Researchers at Cyble Research and Intelligence Labs (CRIL) have identified a new loader used to install and run additional malware on targeted systems. According to a Cyble blog, the program, named ‘AresLoader’, was used to download and execute other malware including IcedID and Lumma Stealer, as shown below:
Details of the loader: AresLoader
The AresLoader is written in the C programming language and was discovered in 2022. Cybercrime forums and a Telegram channel were found endorsing this loader on a Malware-as-a-Service (MaaS) model. It is available for rent at a rate of $300 a month, along with 5 rebuilds.
The advertisement on cybercrime forums says the service is provided manually, and that a rebuild is priced at $50. After purchasing a license, buyers become users of the cybercrime forums, the endorsement for AresLoader read.
It was confirmed by CRIL researchers that AresLoader was developed by cybercriminals who worked on the AiD Locker ransomware.
Anti-detection mechanism of AresLoader
One of AresLoader's main objectives is to avoid detection by encrypting or obfuscating its payload, which makes it difficult for antivirus and other detection tools to identify it while it is running on the system.
AresLoader is still a work in progress: inconsistent code-extraction and injection methods were seen across its binary. This is also thought to be a manoeuvre to avoid detection.
Upon execution, AresLoader calls the CreateWindowEx() API. The window procedure function registered for this window was found to contain no malicious code, possibly to evade detection. The loader also uses API hashing to complicate detection and analysis, Cyble noted in its blog.
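API hashing means the loader never stores plain import names such as "CreateWindowExW"; it stores a numeric hash of each name and, at run time, hashes the exports of the loaded DLLs until one matches. The analyst's counter-move is to hash a candidate list of export names with the same routine and look the recovered constants up. The Python below is an added example written for this article, not code from Cyble or from AresLoader; the ROR-13 routine, the candidate list and the "recovered" constants are assumptions chosen for illustration, since the article does not state which hash AresLoader uses.

```python
"""Resolve hashed Windows API names back to plaintext for malware analysis.

Added example (not Cyble's or AresLoader's code).
ASSUMPTION: the hash routine (rotate-right-13 over each ASCII byte, a
textbook variant) and the constants in SAMPLE_HASHES are illustrative;
substitute the routine recovered from the sample under analysis.
"""


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Hash an export name: h = ror13(h) + byte, for each byte, 32-bit wrap."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


# Constructed candidate list. In practice, dump the export tables of
# kernel32.dll, ntdll.dll, user32.dll and so on, and feed every name in.
CANDIDATE_EXPORTS = [
    "CreateWindowExW", "ZwAllocateVirtualMemory", "VirtualAlloc",
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
]


def build_hash_table(names):
    """Map hash -> export name; warn on collisions so a wrong match is not silently accepted."""
    table = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            print(f"warning: collision 0x{h:08x}: {table[h]} / {n}")
        table[h] = n
    return table


def resolve(hashes, table):
    """Return {hash: name} with '<unresolved>' for constants not in the table."""
    return {h: table.get(h, "<unresolved>") for h in hashes}


# Constructed stand-ins for constants an analyst would read out of the
# disassembly; computed here so the example is self-consistent offline.
SAMPLE_HASHES = [
    ror13_hash("ZwAllocateVirtualMemory"),
    ror13_hash("CreateWindowExW"),
    0xDEADBEEF,  # deliberately unknown, to show the unresolved path
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    for h, name in resolve(SAMPLE_HASHES, table).items():
        print(f"0x{h:08x} -> {name}")
```

The value of this for detection is the rebuilt picture of what the loader can do: once the hashes resolve to memory-allocation and file-creation APIs, the behaviours listed later in the article can be matched against the sample even though its import table is empty.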
Distribution of the AresLoader
The AresLoader was distributed to buyers via a GitLab repository found at – hxxps[:]//gitlab.com/citrixchat-project/citrixproject/ as shown below:
Disguised as a Citrix project, the loader was distributed openly on a public GitLab repository. This might be because the cybercriminals were aiming to target Citrix users with the AresLoader. Named AG.exe, AresLoader would download the LummaStealer and IcedID payloads.
Citrix is a United States-based multinational cloud computing company with over 9,700 employees.
Both LummaStealer and IcedID steal information from systems and were distributed using phishing emails. While the former has been observed targeting YouTube users, the latter was programmed to attack the Zoom application.
Technical details of AresLoader
- AresLoader is a 32-bit binary executable (SHA-256)
- It allocates a memory region with read, write and execute permissions using the function ZwAllocateVirtualMemory().
- It collects the IP address of the targeted device and steals other data from it.
- It creates a folder in the AppData\Roaming directory to save the newly downloaded payloads.
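Two of the indicators above, an RWX allocation through ZwAllocateVirtualMemory() and a fresh folder under AppData\Roaming that then receives a dropped file, are observable in a sandbox or API-monitor trace. The Python below is an added example, not code from Cyble or from AresLoader, that scans such a trace and reports per process. The "pid=... api=... key=value" line format and the sample lines are constructed for this example; a real sandbox prints its own format and the parser must be adapted to it (for instance, paths containing spaces would need quoting in this simple parser).

```python
"""Flag AresLoader-style behaviours in an API-call trace.

Added example (not Cyble's or AresLoader's code).
ASSUMPTION: the trace format and SAMPLE_TRACE are constructed; adapt
parse_line() to the real output of the sandbox in use.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant for RWX
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
LINE_RE = re.compile(r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s*(?P<args>.*)")

# Constructed trace: pid 4120 shows the two indicators, pid 5200 is benign.
SAMPLE_TRACE = """\
pid=4120 api=CreateWindowExW class=STATIC
pid=4120 api=ZwAllocateVirtualMemory size=0x3000 protect=0x40
pid=4120 api=CreateDirectoryW path=C:\\Users\\victim\\AppData\\Roaming\\svc_upd
pid=4120 api=CreateFileW path=C:\\Users\\victim\\AppData\\Roaming\\svc_upd\\payload.dll
pid=5200 api=ZwAllocateVirtualMemory size=0x1000 protect=0x04
pid=5200 api=CreateFileW path=C:\\Users\\victim\\Documents\\notes.txt
"""


def parse_line(line):
    """Parse one trace line into {'pid', 'api', 'args'} or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("args").split() if "=" in kv)
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def analyse(trace: str):
    """Return {pid: [finding, ...]} for every process that shows an indicator."""
    findings = defaultdict(list)
    roaming_dirs = defaultdict(set)  # directories each pid created under Roaming
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "ZwAllocateVirtualMemory":
            if int(a.get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE:
                findings[pid].append(f"RWX allocation of {a.get('size')} bytes")
        elif api == "CreateDirectoryW" and ROAMING_RE.search(a.get("path", "")):
            roaming_dirs[pid].add(a["path"].lower())
            findings[pid].append(f"new directory under AppData\\Roaming: {a['path']}")
        elif api == "CreateFileW":
            path = a.get("path", "").lower()
            if any(path.startswith(d + "\\") for d in roaming_dirs[pid]):
                findings[pid].append(f"file dropped into that directory: {a['path']}")
    return dict(findings)


def verdict(process_findings):
    """RWX memory plus a drop into a self-created Roaming folder is the combination worth escalating."""
    has_rwx = any(f.startswith("RWX") for f in process_findings)
    has_drop = any(f.startswith("file dropped") for f in process_findings)
    if has_rwx and has_drop:
        return "suspicious"
    return "review" if process_findings else "clean"


if __name__ == "__main__":
    for pid, items in analyse(SAMPLE_TRACE).items():
        print(f"pid {pid}: {verdict(items)}")
        for f in items:
            print("  -", f)
```

An RWX allocation on its own is noisy (JIT compilers do it legitimately), which is why the verdict only escalates when it co-occurs with a file written into a directory the same process just created under AppData\Roaming.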