
BunnyLoader, the newest Malware-as-a-Service


29 Sept 2023

In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes and a clipper to monitor the victim’s clipboard and replace cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and transmits the pilfered data to a command-and-control (C2) server.

In early September, ThreatLabz came across a new malware loader named BunnyLoader. The malware was being sold on various forums by a user named “PLAYER_BUNNY”/“PLAYER_BL”, who appears to be one of the developers of the loader, as shown in the figure below.

Based on the advertisement, BunnyLoader has the following features:

  • Written in C/C++

  • Fileless loader - download & execute further malware stages in memory

  • Consists of stealer and clipper capabilities

  • Remote command execution

  • Incorporates anti-analysis techniques

  • Provides a web panel showcasing stealer logs, total clients, active tasks and much more

  • Price - $250 (Lifetime)

If a sandbox is identified, BunnyLoader throws the following error message:

“The version of this file is not compatible with the current version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

Otherwise, BunnyLoader performs an HTTP registration request to a C2 server.

BunnyLoader consists of the following tasks:

  • Trojan Downloader

  • Intruder

  • Clipper

  • Remote Command Execution

  • Run Keylogger Task

  • Run Stealer Task

  • Clipper Task

  • Download and Execute Task

  • Remote Command Execution Task

BunnyLoader targets the user-data directories of the following web browsers:

  • 7Star\7Star\User Data

  • Yandex\YandexBrowser\User Data

  • CentBrowser\User Data

  • Comodo\User Data

  • Chedot\User Data

  • 360Browser\Browser\User Data

  • Vivaldi\User Data

  • Maxthon3\User Data

  • Kometa\User Data

  • K-Melon\User Data

  • Elements Browser\User Data

  • Google\Chrome\User Data

  • Sputnik\Sputnik\User Data

  • Epic Privacy Browser\User Data

  • Nichrome\User Data

  • uCozMedia\Uran\User Data

  • CocCoc\Browser\User Data

  • Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

  • Uran\User Data

  • CatalinaGroup\Citrio\User Data

  • Chromodo\User Data

  • Coowon\Coowon\User Data

  • Mail.Ru\Atom\User Data

  • liebao\User Data

  • Microsoft\Edge\User Data

  • QIP Surf\User Data

  • BraveSoftware\Brave-Browser\User Data

  • Orbitum\User Data

  • Chromium\User Data

  • Comodo\Dragon\User Data

  • Google(x86)\Chrome\User Data

  • Amigo\User\User Data

  • MapleStudio\ChromePlus\User Data

  • Torch\User Data

  • Iridium\User Data

BunnyLoader steals the following information from these web browsers:

  • AutoFill data

  • Credit cards

  • Downloads

  • History

  • Passwords

The malware targets the following cryptocurrency wallets:

  • Armory

  • Exodus

  • AutomaticWallet

  • Bytecoin

  • Ethereum

  • Coinomi

  • Jaxx

  • Electrum

  • Guarda

BunnyLoader steals credentials from the following VPN clients:

  • ProtonVPN

  • OpenVPN

Credentials are also stolen from the following messaging applications:

  • Skype

  • Tox

  • Signal

  • Element

  • ICQ

Indicators of Compromise (IOCs)

C2 Server - 37[.]139[.]129[.]145/Bunny/

BunnyLoader samples:

  • dbf727e1effc3631ae634d95a0d88bf3

  • bbf53c2f20ac95a3bc18ea7575f2344b

  • 59ac3eacd67228850d5478fd3f18df78
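As an added example (not part of the ThreatLabz report), a small Python triage helper that refangs the published C2 indicator and checks proxy log lines and observed file hashes against the IOCs above; the log line layout and the log lines themselves are constructed for illustration.

```python
import re
from typing import Iterable

# IOCs as published in the report, kept in their defanged form.
C2_DEFANGED = "37[.]139[.]129[.]145/Bunny/"
SAMPLE_MD5S = {
    "dbf727e1effc3631ae634d95a0d88bf3",
    "bbf53c2f20ac95a3bc18ea7575f2344b",
    "59ac3eacd67228850d5478fd3f18df78",
}


def refang(indicator: str) -> str:
    """Turn the defanged form (37[.]139..., hxxp) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOST, _, _c2_path = refang(C2_DEFANGED).partition("/")
C2_PATH = "/" + _c2_path  # "/Bunny/"

# Constructed proxy log lines in a hypothetical "client method url status" layout.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://37.139.129.145/Bunny/register.php 200
10.0.0.12 GET http://example.org/index.html 200
10.0.0.34 POST http://37.139.129.145/Bunny/ 200
10.0.0.56 GET http://37.139.129.1/Bunny/ 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def find_c2_hits(log_text: str) -> list:
    """Return log entries whose host is the C2 IP and whose path is under /Bunny/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, method, url, status = m.groups()
        host, _, path = url.split("://", 1)[-1].partition("/")
        if host == C2_HOST and ("/" + path).startswith(C2_PATH):
            hits.append({"client": client, "method": method, "url": url, "status": status})
    return hits


def match_sample_hashes(observed: Iterable[str]) -> set:
    """Intersect observed MD5s (any case) with the published sample hashes."""
    return {h.strip().lower() for h in observed} & SAMPLE_MD5S
```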
