A new and alarming cybersecurity threat has emerged known as BunnyLoader, which operates as a malware-as-a-service (MaaS) offering within the cybercrime underground.
Researchers from Zscaler ThreatLabz have recently analyzed BunnyLoader and uncovered its diverse range of capabilities, including downloading and executing second-stage payloads, stealing browser credentials and system information, and more.
This C/C++-based loader is available for a lifetime license at a price of $250, and it has been continuously evolving since its initial appearance in September 2023. The updates to BunnyLoader have included the integration of anti-sandbox and antivirus evasion techniques.
One of BunnyLoader’s standout features is its fileless loading capability, making it exceptionally challenging for antivirus solutions to detect and remove the malware.
The BunnyLoader campaign is managed through a command-and-control (C2) panel, allowing buyers to monitor active tasks, infection statistics, and the number of connected and inactive hosts, among other things. It also enables remote control of compromised machines and data purging.
The exact method used to distribute BunnyLoader initially remains unclear. However, once it infects a system, it establishes persistence via changes to the Windows Registry and conducts various checks to detect sandbox and virtual machine environments.
The malware then proceeds to send task requests to a remote server and fetches responses, enabling tasks such as downloading and executing additional malware, running a keylogger and data stealer, and redirecting cryptocurrency payments.
Security experts are closely monitoring BunnyLoader due to its continuously evolving tactics and the addition of new features. This MaaS threat poses a significant risk to potential targets, given its advanced capabilities and ability to evade detection, making it crucial for organizations to remain vigilant and adopt robust cybersecurity measures to defend against evolving cyber threats like BunnyLoader.
