Ethical Hacking News
A new stealthy malware loader called BabbleLoader has been spotted delivering the WhiteSnake and Meduza stealers, making it a significant threat to organizations and a serious challenge for security teams. According to Intezer researchers, the loader is designed to bypass antivirus and sandbox environments with ease, using a range of evasion techniques to avoid detection.
BabbleLoader is a new stealthy malware loader that bypasses antivirus and sandbox environments with ease. It delivers stealers such as WhiteSnake and Meduza, which exfiltrate sensitive data from infected systems. BabbleLoader is used in campaigns targeting English- and Russian-speaking individuals, primarily by tricking users into installing the malware themselves. Loaders have become a prevalent method of delivering malware, sidestepping traditional antivirus defenses with evasion techniques. BabbleLoader uses junk code and metamorphic transformations to bypass detection systems, and the excessive noise it adds can crash analysis tools, forcing manual analysis. The loader's per-sample variation in structure and metadata forces AI models to continuously re-learn what to look for, leading to missed detections or false positives.
In a recent development that has sent shockwaves through the cybersecurity community, researchers at Intezer have identified a new stealthy malware loader called BabbleLoader. This malicious software is designed to bypass antivirus and sandbox environments with ease, making it difficult for security software to detect and remove. According to Ryan Robinson, an Intezer security researcher, BabbleLoader is "an extremely evasive loader, packed with defensive mechanisms, that is designed to deliver stealers into memory."
The BabbleLoader malware loader has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. These types of malware are notorious for stealing sensitive data from infected systems, including login credentials, credit card numbers, and other personally identifiable information.
Evidence suggests that BabbleLoader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software. This tactic is designed to trick users into installing the malware, which can then deliver a range of malicious payloads.
Loaders have become an increasingly prevalent method to deliver malware, such as stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a bevy of anti-analysis and anti-sandboxing features. This is evidenced in the steady stream of new loader families that have emerged in recent years, including but not limited to Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader.
The BabbleLoader malware loader stands out from its predecessors due to its extensive use of evasion techniques designed to fool both traditional and AI-based detection systems. This encompasses the use of junk code and metamorphic transformations that modify the loader's structure and flow to bypass signature-based and behavioral detections. Furthermore, the excessive addition of meaningless, noisy code causes disassembly or decompilation tools like IDA, Ghidra, and Binary Ninja to crash, forcing a manual analysis.
"Each build of the loader will have unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow," Robinson said. "Each sample is structurally unique with only a few snippets of shared code. Even the metadata of the file is randomized for each sample."
"This constant variation in code structure forces AI models to continuously re-learn what to look for — a process that often leads to missed detections or false positives," he concluded.
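The two quotes above describe why per-build randomization hurts detection: a hash or signature taken from one sample never matches the next build. The following Python snippet is an added illustration written for this article, not code from Intezer or from the loader itself. It constructs toy "builds" with randomized metadata and junk bytes around one small shared code fragment (the `SHARED_SNIPPET` bytes and the `build_variant` layout are hypothetical stand-ins), then compares a hash-based indicator against a match on the shared fragment.

```python
import hashlib
import random

# Hypothetical stand-in for the "few snippets of shared code" the researchers
# describe. This byte sequence is constructed for the demo and is NOT taken
# from BabbleLoader.
SHARED_SNIPPET = bytes.fromhex("4889e54883ec20")


def build_variant(seed: int) -> bytes:
    """Construct one toy 'build': randomized metadata header, random junk
    bytes before and after, and the shared snippet buried at a random offset.
    This mimics per-sample randomization; it is not the real loader's layout."""
    rng = random.Random(seed)
    metadata = f"BUILD-{rng.randrange(10**6)}".encode()
    junk_before = bytes(rng.randrange(256) for _ in range(rng.randrange(16, 64)))
    junk_after = bytes(rng.randrange(256) for _ in range(rng.randrange(16, 64)))
    return metadata + b"\x00" + junk_before + SHARED_SNIPPET + junk_after


def sha256_hex(blob: bytes) -> str:
    """File hash as it would appear in a hash-based IoC feed."""
    return hashlib.sha256(blob).hexdigest()


def hash_ioc_match(blob: bytes, known_hashes: set[str]) -> bool:
    """Hash-based indicator: matches only the exact file already seen."""
    return sha256_hex(blob) in known_hashes


def snippet_match(blob: bytes, snippet: bytes = SHARED_SNIPPET) -> bool:
    """Content-based indicator keyed on the invariant shared code fragment,
    the kind of thing a YARA rule would encode."""
    return snippet in blob


def evaluate(sample_count: int = 5) -> dict:
    """Generate sample_count builds, derive a hash IoC from the first one, and
    count how many builds each detection approach catches."""
    variants = [build_variant(seed) for seed in range(sample_count)]
    known_hashes = {sha256_hex(variants[0])}  # IoC from the first captured sample
    return {
        "samples": sample_count,
        "unique_hashes": len({sha256_hex(v) for v in variants}),
        "hash_ioc_hits": sum(hash_ioc_match(v, known_hashes) for v in variants),
        "snippet_hits": sum(snippet_match(v) for v in variants),
    }


if __name__ == "__main__":
    # Expected: every build has a distinct hash, the hash IoC catches only
    # the build it was derived from, the shared-snippet match catches all.
    print(evaluate())
```

The hash IoC catches exactly one of the five builds, while the match on the shared fragment catches all of them and ignores an unrelated benign blob. The caveat is that a fixed byte pattern is itself brittle against metamorphic rewriting of the kind the article describes, so in practice the invariant worth keying on is often behavior (what the loader does in memory) rather than any particular byte sequence.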
The loader, at its core, is responsible for loading shellcode that decrypts and hands off to the next stage, a Donut loader, which in turn unpacks and executes the stealer malware. This allows the malware to steal sensitive data from infected systems, including login credentials, credit card numbers, and other personally identifiable information.
The development comes as Rapid7 detailed a new malware campaign that distributes a new version of LodaRAT that's equipped to steal cookies and passwords from Microsoft Edge and Brave, in addition to gathering all kinds of sensitive data, delivering more malware, and granting remote control of compromised hosts. It's been active since September 2016.
The cybersecurity company said it "spotted new versions being distributed by Donut loader and Cobalt Strike," and that it "observed LodaRAT on systems infected with other malware families like AsyncRAT, Remcos, XWorm, and more." That said, the exact relationship between these infections remains unclear.
It also follows the discovery of Mr.Skeleton RAT, a new malware based on njRAT, that has been advertised on the cybercrime underground and comes with functionality for "remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, as well as remote control of the devices' camera."
In conclusion, the BabbleLoader malware loader represents a significant threat to cybersecurity professionals and organizations around the world. Its extensive use of evasion techniques designed to fool both traditional and AI-based detection systems makes it difficult for security software to detect and remove.
Related Information:
https://thehackernews.com/2024/11/new-stealthy-babbleloader-malware.html
https://securitricks.com/attackreports/the-abuse-of-itarian-rmm-by-dolphin-loader
https://otx.alienvault.com/pulse/66c3479768ec16f58ae7dfe7
https://any.run/malware-trends/xworm
https://thehackernews.com/2023/09/inside-code-of-new-xworm-variant.html
https://cybermaterial.com/new-njrat-malware-variant-found-in-the-wild/
Published: Mon Nov 18 13:28:43 2024 by llama3.2 3B Q4_K_M