Kardon Loader is advertised in underground markets as an open beta product for sale: the standalone build costs $50, with separate charges for every additional rebuild or for building out a Malware Distribution Network.

The malware strain, dubbed Kardon Loader, lets its customers create their own malware distribution networks; cybercriminals use these networks to build their own botnets for distributing various payloads, including ransomware and Trojans.

The advertisement was first spotted on April 21, 2018, under the same user account, Yattaze, that had advertised the ZeroCool botnet while it was under development.

It has now been rebranded as Kardon Loader, and the author has placed a professional-looking advertisement with its own logo; the author also includes a disclaimer stating that “this software should not be used for malicious purposes”.

Kardon Loader

Security researchers from ASERT discovered the Kardon Loader malware advertisements on underground forums.

Functionality and Analysis – Kardon Loader

According to ASERT, the malware author “initially conducted tests by leveraging a well-known botshop named Pink Panther’s automated loads shop (Pink)”, and the loader was not yet widely distributed.

Kardon Loader Functionalities Advertised by Author

Bot Functionality
Download and Execute Task
Update Task
Uninstall Task
User-mode Rootkit
RC4 Encryption (Not Yet Implemented)
Debug and Analysis Protection
TOR Support
Domain Generation Algorithm (DGA)

For command and control, Kardon Loader uses HTTP-based C2 infrastructure. Its URL parameters are base64 encoded, and it sends HTTP POSTs to the C&C server containing the following fields:

ID = Identification Number
OS = Operating System
PV = User Privilege
IP = Initial Payload (Full Path)
CN = Computer Name
UN = User Name
CA = Processor Architecture
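The field list above is what a defender has to work with when triaging a suspected beacon. The following is an added example, not code from the article or from ASERT: it parses a form-encoded POST body, base64-decodes each value, and counts how many of the seven Kardon fields are present and decodable. The exact wire layout (a form-encoded body with one base64 value per field) and the sample beacon are assumptions constructed for this example; the article only states that the parameters are base64 encoded and sent via HTTP POST.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Field names and descriptions as listed in the article. The wire layout
# (form-encoded body, base64 values) is an assumption for this example.
KARDON_FIELDS = {
    "ID": "Identification Number",
    "OS": "Operating System",
    "PV": "User Privilege",
    "IP": "Initial Payload (Full Path)",
    "CN": "Computer Name",
    "UN": "User Name",
    "CA": "Processor Architecture",
}


def _b64decode_lenient(value: str) -> Optional[str]:
    """Base64-decode a single value, tolerating two common wire quirks:
    a '+' that was turned into a space by form decoding, and stripped
    padding. Returns None when the value is not base64 or not UTF-8."""
    value = value.replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_beacon(body: str) -> Dict[str, Optional[str]]:
    """Parse a form-encoded POST body and base64-decode every value.
    Keys are kept even when decoding fails so the caller can see them."""
    return {k: _b64decode_lenient(v) for k, v in parse_qsl(body, keep_blank_values=True)}


def score_beacon(decoded: Dict[str, Optional[str]]) -> Tuple[int, List[str]]:
    """Return how many of the article's fields are present with a decodable value."""
    matched = [k for k in KARDON_FIELDS if decoded.get(k) is not None]
    return len(matched), matched


def is_kardon_like(body: str, min_fields: int = 5) -> bool:
    """Flag a POST body as Kardon-like when at least min_fields known fields decode."""
    count, _ = score_beacon(decode_beacon(body))
    return count >= min_fields


def describe_beacon(body: str) -> List[str]:
    """Human-readable lines for an analyst, e.g. 'Computer Name: WORKSTATION-01'."""
    decoded = decode_beacon(body)
    return [f"{KARDON_FIELDS[k]}: {decoded[k]}" for k in KARDON_FIELDS if decoded.get(k) is not None]


# Constructed sample beacon (not a real capture): built with urlencode so that
# '+', '/' and '=' inside the base64 values are percent-encoded on the wire.
_SAMPLE_FIELDS = {
    "ID": "1234567890",
    "OS": "Windows 7",
    "PV": "admin",
    "IP": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe",
    "CN": "WORKSTATION-01",
    "UN": "victim",
    "CA": "x86",
}
SAMPLE_BODY = urlencode({k: base64.b64encode(v.encode()).decode() for k, v in _SAMPLE_FIELDS.items()})

# Constructed benign login body for comparison.
BENIGN_BODY = "user=alice&pass=secret"

if __name__ == "__main__":
    for line in describe_beacon(SAMPLE_BODY):
        print(line)
    print("kardon-like:", is_kardon_like(SAMPLE_BODY), is_kardon_like(BENIGN_BODY))
```

The threshold of five fields is a tuning choice: short two-letter parameter names such as ID or OS also occur in legitimate traffic, so matching on the full set of names together with successful base64 decoding keeps false positives down. The `replace(" ", "+")` step matters in practice because a naive form parser turns an unencoded `+` in base64 into a space and silently breaks decoding.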

Kardon Loader contains a simple control panel with a dashboard that shows botnet distribution and install statistics. A notable feature of the admin panel is “the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters.”

Researchers also leveraged a YARA rule, IOCs and command-and-control URLs to block the malicious activity.

Cybercrime continues to be big business: last March, DDoS attack services were advertised in dark web markets for $10 per hour, and code-signing certificates, which prove the integrity of applications, are also sold in dark web markets.
