BunnyLoader Malware Targets Browsers and Cryptocurrency

Zscaler ThreatLabz has identified a newly emerging Malware-as-a-Service (MaaS) threat known as "BunnyLoader," available on underground forums. The tool, priced at $250, is actively under development, rapidly evolving with various feature updates and bug fixes.

BunnyLoader, written primarily in C/C++, is a fileless loader: it carries out its malicious activity in memory rather than writing payloads to disk, which makes detection harder for defenders. Its capabilities include keylogging, clipboard monitoring to hijack cryptocurrency wallet addresses, and remote command execution (RCE).

Since its initial release on September 4, 2023, BunnyLoader has gone through several iterations, each bringing enhancements and fixes. These updates address bugs, introduce new functionality, and add measures intended to thwart analysis. The seller now also offers the payload and a stub as separate purchases, at $250 and $350, respectively.

According to an advisory published by Zscaler last Friday, the core of BunnyLoader's operations revolves around its command-and-control (C2) panel, which oversees various tasks, including downloading and executing additional malware, keylogging, credential theft, clipboard manipulation for cryptocurrency theft and remote command execution (RCE). 

The C2 panel also offers statistics, client tracking and task management, providing the threat actor with extensive control over infected machines.

Zscaler's technical analysis also covers BunnyLoader's persistence mechanisms, its anti-sandbox tactics and its interactions with C2 servers. The malware checks whether it is running in a virtual environment and uses several techniques to evade analysis.

Notably, the malware's keylogger records keystrokes and the stealer component exfiltrates a wide range of data, including information from web browsers, cryptocurrency wallets and VPN clients.

The clipper module is another concerning feature. It watches the victim's clipboard for text that looks like a cryptocurrency wallet address and silently replaces it with an attacker-controlled address, so that a victim who copies and pastes a recipient address ends up sending funds to the attacker.
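To make the clipper behaviour concrete, the following is an added example (not BunnyLoader's code, and not taken from the Zscaler report) that models both sides: the substitution logic a clipper applies to clipboard contents, and a defensive monitor that flags a hijack by comparing what the user copied with what the clipboard later holds. The address regexes, the attacker wallet placeholders and the clipboard events are all constructed for the example; the exact address families and patterns BunnyLoader matches are not given on the page.

```python
import re
from dataclasses import dataclass

# Address patterns, constructed for this example. Real clippers carry similar
# regexes; the exact set BunnyLoader uses is not stated on the page.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}

# Attacker-controlled replacement addresses (placeholders, not real wallets).
ATTACKER_WALLETS = {
    "btc": "bc1q" + "a" * 38,
    "eth": "0x" + "1" * 40,
}


def classify_address(text):
    """Return the coin family if `text` looks like a wallet address, else None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def clipper_rewrite(clipboard_text):
    """Clipper logic as the article describes it: if the clipboard holds a wallet
    address of a family the attacker has a wallet for, return the attacker's
    address in its place; any other text is passed through untouched so the
    victim notices nothing."""
    coin = classify_address(clipboard_text)
    if coin is None or coin not in ATTACKER_WALLETS:
        return clipboard_text
    return ATTACKER_WALLETS[coin]


@dataclass
class ClipEvent:
    """One observation of the clipboard. `source` is "user_copy" when the user
    deliberately copied something, or "poll" for a background read of the
    current clipboard contents."""
    source: str
    text: str


def detect_clipboard_hijack(events):
    """Defensive check: flag any poll where the clipboard holds a *different*
    address of the *same* family as the one the user last copied, with no
    intervening user copy. A legitimate user copy resets the baseline; ordinary
    text changes are ignored. Returns (copied, observed) pairs."""
    alerts = []
    last_copied = None
    for event in events:
        if event.source == "user_copy":
            last_copied = event.text.strip()
            continue
        current = event.text.strip()
        if last_copied is None or current == last_copied:
            continue
        copied_family = classify_address(last_copied)
        if copied_family is not None and classify_address(current) == copied_family:
            alerts.append((last_copied, current))
    return alerts


if __name__ == "__main__":
    # Constructed scenario: the user copies a BTC address, the clipper rewrites it,
    # then the user copies a note and the clipboard is left alone.
    victim_btc = "1" + "A" * 33
    events = [
        ClipEvent("user_copy", victim_btc),
        ClipEvent("poll", clipper_rewrite(victim_btc)),
        ClipEvent("user_copy", "meeting at 10"),
        ClipEvent("poll", clipper_rewrite("meeting at 10")),
    ]
    for copied, observed in detect_clipboard_hijack(events):
        print(f"clipboard hijack: copied {copied} but clipboard now holds {observed}")
```

The detection heuristic works because a clipper must replace the address with one of the same family to keep the transaction valid; a monitor that only checks "is this a crypto address?" would miss the swap, whereas comparing the observed address against the one the user actually copied catches it. The usual end-user advice follows from the same fact: verify the first and last characters of a pasted address against the intended recipient before sending.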

"BunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets," wrote security researchers Niraj Shivtarkar and Satyam Singh. "The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe."
