In early September 2023, security researchers discovered a new and evolving Malware-as-a-Service (MaaS) threat called "BunnyLoader." This report provides a detailed analysis of BunnyLoader, its capabilities, and the associated security implications.
BunnyLoader is a malicious software loader written in C/C++ that is available for purchase on underground forums. It is designed to facilitate various cybercriminal activities, including downloading and executing second-stage payloads, stealing sensitive data, manipulating clipboard content, and executing remote commands. BunnyLoader employs advanced anti-sandbox techniques to evade detection and operates with a fileless loading feature that makes it challenging for antivirus solutions to remove it. The malware has been under rapid development since its initial release on September 4, 2023.
Upgrade and New Threat Vector:
BunnyLoader's continuous development is evident through numerous feature updates and bug fixes released between September 4th and September 27th, 2023. These updates address various issues, enhance anti-virus evasion capabilities, and add new functionalities, such as keylogging, cryptocurrency address manipulation, and remote command execution. Additionally, the malware has expanded its target list to include a wider range of sensitive data and has incorporated anti-analysis techniques to improve its stealth.
SIEM Rules Refinement:
To detect and respond to the BunnyLoader threat effectively, it is crucial to refine Security Information and Event Management (SIEM) rules. SIEM rules should be updated to include indicators of compromise (IOCs) associated with BunnyLoader, such as network traffic patterns, system registry changes, and behavioral anomalies. Rules should also incorporate known evasion techniques and signatures.
Indicators of Compromise (IOCs):
- Detecting BunnyLoader requires vigilant monitoring and the use of IOCs. Below are some key IOCs associated with
- Filesystem changes: Check for new registry values, particularly "Spyware_Blocker," in the Run registry key.
- Anti-VM techniques: Look for signs of VM detection, including module checks, VM queries, Docker container checks, and blacklisted sandbox usernames.
- Network traffic patterns: Monitor for HTTP requests to known C2 servers, including specific paths and user agents.
- Data exfiltration: Identify outbound network traffic to suspicious destinations, especially to exfiltrate compressed ZIP archives.
- Keylogger artifacts: Detect the presence of the "Keystrokes.txt" file in the "AppData\Local" directory.
Organisations should develop a multi-layered security strategy to reduce the danger posed by BunnyLoader and like threats:
- User Education: Provide staff with cybersecurity awareness training to inform them of the risks associated with downloading files from dubious sources and clicking on shady links.
- Network security: Use strong firewall and intrusion detection systems to watch for anomalies and known IOCs in network traffic.
- Endpoint Protection: Use current antivirus and anti-malware programmes on all endpoints to ensure endpoint protection. Make that the fileless malware scanning option is enabled in the endpoint security programme.
- Patch management: To address vulnerabilities that malware may exploit, keep operating systems and software programmes updated with the most recent security patches.
- Email Filtering: Use email filtering programmes to stop phishing emails and dangerous attachments.
SIEM and Threat Intelligence: Leverage SIEM solutions to continuously monitor for unusual activity and integrate threat intelligence feeds to stay updated on emerging threats.
- Access Control: Restrict user privileges and access to sensitive systems and data, limiting the impact of successful malware infections.
- Regular Backups: Maintain regular and secure backups of critical data to facilitate recovery in case of data loss due to a malware attack.
BunnyLoader is a dynamic and evolving MaaS threat that poses a significant risk to organizations and individuals. Its continuous development and the wide range of malicious activities it can perform make it a formidable tool for cybercriminals. Staying informed about BunnyLoader's tactics and techniques, refining SIEM rules, and implementing proactive security measures are essential steps to defend against this threat. Organizations must remain vigilant and prepared to respond effectively to emerging threats like BunnyLoader to safeguard their data and systems.