D3F@ck Loader, the New MaaS Loader

eSentire’s Threat Response Unit analyses D3F@ck Loader, a Malware-as-a-Service loader distributed via Google Ads that uses EV certificates to evade security tools and drops Raccoon Stealer and Danabot. The write-up details the infection chain, C2 communications, and recommended defenses such as EDR, phishing awareness, and least-privilege practices. #D3FckLoader #RaccoonStealer #Kaseya #more_eggs #GoogleAds

Keypoints

  • The D3F@ck Loader is spread via sponsored Google Ads, leveraging malvertising to reach victims.
  • The loader uses EV code signing to bypass security warnings and trust mechanisms like SmartScreen.
  • Threat actors impersonate Calendly and Rufus with a malicious installer hosted on MediaFire.
  • Inno Setup and Pascal scripting are used, with custom Base64-encoded strings decoded at runtime.
  • The loader downloads payloads from a C2 (e.g., 125.exe) and eventually delivers a .NET dropper that injects Raccoon Stealer into RegAsm.exe.
  • TRU recommends EDR, phishing awareness training, least-privilege, and credential safeguards as mitigations.

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial access through a malicious website accessed via sponsored Google Ads. “The initial infection vector involved a malicious website accessed via sponsored Google Ads.”
  • [T1116] Code Signing – Use of EV certificates to sign files, increasing trust and bypassing warnings. “EV certificates offer a higher level of assurance compared to standard certificates, as they need a thorough verification…”
  • [T1036] Masquerading – Impersonation of Calendly and Rufus applications to disguise the installer. “threat actors impersonating Calendly and Rufus applications with the malicious installer hosted on MediaFire.”
  • [T1105] Ingress Tool Transfer – Loader downloads payloads from C2 using curl and writes to url.txt. “retrieves a URL (attacker’s controlled C2) using Curl and redirects the content into a file named url.txt…”
  • [T1071.001] Web Protocols – C2 communications and final payload delivery over HTTP-like requests. “An example of a request sent to the C2 server is as follows using the User-Agent ‘Java/1.8.0_101’, where 116.202.188[.]155 is the C2 server hosting the final payload ‘125.exe’.”
  • [T1055] Process Injection – Final payload injects Raccoon Stealer into the RegAsm.exe process. “a .NET dropper that injects Raccoon Stealer into the RegAsm.exe process.”
  • [T1027] Obfuscated/Compressed Files and Information – Archive extraction step (85.zip) using tar. “cmd /c tar xf 85.zip”
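As an added detection example, not code from the eSentire write-up, the following Python flags the C2 check-in and the host-side steps listed above in constructed proxy and process-creation records; the pipe-delimited record layout and the RegAsm.exe parent allowlist are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Observables quoted in the eSentire write-up summarised above.
LOADER_USER_AGENT = "Java/1.8.0_101"
C2_HOSTS = {"116.202.188.155", "194.147.35.251"}
TAR_UNPACK = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+tar\s+xf\s+\S+\.zip\b", re.I)
# Hypothetical allowlist of parents expected to launch RegAsm.exe; tune per estate.
REGASM_PARENT_ALLOW = ("msbuild.exe", "devenv.exe")

def is_loader_beacon(url: str, user_agent: str) -> bool:
    """C2 check-in: the fixed Java User-Agent plus an 'event=ready' query whose
    nested 'url=' parameter names an .exe or points at a known C2 host."""
    if user_agent != LOADER_USER_AGENT:
        return False
    qs = parse_qs(urlparse(url).query)
    if qs.get("event") != ["ready"] or not qs.get("url"):
        return False
    nested = urlparse(qs["url"][0])
    return nested.hostname in C2_HOSTS or nested.path.lower().endswith(".exe")

def is_suspicious_process(image: str, cmdline: str, parent: str) -> bool:
    """Host-side steps: cmd.exe unpacking the staged zip with tar, and
    RegAsm.exe (the injection target) started by an unexpected parent."""
    if TAR_UNPACK.search(cmdline):
        return True
    return image.lower().endswith("\\regasm.exe") and not parent.lower().endswith(REGASM_PARENT_ALLOW)

def scan(proxy_lines, process_lines):
    """Return matching records from 'time|url|ua' and 'time|image|cmdline|parent' lines."""
    beacons = [rec for rec in proxy_lines if is_loader_beacon(*rec.split("|")[1:3])]
    procs = [rec for rec in process_lines if is_suspicious_process(*rec.split("|")[1:4])]
    return beacons, procs

# Constructed sample records (not real telemetry); IPs and file names are the page's IoCs.
PROXY_LOG = [
    "10:01:02|http://194.147.35.251/?v=3&event=ready&url=http://116.202.188.155/auto/x/125.exe|Java/1.8.0_101",
    "10:01:05|https://www.google.com/search?q=rufus|Mozilla/5.0",
    "10:02:00|http://198.51.100.7/?event=ready&url=http://198.51.100.7/drop.exe|Java/1.8.0_101",
]
PROCESS_LOG = [
    r"10:01:00|C:\Windows\System32\cmd.exe|cmd /c tar xf 85.zip|C:\Users\u\AppData\Local\Temp\Calendly-Setup.exe",
    r"10:01:03|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe|C:\Users\u\AppData\Local\Temp\125.exe",
    r"10:05:00|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe /codebase lib.dll|C:\Tools\MSBuild.exe",
    r"10:06:00|C:\Windows\System32\cmd.exe|cmd /c dir|C:\Windows\explorer.exe",
]
```

Running `scan(PROXY_LOG, PROCESS_LOG)` returns the two beacon records and the two process records that match the loader's observed behaviour.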

Indicators of Compromise

  • [IP Address] Context – C2 hosts used by the loader: 116.202.188[.]155 and 194.147.35[.]251
  • [File Hash] Context – MD5 of the final payload 125.exe: a56f2d534631400ef294d321f8dbdfea
  • [File Name] Context – 125.exe (final payload), 85.zip (archive containing 125.exe)
  • [URL] Context – C2/download URL for final payload: hxxp://194.147.35[.]251/?v=3&event=ready&url=hxxp://116.202.188[.]155/auto/514170f7d05bc2fde4dfa2df54e33bca/125.exe

Read more: https://www.esentire.com/blog/d3f-ck-loader-the-new-maas-loader