A Sophisticated Variant of Infostealer Malware-as-a-Service Discovered

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2024-0007
Version:
N/A
CVE:
N/A
Published:
March 26, 2024

Summary


A new variant of infostealer malware with upgraded modular capabilities, known as BunnyLoader 3.0 (Player_Bunny), has been discovered in the wild. It poses a serious threat because of its enhanced capabilities for stealing information, credentials and digital currency, and for delivering additional malware payloads. The third version of this information-stealing malware-as-a-service threat has more data theft modules, stronger keylogging features, smaller payloads and improved stealth. Aside from its denial-of-service capability, BunnyLoader 3.0 uses separate binaries for its DoS, keylogging, clipping and data exfiltration modules. This emphasizes the need for safeguards against this threat.

Description & Consequence


BunnyLoader is a Malware-as-a-Service (MaaS) that cybercriminals may buy (for $250) on numerous online forums. It contains a variety of functions, including the ability to download and execute a second-stage payload as well as to gather browser credentials and system information. Once BunnyLoader is installed on a user's device, it creates a new entry in the Windows Registry to maintain persistence. The malware then runs a series of checks to determine whether it is running in a sandbox or a virtual machine; if it is not, BunnyLoader proceeds with its malicious activity while staying hidden. It begins by submitting a task request to its remote command-and-control (C2) server, which returns a task for BunnyLoader to perform: download and execute the second-stage malware payload, steal data from the victim's device, or redirect cryptocurrency payments to the attacker's wallet. BunnyLoader collects the requested data, compresses it into a ZIP archive and transmits the archive to the C2 server, from which the attackers retrieve the stolen data.

Upon successful installation and execution on the victim’s system:

  1. BunnyLoader is capable of recording keystrokes made by the victim, thereby capturing sensitive information such as usernames, passwords, and other input.
  2. BunnyLoader can extract login credentials and system-related data from the compromised system, potentially compromising user accounts and system security.
  3. It can monitor and manipulate the victim's clipboard, particularly for cryptocurrency-related activities. This enables it to replace cryptocurrency wallet addresses with addresses controlled by the attackers, potentially leading to financial losses for victims.
  4. It can access and steal data stored in web browsers (passwords, credit card details, browsing history, AutoFill data), cryptocurrency wallets, VPNs, messaging apps, and more.
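The behaviour chain described above (a Run-key persistence entry, followed by a C2 connection and a ZIP archive created by the same process) can be hunted for in endpoint telemetry. The following is an added detection example, not code from the advisory or from ngCERT; the pipe-delimited log format, the Run key as the persistence location, and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical format, not real BunnyLoader logs):
# timestamp|event|pid=|image=|target=, one event per line, in time order.
SAMPLE_EVENTS = """\
2024-03-26T10:01:02|RegistrySet|pid=4120|image=C:\\Users\\u\\AppData\\Roaming\\upd.exe|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
2024-03-26T10:01:05|NetworkConnect|pid=4120|image=C:\\Users\\u\\AppData\\Roaming\\upd.exe|target=203.0.113.10:443
2024-03-26T10:01:06|FileCreate|pid=4120|image=C:\\Users\\u\\AppData\\Roaming\\upd.exe|target=C:\\Users\\u\\AppData\\Local\\Temp\\data.zip
2024-03-26T10:02:00|RegistrySet|pid=880|image=C:\\Program Files\\Vendor\\setup.exe|target=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor
2024-03-26T10:02:01|NetworkConnect|pid=2200|image=C:\\Program Files\\Browser\\browser.exe|target=198.51.100.7:443
"""

# Assumed persistence location: the Run / RunOnce keys (the advisory only says
# "a new item in the Windows Registry").
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
FULL_CHAIN = {"persist", "c2", "archive"}

def parse_event(line):
    """Split one constructed log line into a dict of its fields."""
    ts, event, *kv = line.split("|")
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": ts, "event": event, **fields}

def find_chains(text):
    """Return {pid: image} for processes that first write a Run-key value and
    then both open an outbound connection and create a ZIP archive."""
    seen = defaultdict(set)
    images = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = ev["pid"]
        images[pid] = ev["image"]
        if ev["event"] == "RegistrySet" and RUN_KEY.search(ev["target"]):
            seen[pid].add("persist")
        elif "persist" not in seen[pid]:
            continue  # only count C2 / archive activity after persistence was set
        elif ev["event"] == "NetworkConnect":
            seen[pid].add("c2")
        elif ev["event"] == "FileCreate" and ev["target"].lower().endswith(".zip"):
            seen[pid].add("archive")
    return {pid: images[pid] for pid, b in seen.items() if b == FULL_CHAIN}

if __name__ == "__main__":
    for pid, image in find_chains(SAMPLE_EVENTS).items():
        print(f"suspicious chain: pid={pid} image={image}")
```

The vendor installer (pid 880) writes a Run key but never connects out or builds an archive, and the browser (pid 2200) connects out without persistence, so only pid 4120 is flagged.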

Solution


The following mitigation steps are recommended:

  1. Avoid opening suspicious emails and clicking on untrusted links.
  2. Ensure all systems are patched with the latest security updates for operating systems, browsers, and applications.
  3. Implement robust endpoint security solutions that can detect and block malware activity.
  4. Maintain regular backups of critical data to ensure quick recovery in case of a malware attack.
  5. Exercise prudence when dealing with emails, advertisements, and downloads from unfamiliar origins to avoid unintentional computer infections.
  6. Use a firewall and keep it up to date. A firewall can help to block unauthorized traffic to your devices.
