Known Threat Actor Develops Malware Downloader

Written by

A known malicious actor who goes by the username Yattaze has been selling a malware downloader, Kardon Loader, as a paid open beta product, which Netscout Arbor believes is a rebranding of the cyber-criminal’s ZeroCool botnet.

Advertised on underground forums since late April, the malware downloader has full bot capabilities and is offered at a starting price of $50 BTC for the standard version and $70 BTC for the botshop. According to a recent post from Netscout Arbor, “the actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”

Customers on underground forums are invited to join the project and start their own network using the Kardon Loader, which claims to be extremely stable and capable of holding large amounts of clients.

The relatively small size of the malware (10kb), which is still in development, reportedly sets it apart from other malware downloaders currently available. It is also is advertised as being specifically programmed for crypter compatibility.

Malware downloaders and botshops are often used by malware authors and distributors to both create botnets and distribute additional payloads. Those payloads – run by third-party operators of malware distribution networks – can include credentials theft, ransomware and banking Trojans, however, Yattaze used a disclaimer in the Kardon ad stating that the software should not be used for malicious purposes, but that it is “for personal use and educational purposes only, you take full responsibility for any type of misuse of the software.”

This new botnet-capable malware loader doesn’t represent new advances in the way the cyber-criminal community functions, said Sean Newman, director of product development for Corero Network Security, who pointed out that botnets are regularly used to launch distributed denial-of-service attacks.

“We are way past the time when hackers operated solely in isolation and had to craft every component of their attacks themselves. Pretty much every element of cybercrime is now part of a broader ecosystem, with hackers specializing in certain areas and then selling those skills or capabilities on the dark web to others who can then use that for a broader cybercrime campaign.”

What’s hot on Infosecurity Magazine?