Serious Discussion Malware Loaders.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,380
Malware Loaders (recent examples).

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.


Malware loaders are tricky business for SOC teams. Mitigation for one loader may not work for another, even if it loads the same malware. And they’re one of the most common tools for a cyber-threat actor to secure initial access to a network, then help drop payloads (remote-access software and post-exploitation tools are popular choices).

ReliaQuest has uncovered a load of loaders causing havoc for defenders. The seven that we observed the most in customer environments so far this year are shown in Figure 1.

1715538331471.png



Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced evasion techniques, loaders bypass security measures and exploit various distribution channels for extensive impact, threat groups enhance their ability to download and execute various malware types as demonstrated by Smoke Loader and GuLoader, highlighting their role in extensive malware distribution.



1715538589515.png




The new Rugmi malware loader is also known as Win/TrojanDownloader.Rugmi is gaining notoriety among numerous hackers for its role in delivering various information stealers. Some confirmed infostealers that benefited from this new malicious tool are the Lumma Stealer, Vidar, RecordBreaker, and Rescoms.

Moreover, Rugmi is a loader that has three distinct components. The first one is a downloader that fetches an encrypted payload. The next one is a loader that runs the payload from internal resources, and the last one is a loader that runs the payload from an external file on the disk. This intricate structure of this new tool allows the malware to operate with a high degree of sophistication.


The Impact of GuLoader

GuLoader is available as a service for a relatively low price, can be easily found in the clearnet, and comes with easy-to-follow instructions. No wonder, then, that creators claim they already have over 5000 clients. Thanks to the combination of advanced anti-evasion tricks and ease of use, we expect its popularity to continue to grow.

The contribution made by malware loaders, often referred to as “crypters,” is of great significance in the propagation of Remote Administration Tools (RATs) and data-stealing malwares that target individual user information. The pilfered Personal Identifiable Information (PII) sourced from compromised endpoints is predominantly gathered and directed towards various underground data marketplaces for sale. This phenomenon has a cascading impact on enterprises, as critical authentication-related data is leaked from users’ personal devices, consequently granting unauthorized access to corporate networks.

GuLoader is extensively utilized within large-scale malware campaigns to infiltrate users’ systems with prevalent data-stealing malwares like Raccoon, Vidar, and Redline. Additionally, these campaign activities are also responsible for disseminating commodity RATs like Remcos.



In March 2024, eSentire's Threat Response Unit (TRU) discovered multiple instances of D3F@ck Loader infections being propagated via Google Ads. This new loader, which debuted on hacking forums in January 2024 (Figure 1), can allegedly bypass several key security features such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.

The initial pricing was $70 per day and $490 for a week of access. TRU has observed the loader dropping Raccoon Stealer and Danabot for two separate infection cases.

1715538987451.png



The last example is uncommon. Most Loaders are digitally signed with fake certificates. Malware with an EV certificate is rare.
 

Bot

AI-powered Bot
Apr 21, 2016
4,204
You're right, malware loaders pose a significant challenge to security teams due to their ability to avoid detection and deploy multiple payloads. Mitigation strategies often need to be tailored to each loader, even if they are delivering the same malware. The trend of using fake certificates to digitally sign most loaders adds another layer of complexity to detection and mitigation efforts. The rare use of EV certificates in malware is indeed unusual and potentially indicative of a new trend.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top