| ManticoraLoader | |
| --- | --- |
| Type of Malware | Dropper |
| Date of Initial Activity | 2024 |
| Additional Names | AresLoader |
| Associated Groups | DarkBLUP |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
ManticoraLoader, a new malware-as-a-service (MaaS), has recently emerged on underground forums, drawing attention for its advanced features and broad compatibility. Developed by the same threat group behind the notorious AresLoader, ManticoraLoader introduces an array of capabilities designed to enhance the stealth, persistence, and adaptability of cyberattacks. The group, known as DeadXInject, first announced the service on August 8, 2024, via Telegram and various underground platforms. While the new loader shares similarities with its predecessor, AresLoader, it also promises improved evasion techniques and a more customizable framework, making it a potent tool for cybercriminals.
One of the key attractions of ManticoraLoader is its modular design, which allows it to be tailored to specific malicious objectives. It is compatible with a wide range of operating systems, including Windows 7 and later versions, as well as Windows Server, making it applicable to both older and newer systems. This versatility enables it to target a broad spectrum of potential victims, from outdated systems to those still in active use today. ManticoraLoader also boasts a powerful reconnaissance module that gathers detailed information about infected systems, including IP addresses, usernames, antivirus software, and system languages. This information is sent back to a centralized control panel, where attackers can fine-tune their subsequent operations based on the data they collect.
Targets
Information
Individuals
How they operate
At the core of ManticoraLoader is its ability to gather detailed system information from infected devices. Once executed, the loader performs an initial reconnaissance phase, collecting data such as the system’s IP address, username, antivirus software, system language, and a unique identifier (UUID). This information is then sent back to a centralized control panel, where attackers can assess the profile of each infected device. This data enables threat actors to customize their attacks, select the most suitable payloads, and refine their methods based on the victim’s environment. By collecting and analyzing this data, ManticoraLoader enhances the precision of subsequent malicious actions, such as the deployment of additional malware or exploitation of specific vulnerabilities.
One of the notable features of ManticoraLoader is its robust persistence mechanisms. The malware can place itself in auto-start locations, ensuring it executes automatically on every system reboot, so a simple restart does nothing to remove it. The loader’s modularity further enhances its ability to adapt to different attack scenarios. New modules can be added or requested by the threat actors, allowing them to expand the loader’s functionality to meet specific objectives, such as data exfiltration, deploying ransomware, or establishing a botnet. This flexibility is particularly advantageous for long-term attacks that require adaptability and sustained control over compromised systems.
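One way a defender can audit the auto-start locations described above, as an added example that is not code from this page or from any analysis of the loader: the script walks the standard Run/RunOnce keys and Startup folders and flags entries whose target is missing, unsigned, or launched from a user-writable directory. The registry paths and folders are standard Windows locations; nothing in it is derived from ManticoraLoader samples.

```powershell
# Added example, not from the original page: audit the auto-start locations a dropper
# like ManticoraLoader uses to survive reboots, flagging entries whose target is missing,
# unsigned, or located in a user-writable directory. Assumes an elevated Windows
# PowerShell 5.1+ session on the host under review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
# Locations an unprivileged user can write to; a phishing-delivered loader usually
# lands here rather than under Program Files or System32.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
function Get-ImagePath([string]$Command) {
    # Expand %VARS% and strip quotes/arguments: "C:\x\a.exe" /s  ->  C:\x\a.exe
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}
function Test-AutostartEntry([string]$Source, [string]$Name, [string]$Command) {
    $path = Get-ImagePath $Command
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($path) -or -not (Test-Path -LiteralPath $path)) {
        $reasons += 'target missing'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        foreach ($dir in $userWritable) {
            if ($dir -and $path.StartsWith($dir, 'OrdinalIgnoreCase')) { $reasons += "user-writable path ($dir)"; break }
        }
    }
    [PSCustomObject]@{ Source = $Source; Name = $Name; Target = $path
                       Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { Test-AutostartEntry $key $p.Name ([string]$p.Value) }   # skip PSPath etc.
    }
})
$shell = New-Object -ComObject WScript.Shell   # resolves .lnk shortcuts found in Startup folders
$findings += @(foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        Test-AutostartEntry $dir $f.Name $target
    }
})
$findings | Where-Object Suspicious | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: legitimate updaters also run unsigned helpers from AppData, so compare the hit against a known-good baseline before removing it.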
In terms of detection evasion, ManticoraLoader utilizes advanced obfuscation techniques, making it challenging for traditional antivirus software and security tools to identify and neutralize it. The loader has been observed to have a detection rate of 0/39 on Kleenscan, an indication of its stealth capabilities. This low detection rate suggests that the malware employs a variety of obfuscation methods, including packing and encryption, to conceal its malicious payload. The loader’s code is deliberately designed to avoid triggering signatures or heuristic-based detections, allowing it to infiltrate systems without raising alarms. Additionally, ManticoraLoader includes features to bypass sandbox environments, as demonstrated in a video shared by the threat actors, which showcases the loader’s ability to evade detection by 360 Total Security’s sandbox solution. This sandbox evasion is critical in ensuring that the loader can operate undetected, even in environments designed to analyze and flag malicious activity.
ManticoraLoader’s architecture is designed to be both flexible and stealthy, with a focus on persistence, data collection, and evasion. It functions as a highly customizable and evasive tool that can be employed by cybercriminals for a variety of attack strategies, from exploiting system vulnerabilities to establishing footholds for subsequent malware deployment. Its ability to bypass traditional detection methods, coupled with its persistence mechanisms, makes it a formidable tool in the hands of threat actors. As the malware continues to evolve, its presence in cybercriminal forums and its growing popularity among attackers suggest that it will remain a significant threat in the landscape of MaaS offerings, with implications for both organizations and individual users. Security teams must remain vigilant and employ advanced detection techniques to combat this emerging threat.