Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads

Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads

An unrecorded .NET Loader was identified during routine threat hunting that downloads, decrypts, and executes a wide range of malicious payloads. 

Multiple threat actors extensively distributed this new loader in early June 2023 through the following mediums:-

Malicious phishing emails

Deceptive YouTube videos

Fake web pages mimicking legitimate websites
Ditribution mediums (Source – Sekoia)

The cybersecurity researchers at Sekoia identified this new .NET loader and named this newly discovered loader malware “CustomerLoader.”

Security analysts appointed this name due to its Command and Control (C2) communications containing the term “customer” and its loading functionalities.

.NET Loader to Deliver Payloads

CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families like:-


Remote Access Trojans (RAT)

Commodity ransomware

In March 2023, the security experts at Checkpoint publicly documented dotRunpeX as a .NET injector that is equipped with multiple anti-analysis techniques.

The association between CustomerLoader and an undisclosed Loader-as-a-Service is highly probable.

The dotRunpeX developer may have added CustomerLoader as a stage before the injector is executed.

Infection chain (Source – Sekoia)

CustomerLoader samples employ multiple code obfuscation techniques, disguising themselves as legitimate apps. This slows down and extends the analysis, likely due to easy-to-use .NET code obfuscation tools. 

However, there are numerous such tools that are accessible via NotPrab/.NET-Obfuscator GitHub repository, even for non-experts as well.

CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.

CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll, returning AMSI_RESULT_CLEAN to bypass antivirus. This marks the buffer as clean and permits the safe execution of malicious payloads.

Function that patches AmsiScanBuffer (Source – Sekoia)

The loader executes the customer payload following this process:-

From an embedded URL, an HTML page is downloaded by the CustomerLoader.

An encoded base64 string is extracted using regex: “/!!!(.*?)!!!/”

Then the base64 string is decoded and decrypted by it.

Then the payload is executed in memory using the reflective code technique.

The method of code reflection is obfuscated by shuffling, enabling the loading of .NET functions using the following function:-


The encrypted payloads are retrieved by the CustomerLoader samples from their C2 server, with each payload linked to a unique customer ID that is hosted at:- 


The CustomerLoader samples were directly connected to C2 server IP 5.42.94[.]169 via HTTP between  31 May and 20 June 2023. While the C2 server switched to the domain kyliansuperm92139124[.]sbs and HTTPS, protected by Cloudflare on 20 June 2023.

The domain acts as a proxy, while the backend server remains 5.42.94[.]169. This C2 server changes likely aims to evade network detections and hinder security researchers’ analysis, according to Sekoia.io analysts.

Malware Families Distributed

Here below we have mentioned all the malware families that are distributed by CustomerLoader:-










Kraken Keylogger












Variant of WannaCry

TZW ransomware

CustomerLoader distributes the following malware families, each associated with a distinct number of unique botnets:-

Redline: over 80 botnets

Quasar: 45 botnets

Vidar: 9 botnets

Remcos: 6 botnets

Stealc: 4 botnets

Formbook: 4 botnets

CustomerLoader, when combined with the dotRunpeX injector, enhances compromise rates by reducing the detection of the final payload, despite lacking advanced techniques.


hxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z: Payload delivery URL

d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9: Archive

3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82: CustomerLoader payload

hxxp://5.42.94[.]169/customer/735: CustomerLoader’s C2 URL

hxxps://telegra[.]ph/Full-Version-06-03-2: Malicious redirection webpage

hxxps://tinyurl[.]com/bdz2uchr: Shortened URL redirecting to the payload delivery URL

hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file: Payload delivery URLs

hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file: Payload delivery URLs

65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f: Archive

7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc: Archive

c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6: CustomerLoader payload

hxxp://5.42.94[.]169/customer/770: CustomerLoader’s C2 URL

45.9.74[.]99: Raccoon stealer’s C2

5.42.65[.]69: Raccoon stealer’s C2

hxxps://slackmessenger[.]site/: Malicious webpage impersonating Slack website

hxxps://slackmessenger[.]pw/slack.zip: Payload delivery

695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6: Archive

b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca: CustomerLoader payload

hxxp://5.42.94[.]169/customer/798: CustomerLoader’s C2 URL

missunno[.]com:80: Redline stealer’s C2

The post Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads appeared first on Cyber Security News.

   Read More 

Cyber Security News