Saturday, December 14, 2024
HomeCyber Security NewsBunnyLoader 3.0 Detected With Advanced Keylogging Capabilities

BunnyLoader 3.0 Detected With Advanced Keylogging Capabilities

Published on

SIEM as a Service

BunnyLoader is a rapidly developing malware that can steal information, credentials, and cryptocurrencies while also delivering new malware to its victims.

Since its first detection in September 2023, the BunnyLoader malware as a service (MaaS) has regularly enhanced its features. 

According to Palo Alto Networks, the consistent improvements of tactics, techniques, and procedures (TTPs) such as infrastructure, packers, encryption, and exfiltration methods aid in the attacker’s ability to avoid detection. 

- Advertisement - SIEM as a Service

It also aims to impede cybersecurity researchers’ capacity to identify and evaluate the actions of threat actors. 

The threat actor responsible for BunnyLoader declared the release of BunnyLoader 3.0 on February 11, 2024, claiming that the malware has been “completely redesigned and enhanced by 90%.”

The threat actor asserts that BunnyLoader payloads have been improved to include:

  • Payloads/modules “completely rewritten for improved performance”
  • Reduced payload size
  • Advanced keylogging capabilities

Evolution Of BunnyLoader

BunnyLoader has developed at a quick pace. Version 1.0, marketed as a C/C++ loader malware and MaaS botnet on the dark web. 

The “Player” or “Player_Bunny” threat actor is the one responsible for this malware. The malware’s creator prohibits deploying it on Russian systems.

By September 2023’s end, BunnyLoader had a rapid retooling. BunnyLoader 2.0 was released by the author and seen in the wild by the end of September.

A “private” version of the malware was made available by the creator in October for $350. In contrast to the initial release, the creator concealed this private version and released frequent updates to circumvent antivirus protections

Specifics Of BunnyLoader 3.0

Senior threat intelligence researcher @RussianPanda9xx publicly shared the release of BunnyLoader 3.0 on X (Twitter).

BunnyLoader 3.0, the most recent version, employs a distinct directory structure on its C2 servers.

The actual malicious payload in BunnyLoader 3.0 is delivered by the threat actor using a dropper that is incorporated with the BunnyLoader malware and is sent via a CMD file.

X (formerly known as Twitter) post by threat intelligence researcher @RussianPanda

When downloading the BunnyLoader 3.0 modules, researchers discovered the following URL structure.

BunnyLoader 3.0 module URLs

Advanced KeyLogging Capabilities

“The BunnyLoader 3.0 keylogger records all keystrokes, saving them to log files in the %localappdata%\Temp folder.

Palo Alto Networks researchers shared with Cyber Security News that the keylogger also attempts to identify when the victim authenticates to sensitive applications or services.

BunnyLoader keylogger log file locations

Additionally, the BunnyLoader 3.0 stealer module operates independently, exfiltrated data directly into the C2 server, and stole passwords.

Using a particular communication routine, the BunnyLoader 3.0 clipper module occasionally checks in with the C2.

By providing the target with the name of a cryptocurrency wallet and the associated wallet address that the threat actor controls, the C2 triggers the clipper.

The BunnyLoader 3.0 DoS module uses a particular communication procedure to wait for commands from the C2.

The module can be instructed by the C2 to launch an HTTP flood attack using the GET or POST protocol against a given URL.

Hence, by revealing these changing strategies and the dynamic nature of the threat, users must be better equipped to strengthen their defenses and safeguard their assets.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...