Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2024-0007
Version: N/A
CVE: N/A
Published: March 26, 2024
A new variant of information-stealing malware with upgraded modular capabilities, known as BunnyLoader 3.0 (Player_Bunny), has been discovered in the wild. It poses a serious threat because of its enhanced capabilities for stealing information, credentials and digital currency, and for delivering additional malware payloads. This third version of the malware-as-a-service infostealer has more data-theft modules, stronger keylogging features, smaller payloads and improved stealth. In addition to its denial-of-service capability, BunnyLoader 3.0 ships its DoS, keylogging, clipping and data-exfiltration modules as separate binaries rather than a single payload. This emphasises the need for safeguards to be put in place against this threat.
BunnyLoader is a Malware-as-a-Service (MaaS) offering that cybercriminals can buy (for $250) on numerous online forums. It contains a variety of functions, including the ability to download and execute a second-stage payload as well as to gather browser credentials and system information. Once BunnyLoader is installed on a user's device, it creates a new entry in the Windows Registry to establish persistence. The malware then runs a series of checks to determine whether it is running in a sandbox or a virtual machine. If it is not, BunnyLoader commences its malicious behaviour. It starts by submitting a task request to its remote command-and-control (C2) server, which returns a task for BunnyLoader to perform. The task may be to download and execute the second-stage malware payload, to steal data from the victim's device, or to redirect cryptocurrency payments to the attacker's wallet. BunnyLoader then collects the requested data, compresses it into a ZIP archive and transmits the archive to the C2 server, from which the attackers retrieve the stolen data.
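The behaviour described above (a registry persistence entry, data staged into a ZIP archive, then an outbound connection to the C2 server) is a sequence a defender can hunt for in host telemetry. The script below is an added example for this advisory and is not ngCERT's or any vendor's code: it correlates Sysmon-style events per process and reports processes that show the stages in order. The event IDs (13 = registry value set, 11 = file create, 3 = network connection), the field names and the Run/RunOnce key paths are assumptions, and the sample events are constructed for the demonstration.

```python
"""Correlate host telemetry for the persistence -> ZIP staging -> C2 beacon
sequence described in the advisory. Events are constructed, Sysmon-like
records (event_id 13 = registry set, 11 = file create, 3 = network connect);
field names and Run-key paths are assumptions, not values from ngCERT."""
import json
from collections import defaultdict

# Assumed autostart locations; matched case-insensitively on the lowercased path.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample telemetry, one JSON record per line (not real data).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2024-03-26T10:00:01", "event_id": 13, "pid": 4120,
                "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe",
                "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"}),
    json.dumps({"ts": "2024-03-26T10:00:05", "event_id": 11, "pid": 4120,
                "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe",
                "target": "C:\\Users\\u\\AppData\\Local\\Temp\\out.zip"}),
    json.dumps({"ts": "2024-03-26T10:00:09", "event_id": 3, "pid": 4120,
                "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "dst": "203.0.113.10:8080"}),
    # Benign installer: writes a Run key but never stages a ZIP or connects out.
    json.dumps({"ts": "2024-03-26T10:05:00", "event_id": 13, "pid": 5000,
                "image": "C:\\Program Files\\App\\setup.exe",
                "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App"}),
    # Benign browser: outbound connection with no persistence or staging.
    json.dumps({"ts": "2024-03-26T10:06:00", "event_id": 3, "pid": 6100,
                "image": "C:\\Program Files\\Browser\\browser.exe", "dst": "198.51.100.7:443"}),
    "this line is not json and must be skipped",
])


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_run_key(path):
    """True if a registry path sits under an assumed autostart (Run/RunOnce) key."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in RUN_KEY_MARKERS)


def correlate(events):
    """Group events by pid and look for the three stages in chronological order.

    Returns one finding per process that reached at least two stages; a
    process that completed all three is labelled 'high', otherwise 'medium'.
    """
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        stages = {}
        dst = None
        for e in evs:
            eid = e.get("event_id")
            if eid == 13 and "persist" not in stages and is_run_key(e.get("target", "")):
                stages["persist"] = e["ts"]
            elif (eid == 11 and "persist" in stages and "stage" not in stages
                  and e.get("target", "").lower().endswith(".zip")):
                stages["stage"] = e["ts"]
            elif eid == 3 and "stage" in stages and "beacon" not in stages:
                stages["beacon"] = e["ts"]
                dst = e.get("dst")
        if len(stages) >= 2:
            findings.append({
                "pid": pid,
                "image": evs[0].get("image"),
                "dst": dst,
                "stages": stages,
                "confidence": "high" if len(stages) == 3 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f, indent=2))
```

The ordering requirement (persistence before staging before beacon) is what keeps the benign installer and the browser out of the results; a single Run-key write on its own is common and would flood an analyst if alerted on alone. In production the same logic would read from a SIEM or EDR export rather than the embedded sample, and the Run-key list would be extended to the other autostart locations your environment monitors.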
Upon successful installation and execution on the victim’s system:
The following mitigation steps are recommended: