A previously undocumented .NET loader that downloads, decrypts, and executes a wide range of malicious payloads was identified during routine threat hunting.
Multiple threat actors distributed this new loader extensively in early June 2023 through the following mediums:-
Malicious phishing emails
Deceptive YouTube videos
Fake web pages mimicking legitimate websites
Distribution mediums (Source – Sekoia)
The cybersecurity researchers at Sekoia identified this new .NET loader and named it “CustomerLoader.”
Security analysts chose this name because the loader’s Command and Control (C2) communications contain the term “customer” and because of its loading functionality.
.NET Loader to Deliver Payloads
CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families like:-
Infostealers
Remote Access Trojans (RAT)
Commodity ransomware
In March 2023, the security experts at Checkpoint publicly documented dotRunpeX as a .NET injector that is equipped with multiple anti-analysis techniques.
CustomerLoader is very likely linked to an undisclosed Loader-as-a-Service offering.
The dotRunpeX developer may have added CustomerLoader as an extra stage that runs before the injector is executed.
Infection chain (Source – Sekoia)
CustomerLoader samples employ multiple code obfuscation techniques and disguise themselves as legitimate applications, which slows down and prolongs analysis. The obfuscation was most likely produced with easy-to-use .NET code obfuscation tools.
Numerous such tools are listed in the NotPrab/.NET-Obfuscator GitHub repository and are accessible even to non-experts.
CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.
CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll so that it always returns AMSI_RESULT_CLEAN, bypassing antivirus. Every scanned buffer is thereby reported as clean, which lets the malicious payload execute without being flagged.
Function that patches AmsiScanBuffer (Source – Sekoia)
The loader executes the customer payload following this process:-
CustomerLoader downloads an HTML page from an embedded URL.
A base64-encoded string is extracted from the page using the regex “/!!!(.*?)!!!/”.
The loader then base64-decodes and decrypts the string.
Finally, the payload is executed in memory using reflection.
The reflection calls are obfuscated by shuffling, and .NET functions are loaded through the following method:-
NewLateBinding.LateGet
The CustomerLoader samples retrieve the encrypted payloads from their C2 server, where each payload is linked to a unique customer ID and hosted at:-
hxxp://$C2/customer/$ID
Between 31 May and 20 June 2023, the CustomerLoader samples connected directly over HTTP to the C2 server IP 5.42.94[.]169. On 20 June 2023 the C2 switched to the domain kyliansuperm92139124[.]sbs over HTTPS, fronted by Cloudflare.
The domain acts as a proxy, while the backend server remains 5.42.94[.]169. According to Sekoia.io analysts, this change of C2 infrastructure likely aims to evade network detections and hinder security researchers’ analysis.
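The two artefacts the article quotes, the “!!!…!!!” marker around the base64 blob in the downloaded page and the /customer/$ID path on the C2, are both usable for analysis and detection. The following is an added example, not Sekoia’s or the article’s code: it isolates the marker-delimited blob from a captured page without running it, and flags proxy log lines whose URL path matches /customer/<digits>. The HTML page, the log layout (“client method url status”) and the 203.0.113.10 address are constructed for the example.

```python
import base64
import binascii
import re

# Marker regex quoted in the article; the loader takes the base64 blob between "!!!" pairs.
PAYLOAD_MARKER = re.compile(r"!!!(.*?)!!!", re.DOTALL)
# C2 path layout quoted in the article: hxxp://$C2/customer/$ID
CUSTOMER_PATH = re.compile(r"^/customer/\d+$")


def extract_payload_blobs(html: str) -> list[bytes]:
    """Decode each marker-delimited run in *html* that is valid base64.

    The result is still encrypted (the loader decrypts it next); nothing is run.
    """
    blobs = []
    for candidate in PAYLOAD_MARKER.findall(html):
        try:
            blobs.append(base64.b64decode(candidate.strip(), validate=True))
        except (binascii.Error, ValueError):
            continue  # ordinary text between exclamation marks, not a payload
    return blobs


def flag_customer_requests(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client, url) for requests whose path is /customer/<digits>.

    Assumes a constructed, hypothetical "client method url status" log layout.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        path = re.sub(r"^https?://[^/]+", "", parts[2])
        if CUSTOMER_PATH.match(path):
            hits.append((parts[0], parts[2]))
    return hits


# Constructed sample page: a decoy "!!!" run plus one marker-wrapped blob.
SAMPLE_HTML = ("<html><body>Sale!!! ends soon!!!<p>!!!"
               + base64.b64encode(b"\x00\x01encrypted-bytes-placeholder").decode()
               + "!!!</p></body></html>")
# Constructed proxy lines; 203.0.113.10 is a TEST-NET address, not the real C2.
SAMPLE_LOGS = [
    "10.0.0.5 GET http://203.0.113.10/customer/735 200",
    "10.0.0.5 GET http://203.0.113.10/index.html 200",
    "10.0.0.7 GET https://example.invalid/customer/abc 404",
    "10.0.0.9 GET https://example.invalid/customer/798 200",
]
```

The path check alone will also match unrelated sites that happen to use /customer/<id>, so in production it should be combined with the destination indicators rather than used on its own.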
Malware Families Distributed
The following malware families are distributed by CustomerLoader:-
Redline
Formbook
Vidar
Stealc
Raccoon
Lumma
StormKitty
AgentTesla
DarkCloud
Kraken Keylogger
AsyncRAT
Quasar
Remcos
XWorm
njRAT
WarzoneRAT
BitRAT
NanoCore
SectopRAT
LgoogLoader
Amadey
Variant of WannaCry
TZW ransomware
Among these, the following families are each associated with a distinct number of unique botnets:-
Redline: over 80 botnets
Quasar: 45 botnets
Vidar: 9 botnets
Remcos: 6 botnets
Stealc: 4 botnets
Formbook: 4 botnets
CustomerLoader, when combined with the dotRunpeX injector, increases the likelihood of a successful compromise by lowering detection of the final payload, despite lacking advanced techniques.
IoCs
The post Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads appeared first on Cyber Security News.