BunnyLoader Malware Sold on the Dark Web
Security experts have recently uncovered a new malware-as-a-service (MaaS) threat known as BunnyLoader, which is being promoted for sale on the dark web. According to an analysis by researchers from Zscaler ThreatLabz, BunnyLoader offers a range of functions, including downloading and executing a secondary payload, stealing browser credentials and system information, among other capabilities.
BunnyLoader, which is coded in C/C++, is available for a one-time fee of $250, and it has been in active development since its debut on September 4, 2023. The malware continuously adds new features and improvements, including techniques to evade antivirus software and sandbox environments.
Recent updates on September 15 and September 27, 2023, resolved issues related to command-and-control (C2) functionality and addressed "critical" SQL injection vulnerabilities in the C2 panel that could have provided unauthorized access to the database.
BunnyLoader Comes With Fileless Capabilities
One of BunnyLoader's notable features, highlighted by its author PLAYER_BUNNY (also known as PLAYER_BL), is its fileless loading capability, which makes it challenging for antivirus programs to remove the malicious code.
The C2 panel offers options for buyers to monitor active tasks, infection statistics, the total number of connected and inactive hosts, and logs related to stolen data. It also provides the ability to erase information and remotely control compromised machines.
The initial distribution method for BunnyLoader remains unclear. Once installed on a system, the malware establishes persistence by making changes to the Windows Registry. It then performs checks to detect sandbox and virtual machine environments before carrying out malicious activities, such as sending task requests to a remote server and acting on the responses it receives.
These activities encompass tasks like downloading and executing secondary malware, running keyloggers and data stealers to collect information from messaging apps, VPN clients, and web browsers, and redirecting cryptocurrency payments to profit from illicit transactions. The final step involves packaging the gathered data into a ZIP archive and transmitting it to a remote server.