BunnyLoader: The advanced MaaS that worries security experts

Security researchers have discovered a new malware-as-a-service (MaaS) called BunnyLoader, which is advertised on multiple hacker forums.

It is a loader that can act on a victim's system, stealing or deleting locally stored data (and more). One worrying trait of this malware is the pace of its development: its creators maintain it almost obsessively, adding features and fixing bugs with striking regularity.

Since the MaaS first appeared on dark web forums on September 4th, it has evolved into a very different piece of malware from its first version.

Beyond the data theft already mentioned, BunnyLoader's current capabilities allow affiliates to run remote commands and to steal cryptocurrency from victims. According to Zscaler's researchers, these capabilities and the relatively low price at which it is sold have made the malware popular among cybercriminals.

BunnyLoader malware is constantly evolving

The malware performs several checks to determine whether it is running in a sandbox or other simulated environment, and if so it aborts with a fake architecture-incompatibility error instead of revealing its real behaviour.

In addition to the functions above, the malware also includes modules that steal data stored by web browsers and other applications, including:

  • passwords
  • credit card data
  • browsing history
  • cryptocurrency wallets
  • VPN clients
  • messaging apps

essentially acting as a classic infostealer.

All stolen data is compressed into a ZIP archive before being sent to the threat actor's command-and-control (C2) server.
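The packaging step above is something a defender can key on: an outbound request body that carries a ZIP archive whose entries look like browser credential stores or wallet files is worth a closer look. The following Python is an added example, not BunnyLoader code or anything from Zscaler's report. It looks for the ZIP local-file-header signature in a captured request body, lists the archive's entries with the standard `zipfile` module, and flags entry names that match well-known secret stores (Chromium's `Login Data`, `Web Data`, `History` and `Cookies` SQLite files, and Bitcoin Core's `wallet.dat`). The sample body is constructed inline; the assumption that a stealer ships those files under their original names is the author's own heuristic, not a documented BunnyLoader indicator.

```python
"""Triage an outbound HTTP body for ZIP-packaged data that looks like stealer loot.

Added example (not BunnyLoader's or Zscaler's code). The file names flagged are
real Chromium / Bitcoin Core artifacts; treating them as an exfiltration
indicator is an assumption made for this demonstration.
"""
import io
import re
import zipfile
from typing import Optional

# Signature of a ZIP local file header ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"

# Assumed indicator list: files that commonly hold credentials or keys on a workstation.
SUSPICIOUS_NAMES = re.compile(r"(^|/)(Login Data|Web Data|History|Cookies|wallet\.dat)$")


def find_zip_payload(body: bytes) -> Optional[bytes]:
    """Return the part of `body` starting at the first ZIP local header, or None."""
    idx = body.find(ZIP_MAGIC)
    return body[idx:] if idx != -1 else None


def inspect_zip(blob: bytes) -> dict:
    """List the archive's entries and the subset matching SUSPICIOUS_NAMES.

    zipfile locates the end-of-central-directory record from the tail of the
    buffer, so trailing multipart bytes after the archive are tolerated.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    flagged = [n for n in names if SUSPICIOUS_NAMES.search(n)]
    return {"entries": names, "flagged": flagged}


def triage_request(body: bytes) -> dict:
    """Decide whether `body` carries a ZIP and which entries look like loot."""
    payload = find_zip_payload(body)
    if payload is None:
        return {"zip": False, "entries": [], "flagged": []}
    try:
        info = inspect_zip(payload)
    except zipfile.BadZipFile:
        # Truncated capture or a segment holding only the header: still report
        # the magic hit so an analyst can pull the full stream.
        return {"zip": True, "entries": [], "flagged": []}
    return {"zip": True, **info}


def build_sample_body() -> bytes:
    """Constructed sample: a multipart POST carrying a small ZIP of fake loot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Chrome/Default/Login Data", b"fake sqlite")
        zf.writestr("Chrome/Default/History", b"fake sqlite")
        zf.writestr("wallets/wallet.dat", b"fake wallet")
        zf.writestr("readme.txt", b"nothing")
    boundary = b"----demo"
    return (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n"
        + buf.getvalue()
        + b"\r\n--" + boundary + b"--\r\n"
    )


if __name__ == "__main__":
    result = triage_request(build_sample_body())
    print("zip present:", result["zip"])
    print("entries:", result["entries"])
    print("flagged:", result["flagged"])
```

In practice the body would come from a proxy, an EDR network capture or a packet carve rather than the constructed sample; the signature check runs before any parsing, so a partial capture still produces an alert. A password-protected archive would still be identified as a ZIP and its entry names would still be listed, since ZIP encryption does not hide the central directory.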

As already noted, BunnyLoader is constantly evolving, so its feature set is hard to pin down.

Since its release it has already received about ten updates. The latest recorded, dated September 27, includes fixes for critical SQL injection and XSS vulnerabilities, improved data theft capabilities, and an optimized fileless loader.
