Executive Summary:
A new Malware-as-a-Service (MaaS)threat called BunnyLoader can download and run a second-stage payload, steal system data, and steal browser credentials. It records keystrokes and keeps track of the victim’s clipboard using a keylogger and clipper.
After that, the information is compressed into a ZIP package and sent to a command-and-control server. Introduction to the Malware:
Since September, 2023, BunnyLoader, a fileless malware-as-a-service (MaaS), has been for sale on hacker forums. It can steal sensitive data like usernames and passwords while avoiding detection by anti-virus software. It has the ability to download and run a second-stage payload, giving it the ability to carry out further harmful operations. BunnyLoader may transport data from messaging apps, cryptocurrency wallets, VPNs, and web browsers to the attacker’s command and control server by compressing the data into a ZIP package. Due to its low cost, fraudsters are starting to use it more frequently.
It steals confidential data while avoiding detection by antivirus programs. It has the ability to download and run a second-stage payload, giving it the ability to carry out further harmful operations. In order to compress the data into a ZIP archive, BunnyLoader can take it from chat apps, bitcoin wallets, VPNs, and web browsers. It supports writing payloads to the disk before running them and uses the process hollowing approach to run them from system memory. During its attack process, BunnyLoader employs a variety of anti-sandbox tactics. It also provides a web interface for viewing stealer logs, the total number of clients, and the number of open tasks. Information cleansing and remote control of infected workstations are also made possible. On several forums, BunnyLoader is offered for $250 for a lifetime license.
Malware Spread:
This malware infiltrates systems through various methods, including social engineering, infected email attachments, malicious online advertisements, and software cracks. Once installed, it creates a new value in the Windows Registry for persistence, hides its window, sets a mutex, and registers the victim into the control panel. BunnyLoader can detect virtual environments and evade analysis by performing checks to determine if it’s running on a sandbox or simulated environment. It can download and execute a second-stage payload, allowing it to carry out additional malicious actions. It can steal data from web browsers, cryptocurrency wallets, VPNs, and messaging apps, compressing it into a ZIP archive.
Modus Operandi of the malware:
BunnyLoader installs, creates persistence values in the Windows Registry, hides its window, sets a mutex, and registers the victim into the control panel. It can detect virtual environments and evade analysis by performing checks on a sandbox or simulated environment, and throwing a fake architecture incompatibility error if positive.
BunnyLoader Tactics on Customer-to-customer (C2C):
BunnyLoader installs, creates persistence values in the Windows Registry, hides its window, sets a mutex, and registers the victim into the control panel. It can detect virtual environments and evade analysis by performing checks on a sandbox or simulated environment, and throwing a fake architecture incompatibility error if positive.
Technical Analysis on the malware:
While analyzing, we came access some of the IOC’s such as
URLs:
http[:]//37.139.129.145/Bunny/
Dr.Web: known infection source
Forcepoint ThreatSeeker: malicious web sites
Sophos: spyware and malware
Webroot: Malware Sites
Status Code: 404
Content-Length:300
Date:Tue, 26 Sep 2023 06:50:14 GMT
Content-Type:text/html; charset=iso-8859-1
Connection:Keep-Alive
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
MD-5:59ac3eacd67228850d5478fd3f18df78
● MD5:59ac3eacd67228850d5478fd3f18df78
● SHA-1:cdc11d2244321b850fad88a92e704a8ce2255ca7
● SHA-256:9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f ● Vhash:06503e0f7d5013z13z43z1hz11z1bz
● Authentihash:07b12b6c9694270575fca14015c36d11639bc31486378a72408470674923ee46 ● Imphash:55813cd163f843b9053aec38c1568bbf
● Rich PE header hash:bcfb301588e6b5c086ad848774cd3d76
● SSDEEP12288:tZ2eNScaljS/F419WCntAWjVX5ykOKytwz07JK88AMFjYSFPAZ:L2eNSc4wERntj VJxOK1z078sEVlO
● TLSH:T1D8D423B941A61C7FF47F9BBAF20BD6294112F0790C48F90C5F8DBA5D3DA61A09A C4606
● File type:Win32 EXE executablewindowswin32pepeexe
● Magic:PE32 executable (console) Intel 80386, for MS Windows, UPX compressed Compiler Products
● id: 259, version: 30795 count=17
● id: 261, version: 30795 count=202
● id: 260, version: 30795 count=23
● id: 260, version: 30034 count=18
● id: 259, version: 30034 count=25
● id: 261, version: 30034 count=95
● id: 257, version: 30795 count=15
● [—] Unmarked objects count=242
● id: 261, version: 32217 count=38
● id: 265, version: 30148 count=7
● id: 255, version: 30148 count=1
● id: 258, version: 30148 count=1
Header
● Target Machine:Intel 386 or later processors and compatible processors
● Compilation Timestamp:2023-09-23 15:40:18 UTC
● Entry Point:1528960
● Contained Sections:3
Contacted URLs(2)
| Scanned | Detections | Status URL |
| 2023-10-03 | 0 / 90 | 200 http://api.ipify.org/ |
| 2023-08-03 | 0 / 90 | 200 http://ip-api.com/csv |
Contacted Domains(6)
| Domain | Detections | Created Registrar |
| api.ipify.org | 0 / 89 | 2014-01-05 GoDaddy.com, LLC |
| api4.ipify.org | 0 / 89 | 2014-01-05 GoDaddy.com, LLC |
| fp2e7a.wpc.2be4.phic dn.net | 0 / 89 | 2014-11-14 GoDaddy.com, LLC |
| fp2e7a.wpc.phicdn.net | 0 / 89 | 2014-11-14 GoDaddy.com, LLC |
| ip-api.com | 0 / 89 | 2012-04-24 Internet Domain Service BS Corp |
ipify.org 1
2014-01-05 GoDaddy.com, LLC
/ 89
Contacted IP addresses(12)
| IP | Detections | Autonomous System Country |
| 104.237.62.212 | 0 / 89 | 18450 US |
| 173.231.16.77 | 0 / 89 | 18450 US |
| 192.229.211.108 | 0 / 89 | 15133 US |
| 192.229.221.95 | 0 / 89 | 15133 US |
| 20.99.133.109 | 0 / 89 | 8075 US |
20.99.184.37 2
8075 US
/ 89
| 20.99.185.48 | 0 / 89 | 8075 US |
| 20.99.186.246 | 0 / 89 | 8075 US |
| 208.95.112.1 | 1 / 89 | 53334 US |
| 23.216.147.76 | 1 / 89 | 20940 US |
| 64.185.227.156 | 6 / 89 | 18450 US |
| 8.8.8.8 | 2 / 89 | 15169 US |
Execution Parents(1)
| Scanned | Detections | Type Name |
| 2023-09-27 | 1 / 64 | ZIP 12034028745.zip |
SHA-1:059d27dbb4777ed1f17b2aa42c0e7c19ad29b304
● MD5:bbf53c2f20ac95a3bc18ea7575f2344b
● SHA-1:059d27dbb4777ed1f17b2aa42c0e7c19ad29b304
● SHA-256:90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69 ● Vhash:016056655d15556053z22z9a3z91z503bz81zbbz
● Authentihash:823668e0d7e3f6ed82faefae342f5b91e3f5ee25116a3d358c3b2ec875ccf70c ● Imphash:193e8e3a585e056b8cf408dbb31c7f32
● Rich PE header hash:6b424b2a8b2f0e29339cef3ba0af9896
● SSDEEP24576:H5khuFAeSwW1LS8s2tsiODbdGcE/61SHyV8UuThAbJfm9j+XcK8VodAeLJhUM 8YJ:cuZW1LS8s2tsdDbC9SKdincKuodAeMMf
● TLSH:T11465AF61FB82E0B2E8C610F141BF6BFB9C286A15473854D7A3D01E695D301D37A 3AF5A
● File type:Win32 EXE executablewindowswin32pepeexe
● Magic:PE32 executable (console) Intel 80386, for MS Windows
Compiler Products
● id: 259, version: 30795 count=17
● id: 261, version: 30795 count=202
● id: 260, version: 30795 count=24
● id: 260, version: 30034 count=18
● id: 259, version: 30034 count=25
● id: 261, version: 30034 count=101
● id: 257, version: 30795 count=19
● [—] Unmarked objects count=256
● id: 261, version: 32217 count=38
● id: 265, version: 30148 count=7
● id: 255, version: 30148 count=1
● id: 258, version: 30148 count=1
Header:Basic features stored in the portable executable file header.
● Target Machine:Intel 386 or later processors and compatible processors
● Compilation Timestamp:2023-09-18 11:21:06 UTC
● Entry Point:1038921
● Contained Sections:5
Contacted Domains(4)
| Domain | Detections | Created Registrar |
| api.ipify.org | 0 / 89 | 2014-01-05 GoDaddy.com, LLC |
| api4.ipify.org | 0 / 89 | 2014-01-05 GoDaddy.com, LLC |
| ip-api.com | 0 / 89 | 2012-04-24 Internet Domain Service BS Corp |
| ipify.org | 0 / 89 | 2014-01-05 GoDaddy.com, LLC |
Contacted IP addresses(14)
| IP | Detections | Autonomous System | Country |
| 104.237.62.212 | 1 / 89 | 18450 | US |
| 13.107.4.50 | 7 / 89 | 8068 | US |
| 173.231.16.77 | 0 / 89 | 18450 | US |
| 192.229.211.108 | 0 / 89 | 15133 | US |
| 20.99.133.109 | 0 / 89 | 8075 | US |
| 20.99.184.37 | 2 / 89 | 8075 | US |
| 20.99.185.48 | 0 / 89 | 8075 | US |
| 20.99.186.246 | 0 / 89 | 8075 | US |
| 208.95.112.1 | 1 / 89 | 53334 | US |
| 23.216.147.64 | 1 / 89 | 20940 | US |
| 23.216.147.76 | 1 / 89 | 20940 | US |
| 37.139.129.145 | 1 / 89 | 211252 | NL |
| 64.185.227.156 | 6 / 89 | 18450 | US |
| 8.8.8.8 | 2 / 89 | 15169 | US |
Execution Parents(2)
| Scanned | Detections | Type Name |
| 2023-09-27 | 1 / 64 | ZIP 12034028745.zip |
| 2023-09-26 | 1 / 64 | ZIP 11966049248.zip |
● MD5:dbf727e1effc3631ae634d95a0d88bf3
● SHA-1:c02d2a18eca78b91b4c4e9e7a45c8d17c8c5bbca
● SHA-256:454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79 ● Vhash:06503e0f7d1013z13z43z11z101bz11z1bz
● Authentihash:5018a9d634dd8a2528a5946ead796ac7be436268a7e225bbb2587cb0230f1a25 ● Imphash:f1881b6400291d13b053da50e4d09dd7
● Rich PE header hash:6b424b2a8b2f0e29339cef3ba0af9896
● SSDEEP12288:8yqE9N0R/YPT7arwRhacn1J0zxzWnMZfgspsa:nlERAP6sRh/1UxiApZ ● TLSH:T1D9D4232BFBE4267AD4F9F6345126EA1076F45D203AA0C46F519327D7CE7B814C2 68B13
● File type:Win32 EXE executablewindowswin32pepeexe
● Magic:PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Compiler Products
● id: 259, version: 30795 count=17
● id: 261, version: 30795 count=202
● id: 260, version: 30795 count=24
● id: 260, version: 30034 count=18
● id: 259, version: 30034 count=25
● id: 261, version: 30034 count=101
● id: 257, version: 30795 count=19
● [—] Unmarked objects count=256
● id: 261, version: 32217 count=38
● id: 265, version: 30148 count=7
● id: 255, version: 30148 count=1
● id: 258, version: 30148 count=1
Among BunnyLoader’s tools are a keylogger that logs keystrokes and a clipper that watches clipboards and switches the attacker’s bitcoin wallet address for the victim’s. After being collected, the stolen information is sent to a command-and-control (C2) server packaged inside a ZIP archive. This article explores BunnyLoader’s internal workings and reveals the technological nuances that pose a serious risk to cybersecurity. Keep yourself educated to guard against this ever-changing threat.
A description of the virus or ransomware
● Composed in C/C++
● Fileless loader: downloads and runs further malware stages in RAM
● includes both stealer and clipper features.
● remote execution of commands
● includes anti-analysis methods
● offers an online panel with stealer logs, total clients, ongoing jobs, and a plethora of other features. Cost: $250 for a lifetime.
Rapid evolution of the virus has resulted in several feature upgrades.
The virus has been developing quickly, and several feature upgrades and bug patches have been made available. BunnyLoader’s upgrades fix bugs, make adjustments to the C2 panel, and even introduce new price levels in the chart below.
| Value | Description |
| country | Gathers the country where the infected system is connecting from via “http[:]//ip-api.com/csv” where the user agent is “BunnyRequester” |
| IP | Gathers the victim IP from “http[:]//api.ipify.org” where the user agent is “BunnyRequester” |
| host | Gathers the hostname via GetComputerNameA |
| ver | The version of BunnyLoader (e.g., 2.0) |
| system | Fetches the operating system via “systeminfo | findstr /B /C:”OS Name” |
| privs | Fetches the privileges of the current user via OpenProcessToken. Sends “Admin” if the user is an administrator or sends the string “user”. |
| av | Gathers the anti-virus on the infected machine via wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value |
With the use of BunnyLoader’s C2 panel, attackers may access a malicious toolset that includes remote system control, malware downloads, keylogging, credential theft, and clipboard manipulation for cryptocurrency theft.
Risks associated with BunnyLoader on Customer-to-Customer market:
There are specific risks associated with BunnyLoader being traded in the C2C market.
These risks include: Increased availability: The C2C market carries certain hazards when it comes to trading BunnyLoader.
These dangers consist of:
Enhanced accessibility:BunnyLoader’s C2C market trading makes it more accessible to a larger spectrum of crooks, facilitating their acquisition and deployment of the virus for nefarious purposes.
Lack of quality control:C2C sites, which sell malware like BunnyLoader, have no control over the caliber of the goods they sell. This suggests that the virus can be of low quality or include vulnerabilities that have the potential to have unexpected effects.
Payment issues:There may or may not be a guarantee of payment for transactions done, contingent upon the policies of the platform.
The sale of BunnyLoader on C2C platforms may cause problems with payments for both buyers and sellers.
Mitigation and Recommendations:
BunnyLoader is a fileless malware that can infiltrate systems by exploiting vulnerabilities in outdated software. To mitigate it :
● Individuals and organizations should keep their software up to date with the latest security patches and updates.
● Anti-virus software can provide some protection against BunnyLoader, although it can evade detection.
● To avoid BunnyLoader, avoid suspicious emails and attachments, download software from untrusted sources, and educate employees about the risks of malware like BunnyLoader. ● Organizations should also monitor network activity for any signs of BunnyLoader or other malware and take prompt action if any suspicious activity is detected.
● Overall, implementing these measures can help protect against BunnyLoader and other malware threats.
CyberPeace Advice:
1. Use a strong password
2. Be careful about what information you share.
3. Hover over links in emails before clicking on them
4. Be wary of emails that come from unknown senders or that have suspicious subject lines. 5. Be careful about the emails you open and the links you click on.
6. Enable two-factor authentication for your account.
Reference:
[1]https://www.bleepingcomputer.com/news/security/new-bunnyloader-threat-emerges-as-a-feature-rich-m alware-as-a-service/
[2] https://rabbitloader.com
[3] https://www.pcrisk.com/removal-guides/27955-bunnyloader-malware
[4] https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html?m=1 [5] https://wordpress.org/plugins/rabbit-loader/
[6] https://isp.page/news/new-malware-as-a-service-maas-threat-bunnyloader-discovered/ [7] https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service [8] https://www.seenlyst.com/blog/rabbitloader-review/
[9] https://cybermaterial.com/evolving-threat-of-bunnyloader/
[10] https://heimdalsecurity.com/blog/new-malware-as-a-service-bunny-loader/
[11] https://rabbitloader.com/articles/why-rabbit-loader/
[12] https://securityaffairs.com/151869/malware/bunnyloader-maas.html?amp=1 [13] https://crozdesk.com/software/rabbit-loader-740642fe-d922-4e7c-9afc-c412c93813ea [14] https://cybersecuritynews.com/bunnyloader-malware-as-a-service/
[15]https://www.techradar.com/pro/security/theres-a-dangerous-new-malware-as-a-service-on-the-rise-her es-what-you-need-to-know
[16] https://www.scmagazine.com/brief/novel-bunnyloader-maas-threat-examined [17] https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service [18]https://www.rewterz.com/rewterz-news/rewterz-threat-alert-emergence-of-bunnyloader-new-malware as-a-service-unveiled-in-the-cybercrime-underground-active-iocs/
[19]https://www.linkedin.com/posts/shawnrobertharvey_bunnyloader-malware-targets-browsers-and-activi ty-7114834125697515522-hZHO
[20]https://www.bleepingcomputer.com/news/security/new-bunnyloader-threat-emerges-as-a-feature-rich malware-as-a-service/
[21]https://www.linkedin.com/posts/proaxissolutions_cybersecurity-malware-bunnyloader-activity-7115289 464029003776-uCaU
[22] https://www.pcrisk.com/removal-guides/27955-bunnyloader-malware
[23] https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html?m=1 [24] https://www.infosecurity-magazine.com/news/bunnyloader-targets-browsers-crypto/ [25] https://heimdalsecurity.com/blog/new-malware-as-a-service-bunny-loader/
[26]https://www.blackhatethicalhacking.com/news/meet-bunnyloader-the-rapidly-evolving-malware-as-a-s ervice/
[27] https://cybersecuritynews.com/bunnyloader-malware-as-a-service/
