Cyber Security Threat Summary:
Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands. The first version of BunnyLoader emerged on September 4. Since then, its developers added more functions, like multiple anti-detection mechanisms and extra info-stealing capabilities, releasing a second major version towards the end of the month. Researchers at cloud security company Zscaler note that BunnyLoader is quickly becoming popular among cybercriminals as a feature-rich malware available for a low price” (Bleeping Computer, 2023).
Security Officer Comments:
BunnyLoader is currently being sold for $250 on cybercriminal forums. There is also a private stub version, which features stronger anti-analysis, in-memory injection, AV evasion, and additional mechanisms, advertised at $350. For its part, the loader comes with a command and control panel, which makes it easy for cybercriminals to set second-stage payloads, enable keylogging, steal credentials, siphon cryptocurrency by manipulating the clipboard, run commands remotely on targeted devices, and register infected users into the panel, allowing the actors to monitor their victims. BunnyLoader is also capable of detecting Sandbox environments and implements process hollowing to evade detection. As for data stolen by the malware which is collected from various browsers and applications, this information is compressed into a ZIP archive and exfiltrated to a C2 server controlled by the actors.
Although the infection vector for BunnyLoader is unclear, malware like this is typically distributed via phishing emails. As such, users should adhere to the following recommendations:
- Do not open emails or download software from untrusted sources
- Do not click on links or attachments in emails that come from unknown senders
- Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
- Always verify the email sender's email address, name, and domain
- Backup important files frequently and store them separately from the main system
- Protect devices using antivirus, anti-spam and anti-spyware software
- Report phishing emails to the appropriate security or I.T. staff immediately