Saturday, September 7, 2024
HomeCyber Security NewsNew ManticoraLoader - Malware Attacking Citrix Users To Steal Data

New ManticoraLoader – Malware Attacking Citrix Users To Steal Data

Published on

Cyble Research & Intelligence Labs has recently found information about a new type of malware-as-a-service (MaaS) called ‘ManticoraLoader’ in some underground forums.

Since August 8, 2024, on forums and Telegram, this MaaS service has been offered by the threat group “DeadXInject.”

Advertisement on the Telegram (Source – Cyble)

These actors were also behind the development of the “AresLoader” malware and went after Citrix users back in April 2023. Besides this, they are also connected to the “AiDLocker” ransomware from late 2022.

- Advertisement - EHA

ManticoraLoader is a C-based malware and researchers identified that it has been actively attacking Citrix users to steal data.

Technical Analysis

ManticoraLoader is intended for the Windows platform starting from Windows 7 and further which includes Windows Server too, so it can be very well aimed at various computers.

There is a specific module in the system, which is responsible for gathering information from infected devices, which it transmits back to a centralized control panel. Here below we have mentioned the details it gathers:-

  • IP addresses
  • Usernames
  • System language
  • Installed antivirus software
  • UUIDs
  • Date-time stamps

This information helps the attackers to understand the victim, strategize the next attacks, and ensure that the seized system stays compromised.

It must be noted, that there is a modular aspect to this ManticoraLoader, in that any further features may be inducted on request, which enhances its adaptability to various malicious objectives.

TA’s post on the XSS forum (Source – Cyble)

Besides this, it includes advanced techniques of obfuscation in order to evade detection, which was reported to have a detection rate of 0/39 on Kleenscan.

The loader has the provision to place files in auto-start locations which helps in achieving persistence and is offered at a monthly rental fee of $500, with exclusivity only offered to 10 clients.

Sample of panel interface (Source – Cyble)

The deals are done through the forum’s escrow service or directly using Telegram or TOX.

According to the Report, The loader’s stealth is additionally illustrated with a video demonstrating that the 360 Total Security sandboxing solution is not able to detect it.

Apart from ManticoraLoader, the AresLoader is still actively being used by threat actors.

Threat actors behind AresLoader, DarkBLUP announced the new MaaS, ManticoraLoader possibly to further monetize their success. 

Despite their inactivity for over a year, the advertised features of ManticoraLoader appear similar to AresLoader. 

However, if their claims of improved features are true, this could pose a challenge in detecting stealer and botnet infections, as seen with AresLoader.

ManticoraLoader: New Loader Announced from the Developers of AresLoader

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...