Sunday, December 8, 2024
HomeCyber Security NewsNew ManticoraLoader - Malware Attacking Citrix Users To Steal Data

New ManticoraLoader – Malware Attacking Citrix Users To Steal Data

Published on

SIEM as a Service

Cyble Research & Intelligence Labs has recently found information about a new type of malware-as-a-service (MaaS) called ‘ManticoraLoader’ in some underground forums.

Since August 8, 2024, on forums and Telegram, this MaaS service has been offered by the threat group “DeadXInject.”

Advertisement on the Telegram (Source – Cyble)

These actors were also behind the development of the “AresLoader” malware and went after Citrix users back in April 2023. Besides this, they are also connected to the “AiDLocker” ransomware from late 2022.

- Advertisement - SIEM as a Service

ManticoraLoader is a C-based malware and researchers identified that it has been actively attacking Citrix users to steal data.

Technical Analysis

ManticoraLoader is intended for the Windows platform starting from Windows 7 and further which includes Windows Server too, so it can be very well aimed at various computers.

There is a specific module in the system, which is responsible for gathering information from infected devices, which it transmits back to a centralized control panel. Here below we have mentioned the details it gathers:-

  • IP addresses
  • Usernames
  • System language
  • Installed antivirus software
  • UUIDs
  • Date-time stamps

This information helps the attackers to understand the victim, strategize the next attacks, and ensure that the seized system stays compromised.

It must be noted, that there is a modular aspect to this ManticoraLoader, in that any further features may be inducted on request, which enhances its adaptability to various malicious objectives.

TA’s post on the XSS forum (Source – Cyble)

Besides this, it includes advanced techniques of obfuscation in order to evade detection, which was reported to have a detection rate of 0/39 on Kleenscan.

The loader has the provision to place files in auto-start locations which helps in achieving persistence and is offered at a monthly rental fee of $500, with exclusivity only offered to 10 clients.

Sample of panel interface (Source – Cyble)

The deals are done through the forum’s escrow service or directly using Telegram or TOX.

According to the Report, The loader’s stealth is additionally illustrated with a video demonstrating that the 360 Total Security sandboxing solution is not able to detect it.

Apart from ManticoraLoader, the AresLoader is still actively being used by threat actors.

Threat actors behind AresLoader, DarkBLUP announced the new MaaS, ManticoraLoader possibly to further monetize their success. 

Despite their inactivity for over a year, the advertised features of ManticoraLoader appear similar to AresLoader. 

However, if their claims of improved features are true, this could pose a challenge in detecting stealer and botnet infections, as seen with AresLoader.

ManticoraLoader: New Loader Announced from the Developers of AresLoader

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...