Mayakshi
Learning Centre for Cyber Security & Privacy Professionals
Niraj Shivtarkar, Satyam Singh
29 Sept 2023
In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes and a clipper to monitor the victim’s clipboard and replace cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and transmits the pilfered data to a command-and-control (C2) server.
In early September, ThreatLabz came across a new malware loader named BunnyLoader. The malware was being sold on various forums by a user named “PLAYER_BUNNY”/“PLAYER_BL”, who appears to be one of the developers of the loader, as shown in the figure below.
Based on the advertisement, BunnyLoader has the following features:
Written in C/C++
Fileless loader - download & execute further malware stages in memory
Consists of stealer and clipper capabilities
Remote command execution
Incorporates anti-analysis techniques
Provides a web panel showcasing stealer logs, total clients, active tasks and much more
Price - $250 (Lifetime)
If a sandbox is identified, BunnyLoader throws the following error message:
“The version of this file is not compatible with the current version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”
Otherwise, BunnyLoader performs an HTTP registration request to a C2 server.
BunnyLoader consists of the following tasks:
Trojan Downloader
Intruder
Clipper
Remote Command Execution
Run Keylogger Task
Run Stealer Task
Clipper Task
Download and Execute Task
Remote Command Execution Task
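A defender-side check for the clipper behaviour described above, added here as an example and not code from the blog or from Zscaler: it scans a log of clipboard-change events and flags the pattern a clipper produces, a wallet address replaced within seconds by a different address of the same kind, set by a process other than the one the user copied from. The ClipboardEvent record, the 5-second window, the process names and the sample events are all assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Address shapes a clipper commonly swaps: Bitcoin legacy (1.../3...), Bitcoin bech32 (bc1...), Ethereum.
# Shape only, no checksum validation; that is enough to recognise a same-kind replacement.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_SECONDS = 5.0   # a clipper rewrites moments after the copy; a person does not

# t: seconds since monitoring started; text: clipboard contents after the change;
# owner: process that set the clipboard (GetClipboardOwner on Windows). Assumed record shape.
ClipboardEvent = namedtuple("ClipboardEvent", "t text owner")

def classify_address(text):
    """Return 'btc' or 'eth' if text looks like a wallet address, else None."""
    s = text.strip()
    return next((k for k, pat in ADDRESS_PATTERNS.items() if pat.match(s)), None)

def detect_clipper_swaps(events):
    """Return (t, kind, original, replacement, owner) for every change that replaces a wallet address
    with a different same-kind address within SWAP_WINDOW_SECONDS, set by a different process."""
    alerts, prev = [], None          # prev = (event, kind) of the last address-bearing event
    for ev in events:
        kind = classify_address(ev.text)
        if kind is None:
            prev = None              # non-address content breaks the chain
            continue
        if prev is not None:
            p, pkind = prev
            if (kind == pkind and ev.text.strip() != p.text.strip()
                    and ev.t - p.t <= SWAP_WINDOW_SECONDS and ev.owner != p.owner):
                alerts.append((ev.t, kind, p.text, ev.text, ev.owner))
        prev = (ev, kind)
    return alerts

# Constructed sample: a BTC address rewritten 0.4 s after the copy by an unrelated process (one
# alert), then two ETH addresses copied 14 s apart from the same browser (benign, no alert).
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "chrome.exe"),
    ClipboardEvent(0.4, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "updater.exe"),
    ClipboardEvent(30.0, "meeting notes for thursday", "notepad.exe"),
    ClipboardEvent(31.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE", "chrome.exe"),
    ClipboardEvent(45.0, "0x52908400098527886E0F7030069857D2E4169EE7", "chrome.exe"),
]

if __name__ == "__main__":
    for t, kind, orig, new, owner in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{t:.1f}s] {kind} address swapped by {owner}: {orig} -> {new}")
```

On a live host the events would come from a clipboard-change hook rather than a static list; the detection rule itself is unchanged.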
BunnyLoader targets the user data directories of the following web browsers:
7Star\7Star\User Data
Yandex\YandexBrowser\User Data
CentBrowser\User Data
Comodo\User Data
Chedot\User Data
360Browser\Browser\User Data
Vivaldi\User Data
Maxthon3\User Data
Kometa\User Data
K-Melon\User Data
Elements Browser\User Data
Google\Chrome\User Data
Sputnik\Sputnik\User Data
Epic Privacy Browser\User Data
Nichrome\User Data
uCozMedia\Uran\User Data
CocCoc\Browser\User Data
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Uran\User Data
CatalinaGroup\Citrio\User Data
Chromodo\User Data
Coowon\Coowon\User Data
Mail.Ru\Atom\User Data
liebao\User Data
Microsoft\Edge\User Data
QIP Surf\User Data
BraveSoftware\Brave-Browser\User Data
Orbitum\User Data
Chromium\User Data
Comodo\Dragon\User Data
Google(x86)\Chrome\User Data
Amigo\User\User Data
MapleStudio\ChromePlus\User Data
Torch\User Data
Iridium\User Data
BunnyLoader steals the following information from these web browsers:
AutoFill data
Credit cards
Downloads
History
Passwords
The malware targets the following cryptocurrency wallets:
Armory
Exodus
AutomaticWallet
Bytecoin
Ethereum
Coinomi
Jaxx
Electrum
Guarda
BunnyLoader steals credentials from the following VPN clients:
ProtonVPN
OpenVPN
Credentials are also stolen from the following messaging applications:
Skype
Tox
Signal
Element
ICQ
Indicators of Compromise (IOCs)
C2 Server - 37[.]139[.]129[.]145/Bunny/
BunnyLoader samples:
dbf727e1effc3631ae634d95a0d88bf3
bbf53c2f20ac95a3bc18ea7575f2344b
59ac3eacd67228850d5478fd3f18df78