the Slack website
  • hxxps://slackmessenger[.]pw/slack.zip: Payload delivery URL
  • 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6: Archive
  • b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca: CustomerLoader payload
  • hxxp://5.42.94[.]169/customer/798: CustomerLoader’s C2 URL
  • missunno[.]com:80: Redline stealer’s C2

Source credit : cybersecuritynews.com
