eSentire’s Threat Response Unit (TRU) investigates the D3F@ck Loader, tracing its origins to a developer known as Sergei Panteleevich and detailing its use of EV certificates to bypass security measures and distribute various malware payloads. The TRU team actively revokes certificates and monitors related threats to hinder the loader’s operations. #D3FckLoader #SergeiPanteleevich
Key points
- eSentire operates 24/7 Security Operations Centers with elite threat hunters.
- The D3F@ck Loader is linked to a developer alias Sergei Panteleevich.
- Sergei promotes operations on Telegram and Russian hacking forums.
- D3F@ck Loader uses EV certificates to bypass security and SmartScreen checks.
- The loader has delivered malware such as Raccoon Stealer and MetaStealer.
- eSentire’s TRU actively revokes EV certificates to disrupt operations and force changes.
- TRU outlines detection and response strategies to combat D3F@ck Loader threats.
MITRE Techniques
- [T1189] Drive-by Compromise – Quote: ‘Drive-by Compromise: D3F@ck Loader mainly delivers their payloads via Malvertising.’
- [T1204] User Execution – Quote: ‘User Execution: The loader tricks the user into executing a malicious file, often disguised as trusted software or adult content with valid EV certificates.’
- [T1057] Process Discovery – Quote: ‘Process Discovery: The loader checks the running processes related to virtual machines.’
- [T1562.001] Disable or Modify Tools – Quote: ‘Disable or Modify Tools: Modifies security settings during installation to disable Windows Defender and avoid detection. Fraudulently obtained EV certificates are used to bypass SmartScreen.’
- [T1553] Subvert Trust Controls – Quote: ‘Fraudulently obtained EV certificates are used to bypass SmartScreen.’
- [T1102.001] Web Service: Dead Drop Resolver – Quote: ‘Web Service: Dead Drop Resolver: Uses legitimate platforms like Telegram and Steam to host C2 IPs to facilitate command and control.’
Indicators of Compromise
- [Domain] C2 domain – jilinebyli.top, and Telegram/Discord/Steam-based DDR channels (e.g., Telegram channel: t.me/+UfHrjVyCLZ03ODYy)
- [URL] Pastebin-based payload retrieval – referenced as a source for final payloads
- [URL] Any.run sandbox reference for C2 communications – https://app.any.run/tasks/9a94e1d8-8099-476f-a192-f006f14d0db8
- [MD5] Initial payload hash – 47bc9ef09f431cd1dc92840a19fe2158
- [MD5] 7zip tool inside installer – 8f57948e69c82bf98704f129c5460576
- [MD5] Elevation helper – 7f3b7c1c476a6ddf0bc2acabc7ffe3be
- [MD5] Java-related payload – 429d476259582313336a7eb6895362df
- [MD5] Main loader payload – 9231458f16389c65c76ad4b90cfe7504
- [MD5] Additional component – 5cf2e80ac2a7f7fa24f74966d3ec904f
- [File] dn-compiled-module.jar – main payload path inside the Java-based component
- [File] 125.exe, Setup.exe, elevate.exe, jre.7z, lib.7z – embedded files inside Inno Setup installer
- [File] Two additional hashes – other payloads referenced in the Inno Setup install_script.iss
- [File/Path] C:\Program Files\Windows NT – drop path for final payloads
- [File/Path] C:\Users\nesto\OneDrive\Рабочий стол\ИСХОДЫ\WORK\WORK\DEVEL\Launcher\Auto\Без прогресса — С ПИНГОМ\src\app\forms\MainForm.php – example path observed in code
- [VM] VM process names – VboxService.exe, Vmwareuser.exe, Vmtoolsd.exe (anti-VM checks)
- [Directory] ZIP/password-protected archives – jre.7z, lib.7z used to bundle Java dependencies
- [URL] Telegram DDR channel – hxxps://t.me/+UfHrjVyCLZ03ODYy
- [Certificate] EV certificates – LLC Kama Lubricant Company, Ayog Tech Ltd, Primalspeed Ltd, Eleventh Edition Ltd, Tenet Tech Ltd, Clicksat Ltd, MAD PANDA Ltd, Joystery Ltd
Read more: https://www.esentire.com/blog/exploring-the-d3f-ck-malware-as-a-service-loader