December 2, 2023

Researchers have identified an emerging Malware-as-a-Service (MaaS) threat known as BunnyLoader, available on underground forums.

BunnyLoader, primarily written in C/C++, is a fileless loader that conducts malicious activities in memory, making detection more challenging for cybersecurity experts. It features a range of capabilities, including keylogging, clipboard monitoring to hijack cryptocurrency wallet addresses and remote command execution.

Since its initial release in September 2023, BunnyLoader has gone through several iterations, each bringing enhancements and fixes. These updates address bugs, introduce new functionality, and adapt the malware to thwart analysis attempts. The malware now offers options for payload and stub purchases at $250 and $350, respectively.


The core of BunnyLoader’s operations revolves around its C2 panel, which oversees various tasks, including downloading and executing additional malware, keylogging, credential theft, clipboard manipulation for cryptocurrency theft and remote command execution. The C2 panel also offers statistics, client tracking and task management, providing the threat actor with extensive control over infected machines.

The malware’s keylogger records keystrokes, and the stealer component exfiltrates a wide range of data, including information from web browsers, cryptocurrency wallets and VPN clients. The malware maintains persistence, has enhanced anti-sandbox tactics that can detect virtual environments, and employs various techniques to evade analysis.

The clipper module is another concerning feature: it scans a victim’s clipboard for cryptocurrency addresses and replaces them with attacker-controlled wallet addresses. This enables attackers to divert cryptocurrency transactions.
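
A detection heuristic for the clipboard substitution described above, as an added example that is not from the original research: it flags a copied cryptocurrency address that is replaced by a different address of the same type faster than a user could plausibly re-copy. It assumes an endpoint agent already records clipboard changes as (timestamp in seconds, text) pairs; that event format, the simplified address patterns, the 2-second window and all sample addresses are constructed for illustration.

```python
import re

# Simplified address shapes for two coin types (assumption of this example).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
}
SWAP_WINDOW_SECONDS = 2.0  # hypothetical threshold, tune per environment


def classify(text):
    """Return the coin type whose address shape the text matches, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return coin
    return None


def find_swaps(events, window=SWAP_WINDOW_SECONDS):
    """Flag an address replaced by a different address of the same coin
    type within `window` seconds of the original copy."""
    alerts = []
    prev = None  # (timestamp, stripped text, coin type) of the previous event
    for ts, text in events:
        coin, value = classify(text), text.strip()
        if (prev and coin and coin == prev[2]
                and value != prev[1] and ts - prev[0] <= window):
            alerts.append({"time": ts, "coin": coin,
                           "copied": prev[1], "replaced_by": value})
        prev = (ts, value, coin)
    return alerts


# Constructed clipboard history; none of these are real wallet addresses.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a" * 40),   # user copies an ETH-shaped address
    (10.3, "0x" + "b" * 40),   # swapped 0.3 s later: flagged
    (60.0, "1" + "B" * 30),    # user copies a BTC-shaped address
    (95.0, "1" + "C" * 30),    # different address 35 s later: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

Clipboard managers can produce rapid legitimate changes, so correlating an alert with the process that wrote to the clipboard reduces false positives.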

This research was documented by researchers from Zscaler.

Indicators of Compromise

  • 37[.]139[.]129[.]145/Bunny/
  • dbf727e1effc3631ae634d95a0d88bf3
  • bbf53c2f20ac95a3bc18ea7575f2344b
  • 59ac3eacd67228850d5478fd3f18df78

