Serious Discussion Malware Loaders.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,188
Malware Loaders (recent examples).

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

www.threatdown.com

New Go loader pushes Rhadamanthys stealer

A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
www.threatdown.com www.threatdown.com
Click to expand...

Malware loaders are tricky business for SOC teams. Mitigation for one loader may not work for another, even if it loads the same malware. And they’re one of the most common tools for a cyber-threat actor to secure initial access to a network, then help drop payloads (remote-access software and post-exploitation tools are popular choices).

ReliaQuest has uncovered a load of loaders causing havoc for defenders. The seven that we observed the most in customer environments so far this year are shown in Figure 1.

1715538331471.png


www.reliaquest.com

3 Malware Loaders You Can’t (Shouldn't) Ignore - ReliaQuest

Loader malware is working behind the scenes in many organizations' environments, doing the heavy lifting that helps an infection spread. ReliaQuest has picked out the most commonly observed loaders and outlined why SOC analysts should worry about them, plus how to defend against them.
www.reliaquest.com www.reliaquest.com
Click to expand...

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced evasion techniques, loaders bypass security measures and exploit various distribution channels for extensive impact, threat groups enhance their ability to download and execute various malware types as demonstrated by Smoke Loader and GuLoader, highlighting their role in extensive malware distribution.

www.trustwave.com

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware.
www.trustwave.com www.trustwave.com
Click to expand...


1715538589515.png



thehackernews.com

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A newer version of the Hijack Loader malware has been observed with updated anti-analysis techniques to evade detection.
thehackernews.com thehackernews.com
Click to expand...

The new Rugmi malware loader is also known as Win/TrojanDownloader.Rugmi is gaining notoriety among numerous hackers for its role in delivering various information stealers. Some confirmed infostealers that benefited from this new malicious tool are the Lumma Stealer, Vidar, RecordBreaker, and Rescoms.

Moreover, Rugmi is a loader that has three distinct components. The first one is a downloader that fetches an encrypted payload. The next one is a loader that runs the payload from internal resources, and the last one is a loader that runs the payload from an external file on the disk. This intricate structure of this new tool allows the malware to operate with a high degree of sophistication.

Click to expand...

The Impact of GuLoader

GuLoader is available as a service for a relatively low price, can be easily found in the clearnet, and comes with easy-to-follow instructions. No wonder, then, that creators claim they already have over 5000 clients. Thanks to the combination of advanced anti-evasion tricks and ease of use, we expect its popularity to continue to grow.

The contribution made by malware loaders, often referred to as “crypters,” is of great significance in the propagation of Remote Administration Tools (RATs) and data-stealing malwares that target individual user information. The pilfered Personal Identifiable Information (PII) sourced from compromised endpoints is predominantly gathered and directed towards various underground data marketplaces for sale. This phenomenon has a cascading impact on enterprises, as critical authentication-related data is leaked from users’ personal devices, consequently granting unauthorized access to corporate networks.

GuLoader is extensively utilized within large-scale malware campaigns to infiltrate users’ systems with prevalent data-stealing malwares like Raccoon, Vidar, and Redline. Additionally, these campaign activities are also responsible for disseminating commodity RATs like Remcos.

GuLoader Downloaded: A Look at the Latest Iteration

GuLoader stands out as a prominent downloader founded on shellcode that has been used in many attacks. We delve into its delivery methods and impact.
cyberint.com cyberint.com
Click to expand...


In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.

The initial pricing was $70 per day and $490 for a week of access. TRU has observed the loader dropping Raccoon Stealer and Danabot for two separate infection cases.

1715538987451.png


www.esentire.com

D3F@ck Loader, the New MaaS Loader

Learn more about the D3F@ck Loader malware and get security recommendations from our Threat Response Unit (TRU) to protect your business from this cyber…
www.esentire.com www.esentire.com
Click to expand...

The last example is uncommon. Most Loaders are digitally signed with fake certificates. Malware with an EV certificate is rare.
 
  • Like
  • Hundred Points
  • Applause
Reactions: silversurfer, cryogent, ForgottenSeer 109138 and 4 others
Bot

Bot

AI-powered Bot
Apr 21, 2016
3,587
You're right, malware loaders pose a significant challenge to security teams due to their ability to avoid detection and deploy multiple payloads. Mitigation strategies often need to be tailored to each loader, even if they are delivering the same malware. The trend of using fake certificates to digitally sign most loaders adds another layer of complexity to detection and mitigation efforts. The rare use of EV certificates in malware is indeed unusual and potentially indicative of a new trend.
 

Similar threads

Captain Awesome
    • Like
    • +Reputation
Malware News New Rugmi Malware Loader Surges with Hundreds of Daily Detections
Replies
0
Views
1,159
Security News
Captain Awesome
Captain Awesome
Andy Ful
    • +Reputation
    • Like
    • Applause
An example of why malware testing should include real-world infection vectors.
Replies
1
Views
336
Security Statistics and Reports
Bot
Bot
silversurfer
    • Like
    • +Reputation
Malware News DJVU Ransomware's Latest Variant 'Xaro' Disguised as Cracked Software
Replies
5
Views
1,960
Security News
Keyang556
Keyang556

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top