IT Security Guru
Malware Loaders Continue to Evolve, Proliferate

by The Gurus
August 1, 2018
in This Week's Gurus

Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.

Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB) in order to bypass detection by antivirus and other security monitoring technology, loaders continue to evolve, and they remain viable tools for cybercriminals.

Two relatively new loaders, Aurora and Kardon, may be an indication of what kinds of features criminals are trying to incorporate into these bits of malicious code. These new loaders have been advertised on lower-tier Russian-language forums since March and May respectively—most loaders start out on lower-tier Russian forums before they pop up on more elite English-speaking forums—and are more complex than the simpler loaders that are generally preferred by buyers.

Aurora is making buyers take notice, not only because it is advertised as fully undetectable, but also because it allows the creation of resilient botnets by using a system of self-healing bots. Once executed, the loader instructs bots to create three branches of independent botnets, and down the road if it detects that one branch has been compromised, it will self-heal from the other two and spread the loaders to new victims, creating a new botnet. This makes takedowns challenging.

Aurora also comes with relatively standard features for a loader. Its capabilities include a control panel, the ability to classify victims based on location, and the ability to attach multiple files to the initial loader, as well as files from the seller’s and customers’ servers. It can also execute commands from the victim’s command terminal and report system information back to the attacker, or self-delete if detected.

Kardon, meanwhile, arrives on compromised computers with a fully integrated botshop, which is a simple platform that can be used to sell access to bots from the attacker’s botnet to other threat actors. Unlike other feature-heavy loaders, which are usually flamed on underground forums because they increase the risk of detection, Aurora and Kardon are garnering some interest, including mentions of Kardon on top-tier forums.

Loaders are generally the first stage in a compromise, and are spread through a variety of common vectors, including email or drive-by downloads. Unlike their cousins, droppers, loaders do not come pre-packaged with payloads; instead they download them from a remote URL. Updates and new features generally arrive in the early stages of a loader’s development. In some cases, the source code for a particular loader is publicly leaked and several variants begin popping up on different forums.
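The download-then-execute sequence described above is what distinguishes a loader from a dropper on an endpoint, and it is correlatable from ordinary process, network and file telemetry. The following detector is an added example, not code from the IT Security Guru article or from Flashpoint. The `key=value` telemetry format, the field names and every sample event are constructed for illustration (real EDR or Sysmon schemas differ), and the 50 KB threshold is taken from the article's description of traditional loader size. It flags a process only when the full chain occurs in order: a small first-stage binary makes an outbound connection, then writes a new executable, and that executable is then started as its child. A dropper with an embedded payload never performs the network step and so does not match.

```python
"""Correlating loader-like behaviour in constructed endpoint telemetry.

Added example (not the article's or Flashpoint's code). Telemetry format,
field names, paths, addresses and thresholds are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SMALL_IMAGE_BYTES = 50 * 1024  # the article's "smaller than 50 KB" loader heuristic

# Stage a tracked process has reached in the loader chain, in required order.
STARTED, CONNECTED, WROTE_PAYLOAD, RAN_PAYLOAD = range(4)


@dataclass
class ProcessState:
    image: str
    image_size: int
    stage: int = STARTED
    remotes: List[str] = field(default_factory=list)
    payload_path: Optional[str] = None


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' telemetry line (no spaces in values)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_loader_chains(lines: List[str]) -> List[dict]:
    """Return one alert per small process that completed start -> connect -> write exe -> run it."""
    procs: Dict[str, ProcessState] = {}
    for line in lines:
        ev = parse_event(line)
        kind, pid = ev.get("event"), ev.get("pid")
        if kind == "process_start":
            procs[pid] = ProcessState(ev["image"], int(ev["image_size"]))
            # A child whose image is the file its parent fetched completes the parent's chain.
            parent = procs.get(ev.get("ppid"))
            if parent and parent.stage == WROTE_PAYLOAD and ev["image"] == parent.payload_path:
                parent.stage = RAN_PAYLOAD
        elif kind == "net_connect" and pid in procs:
            p = procs[pid]
            p.remotes.append(ev["dst"])
            if p.stage == STARTED:
                p.stage = CONNECTED
        elif kind == "file_write" and pid in procs:
            p = procs[pid]
            is_exe = ev["path"].lower().endswith(".exe") or ev.get("magic") == "MZ"
            # Only an executable written after the connection counts as a fetched payload;
            # a dropper writing its embedded payload before any network activity stays at STARTED.
            if is_exe and p.stage == CONNECTED:
                p.payload_path = ev["path"]
                p.stage = WROTE_PAYLOAD
    return [
        {"pid": pid, "image": p.image, "image_size": p.image_size,
         "remotes": p.remotes, "payload": p.payload_path}
        for pid, p in procs.items()
        if p.stage == RAN_PAYLOAD and p.image_size <= SMALL_IMAGE_BYTES
    ]


# Constructed sample telemetry: pid 100 is loader-like (small, connects, writes, runs);
# pid 200 is a large legitimate-style updater doing the same steps; pid 300 behaves like
# a dropper (small, writes and runs an embedded payload without connecting first).
SAMPLE_TELEMETRY = r"""
ts=1 event=process_start pid=100 ppid=1 image=C:\Users\a\AppData\Local\Temp\invoice.exe image_size=38912
ts=2 event=net_connect pid=100 dst=198.51.100.7:80
ts=3 event=file_write pid=100 path=C:\Users\a\AppData\Roaming\svc.exe magic=MZ
ts=4 event=process_start pid=101 ppid=100 image=C:\Users\a\AppData\Roaming\svc.exe image_size=512000
ts=5 event=process_start pid=200 ppid=1 image=C:\Updater\update.exe image_size=2097152
ts=6 event=net_connect pid=200 dst=203.0.113.9:443
ts=7 event=file_write pid=200 path=C:\Updater\new.exe magic=MZ
ts=8 event=process_start pid=201 ppid=200 image=C:\Updater\new.exe image_size=2000000
ts=9 event=process_start pid=300 ppid=1 image=C:\Users\a\Downloads\photo.exe image_size=40960
ts=10 event=file_write pid=300 path=C:\Users\a\AppData\Local\Temp\x.exe magic=MZ
ts=11 event=process_start pid=301 ppid=300 image=C:\Users\a\AppData\Local\Temp\x.exe image_size=300000
"""


def run_sample() -> List[dict]:
    """Run the detector over the constructed sample; only pid 100 should be returned."""
    return detect_loader_chains(SAMPLE_TELEMETRY.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"loader chain: pid={alert['pid']} image={alert['image']} "
              f"size={alert['image_size']} remotes={alert['remotes']} payload={alert['payload']}")
```

The size filter suppresses the large updater (pid 200) here, but on its own it is a weak signal, since the article notes that newer loaders are growing in complexity; in practice the ordered chain carries the detection, and size, signer status and the reputation of the contacted host are better treated as scoring inputs than as hard gates.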

These updates are a long way from Smoke Loader, which has been distributed since 2011 and has itself been updated and patched numerous times since. Smoke Loader is still used today, and analysts are aware of its use in multiple botnet attacks and infections. As such, this loader serves as an example of a successful loader life cycle. Initially, there were two versions of Smoke: a resident loader that came attached with a malicious payload, and a non-resident version that allowed a threat actor to remotely upload additional payloads.

It immediately gained favour on forums for its size and ability to bypass antivirus and firewall detection. Within months it was advertised on top-tier Russian- and English-speaking forums where sellers and buyers vouched for its capabilities. Smoke’s progression also changed threat actors’ behaviour patterns in the later stages of the loader’s development, to the point where they eventually began to purchase entire botnets rather than acquiring a single bot and spreading the loader themselves. Successful loaders can also become integrated into exploit kits; Smoke, for example, was part of the Rig exploit kit for some time. Some key arrests, however, have stalled the activity around a number of major exploit kits.

Flashpoint analysts believe new loaders such as Aurora and Kardon will travel a similar path as Smoke Loader, beginning on lower-tier forums before reaching the top tier. As the loaders grow in popularity, based on the prior history of loader development and implementation, Flashpoint analysts assess with high confidence that they will likely receive upgrades and new features that keep them relevant in the cybercriminal underground.
