A newly emerged malware-as-a-service (MaaS), capable of executing a wide array of malicious activities, has been identified on the dark web, raising significant concerns among cybersecurity experts.
Researchers from Zscaler ThreatLabz recently observed a MaaS titled BunnyLoader available for purchase online, with a lifetime license priced at $250.
A detailed analysis by the researchers revealed the full scope of BunnyLoader’s capabilities. The service can deploy stage-two malware, steal stored browser passwords, extract system information, execute remote commands on compromised endpoints, capture keystrokes via a built-in keylogger, and monitor the clipboard for cryptocurrency wallet addresses.
One particularly insidious feature of BunnyLoader involves its monitoring of the clipboard. When a victim intends to send a cryptocurrency payment, they typically copy and paste the recipient’s wallet address due to the complexity of these addresses. Malware that monitors the clipboard can detect when the victim copies a wallet address and surreptitiously replace it with an address controlled by the attacker. Consequently, any initiated payment directs funds to the attacker’s account.
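The clipboard-swapping behaviour described above can be spotted from the defender's side by correlating the user's own copy actions with periodic reads of the clipboard: an address the user copied should not turn into a different address without another copy action in between. The following script is an added example written for this article, not code from Zscaler ThreatLabz or from BunnyLoader. The event model, the wallet-address patterns and the sample event stream are all constructed assumptions; the patterns are a triage heuristic, not a checksum-validating address parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed address patterns for this example. They cover common formats but
# perform no checksum validation, so treat a match as "looks like an address".
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the wallet format the text resembles, or None if it is ordinary text."""
    candidate = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class ClipboardEvent:
    t: float      # seconds since monitoring started (assumed event model)
    source: str   # "user_copy": a copy the user performed; "poll": periodic clipboard read
    text: str


def detect_clipboard_swaps(events: List[ClipboardEvent]) -> List[dict]:
    """Flag polls where a user-copied wallet address has changed to a different address.

    A change is suspicious only when both the copied value and the observed value
    look like wallet addresses and no user copy action happened in between.
    """
    alerts: List[dict] = []
    last_user_copy: Optional[str] = None
    for ev in sorted(events, key=lambda e: e.t):
        if ev.source == "user_copy":
            last_user_copy = ev.text.strip()
            continue
        observed = ev.text.strip()
        if last_user_copy is None or observed == last_user_copy:
            continue
        copied_kind = classify_address(last_user_copy)
        observed_kind = classify_address(observed)
        if copied_kind and observed_kind:
            alerts.append({
                "t": ev.t,
                "expected": last_user_copy,
                "observed": observed,
                "kind": observed_kind,
            })
            # Use the swapped value as the new baseline so one swap raises one alert.
            last_user_copy = observed
    return alerts


# Constructed sample data: a legitimate-looking address the user copies, and a
# different address that later appears in the clipboard with no user action.
USER_ADDR = "0x" + "ab12" * 10
SWAPPED_ADDR = "0x" + "ff00" * 10

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user_copy", "meeting notes for Monday"),
    ClipboardEvent(1.0, "poll", "meeting notes for Monday"),
    ClipboardEvent(5.0, "user_copy", USER_ADDR),
    ClipboardEvent(5.5, "poll", USER_ADDR),
    ClipboardEvent(6.0, "poll", SWAPPED_ADDR),   # changed without a user copy
    ClipboardEvent(6.5, "poll", SWAPPED_ADDR),
]


def demo() -> List[dict]:
    """Run the detector over the constructed sample stream."""
    return detect_clipboard_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(f"t={alert['t']}: {alert['kind']} address changed "
              f"from {alert['expected']} to {alert['observed']}")
```

The same comparison is the manual check a user can perform before sending funds: paste the address into a scratch field and compare it character by character with the one actually copied, since a swapped address will match neither in the first nor the last characters. In a real deployment the "user_copy" events would come from an input hook or the clipboard owner notification, and the polling interval would need to be shorter than the time between the user's copy and paste.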
BunnyLoader is written in C/C++ and attributed to a threat actor known as PLAYER_BUNNY, also known as PLAYER_BL. Notably, it has been actively developed since early September of the current year, with new features and enhancements continually integrated into the service. Some of the recent updates include advanced anti-sandbox and antivirus evasion techniques facilitated through a fileless loading feature.
Purchasers of a BunnyLoader license gain access to a command and control (C2) panel that enables them to monitor active tasks, track infection statistics, oversee connected and inactive host devices, and more.
One aspect that remains unknown is the initial access mechanism BunnyLoader uses to reach victims’ endpoints; the researchers have yet to identify it.
In conclusion, BunnyLoader represents a new and evolving MaaS threat that continually adapts its tactics and adds fresh features to support campaigns against its targets. Cybersecurity professionals and organizations are advised to remain vigilant and stay informed about emerging threats, as threats like BunnyLoader pose substantial risks to individual users and businesses alike.