Cyble – Citrix Users At Risk: AresLoader Spreading Through Disguised GitLab Repo

CRIL researchers describe AresLoader, a loader sold under a malware-as-a-service (MaaS) model that is being used to spread LummaStealer and IcedID through a GitLab repository disguised as a Citrix project. The malware uses multi-stage delivery, dynamic API resolution and several anti-analysis techniques to evade detection, then contacts its C2 servers and downloads the final payloads. #AresLoader #Citrix #GitLab #LummaStealer #IcedID #AiDLocker #CRIL

Keypoints

  • AresLoader is a loader written in C and sold under a MaaS model to propagate multiple malware families.
  • The loader executes in stages: code embedded in the initial binary is extracted and injected in later stages, and the extraction and injection routines differ from one binary to the next to frustrate signature-based detection.
  • It is associated with actors tied to AiD Locker ransomware and is possibly linked to a Russian hacktivist group.
  • A disguised GitLab repository named citrixproject distributes AresLoader, which then downloads LummaStealer and IcedID payloads from remote endpoints.
  • The loader hinders analysis with techniques such as creating a hidden window, fake (decoy) functions, dynamic API resolution via API hashing, and APC-based code injection.
  • It contacts its C2 infrastructure, registers the infected host with a server via an HTTP POST, and, after collecting system data and the host's public IP address, downloads the final payloads.

MITRE Techniques

  • [T1566] Phishing – ‘GitLab repository located at hxxps[:]//gitlab.com/citrixchat-project/citrixproject/ distributing the AresLoader malware.’
  • [T1204] User Execution – ‘the TA… launch of a legitimate file before deploying a malicious payload.’
  • [T1027] Obfuscated Files or Information – ‘loader code’s extraction and injection methods are inconsistent across every binary.’
  • [T1055] Process Injection – ‘and inject it into memory.’
  • [T1027.007] Dynamic API Resolution – ‘This malware employs the API hashing technique to complicate detection and analysis’ and ‘The loader retrieves the address of the following API functions: pLdrFindResource_U, pLdrAccessResource, pNtAllocateVirtualMemory, pNtQueueApcThread, pNtTestAlert.’
  • [T1016] System Network Configuration Discovery – ‘the Ares loader obtains the public IP address of the infected system by sending a request to https://ipinfo.io/ip.’
  • [T1071] Application Layer Protocol – ‘The malware makes GET requests to the following URLs’ via WinINet.
  • [T1105] Ingress Tool Transfer – ‘GET requests to … manager/payload’ and ‘Downloads LummaStealer’ and ‘Downloads IcedID’.
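The dynamic API resolution quoted under T1027.007 works by comparing a hash of each export name against a constant baked into the loader, so no plaintext API string is present in the binary. The Python below is an added example, not Cyble's code and not AresLoader's own routine: it shows both sides of the technique, the runtime lookup a loader performs and the reverse table an analyst builds to label hash constants pulled from a disassembly. The ROR13 hash function, the export list and the sample constants are assumptions constructed for the example; the summary does not state which hash algorithm AresLoader uses.

```python
from typing import Dict, List, Optional

# Constructed export list for the example: the ntdll functions the
# summary says the loader resolves, plus a few unrelated names so the
# runtime lookup has entries to skip over.
NTDLL_EXPORTS: List[str] = [
    "LdrFindResource_U",
    "LdrAccessResource",
    "NtAllocateVirtualMemory",
    "NtQueueApcThread",
    "NtTestAlert",
    "NtClose",
    "NtProtectVirtualMemory",
    "NtWriteVirtualMemory",
]


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Hypothetical ROR13 API hash (an assumption for this example; the
    real AresLoader algorithm is not given in the summary). Each ASCII
    byte of the export name is folded into a 32-bit accumulator."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h


def resolve_by_hash(target: int, exports: List[str]) -> Optional[str]:
    """What the loader does at runtime: walk the DLL's export name table,
    hash each name, and stop at the one matching the embedded constant."""
    for name in exports:
        if api_hash(name) == target:
            return name
    return None


def build_reverse_table(exports: List[str]) -> Dict[int, str]:
    """What the analyst does: precompute hash -> name for a DLL's export
    list so constants copied out of the sample can be labelled. A
    collision would make the table ambiguous, so it is reported."""
    table: Dict[int, str] = {}
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def recover_names(hashes: List[int], exports: List[str]) -> Dict[int, Optional[str]]:
    """Map each constant to an export name, or None if it is not in the table."""
    table = build_reverse_table(exports)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constants an analyst might have copied out of a disassembly
    # (constructed here from the hash function itself, plus one unknown).
    sample_constants = [api_hash("NtQueueApcThread"), api_hash("NtTestAlert"), 0xDEADBEEF]
    for h, name in recover_names(sample_constants, NTDLL_EXPORTS).items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

In practice the reverse table is built from the real export directory of the DLLs the sample loads (ntdll.dll, kernel32.dll, wininet.dll) once the hash routine has been identified in the disassembly; an unresolved constant then usually means either a different DLL or a different hashing variant than the one assumed.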

Indicators of Compromise

  • [MD5] AresLoader – df79ba45a9c6bf187697fe7f3e2dd7bc
  • [SHA1] AresLoader – f064b3d1779692c1928869e6b682d0682e0d987d
  • [SHA256] AresLoader – 867c574602105903116dca0a8b826e474a555980a193524d1aa7f15aecbc9ae4
  • [MD5] AresLoader – 67029b569ad726b1b87cc62760472cc8
  • [SHA1] AresLoader – 0d43665fd941533cdd3edbf71fd3f975bcd53967
  • [SHA256] AresLoader – 169c70fc77814578aa83b3a666eb674c49e60ac6964b040de9b1e51c5966bf56
  • [MD5] AresLoader – ffc047f271e2db11338917aecb1f890b
  • [SHA1] AresLoader – 92d00383cc03d165bb4a2e55fdcedc0dd184450a
  • [SHA256] AresLoader – 69fd40c6c06cb719050c36234ba5117d275643d8aff72596167e9c2fee608cfb
  • [URL] GitLab repo – hxxps[:]//gitlab.com/citrixchat-project/citrixproject/
  • [URL] C2 – hxxp[:]//193.233.134[.]57/manager/payload, hxxp[:]//193.233.134[.]57/manager/legit
  • [IP] C2 – 45.80.69[.]193, 193.168.49[.]8, 193.233.134[.]57
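As an added example (not Cyble's code and not part of the original write-up), the Python below refangs the network indicators listed above and sweeps a set of constructed proxy log lines for them, then looks for the registration sequence the summary describes: a GET to https://ipinfo.io/ip followed shortly by a POST to a listed C2 address. The log line format, the sample lines, the POST to the bare C2 host and the 60-second window are all assumptions made for the example; ipinfo.io itself is a legitimate service and is only meaningful as part of that sequence.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Network indicators as listed in the summary, still defanged.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "url": [
        "hxxp[:]//193.233.134[.]57/manager/payload",
        "hxxp[:]//193.233.134[.]57/manager/legit",
        "hxxps[:]//gitlab.com/citrixchat-project/citrixproject/",
    ],
    "ip": ["45.80.69[.]193", "193.168.49[.]8", "193.233.134[.]57"],
}

# Constructed proxy log lines for the example (not real telemetry).
# The POST to the bare C2 host is an assumption: the summary only says
# the loader registers via POST, not which path it uses.
CONSTRUCTED_LOGS: List[str] = [
    "2023-04-28T10:00:40Z src=10.0.0.22 method=GET url=https://gitlab.com/citrixchat-project/citrixproject/ status=200",
    "2023-04-28T10:01:02Z src=10.0.0.15 method=GET url=https://ipinfo.io/ip status=200",
    "2023-04-28T10:01:03Z src=10.0.0.15 method=POST url=http://193.233.134.57/ status=200",
    "2023-04-28T10:01:05Z src=10.0.0.15 method=GET url=http://193.233.134.57/manager/payload status=200",
    "2023-04-28T10:05:00Z src=10.0.0.22 method=GET url=https://www.citrix.com/downloads/ status=200",
    "2023-04-28T10:09:00Z src=10.0.0.31 method=GET url=https://ipinfo.io/ip status=200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)


def refang(indicator: str) -> str:
    """Undo the common defanging conventions (hxxp, [:], [.], (.))."""
    return (indicator.replace("hxxp", "http")
            .replace("[:]", ":")
            .replace("[.]", ".")
            .replace("(.)", "."))


def sweep(lines: List[str], iocs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (source, indicator_type, matched_value) for every log line whose
    URL equals a listed URL or whose destination host equals a listed IP."""
    urls = {refang(u).rstrip("/") for u in iocs["url"]}
    ips = {refang(i) for i in iocs["ip"]}
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        host = urlsplit(url).hostname or ""
        if url.rstrip("/") in urls:
            hits.append((m["src"], "url", url))
        elif host in ips:
            hits.append((m["src"], "ip", host))
    return hits


def beacon_sequence(lines: List[str], ips: List[str], window_s: int = 60) -> List[str]:
    """Flag sources that GET https://ipinfo.io/ip and then POST to a listed C2
    IP within window_s seconds, the registration order the summary describes.
    A source that only queries ipinfo.io (e.g. 10.0.0.31) is not flagged."""
    c2_hosts = {refang(i) for i in ips}
    last_ipinfo: Dict[str, datetime] = {}
    flagged: List[str] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src, method = m["src"], m["method"]
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if method == "GET" and host == "ipinfo.io" and parts.path == "/ip":
            last_ipinfo[src] = ts
        elif method == "POST" and host in c2_hosts and src in last_ipinfo:
            delta = (ts - last_ipinfo[src]).total_seconds()
            if 0 <= delta <= window_s and src not in flagged:
                flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src, kind, value in sweep(CONSTRUCTED_LOGS, DEFANGED_IOCS):
        print(f"{src} matched {kind} indicator {value}")
    for src in beacon_sequence(CONSTRUCTED_LOGS, DEFANGED_IOCS["ip"]):
        print(f"{src} shows the ipinfo.io -> C2 POST registration sequence")
```

The exact-URL and host matches are the high-confidence detections; the ipinfo.io sequence is a weaker behavioural signal that is worth keeping because the C2 addresses will rotate while the registration order is part of the loader's logic.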

Read more: https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/