New ManticoraLoader – Malware Attacking Citrix Users To Steal Data

Cyble Research & Intelligence Labs has recently found information about a new type of malware-as-a-service (MaaS) called ‘ManticoraLoader’ in some underground forums.

Since August 8, 2024, on forums and Telegram, this MaaS service has been offered by the threat group “DeadXInject.”

These actors were also behind the development of the “AresLoader” malware and went after Citrix users back in April 2023. Besides this, they are also connected to the “AiDLocker” ransomware from late 2022.

ManticoraLoader is a C-based malware and researchers identified that it has been actively attacking Citrix users to steal data.

Technical Analysis

ManticoraLoader is intended for the Windows platform starting from Windows 7 and further which includes Windows Server too, so it can be very well aimed at various computers.

There is a specific module in the system, which is responsible for gathering information from infected devices, which it transmits back to a centralized control panel. Here below we have mentioned the details it gathers:-

• IP addresses
• Usernames
• System language
• Installed antivirus software
• UUIDs
• Date-time stamps

This information helps the attackers to understand the victim, strategize the next attacks, and ensure that the seized system stays compromised.

It must be noted, that there is a modular aspect to this ManticoraLoader, in that any further features may be inducted on request, which enhances its adaptability to various malicious objectives.

Besides this, it includes advanced techniques of obfuscation in order to evade detection, which was reported to have a detection rate of 0/39 on Kleenscan.

The loader has the provision to place files in auto-start locations which helps in achieving persistence and is offered at a monthly rental fee of $500, with exclusivity only offered to 10 clients.

The deals are done through the forum’s escrow service or directly using Telegram or TOX.

According to the Report, The loader’s stealth is additionally illustrated with a video demonstrating that the 360 Total Security sandboxing solution is not able to detect it.

Apart from ManticoraLoader, the AresLoader is still actively being used by threat actors.

Threat actors behind AresLoader, DarkBLUP announced the new MaaS, ManticoraLoader possibly to further monetize their success. 

Despite their inactivity for over a year, the advertised features of ManticoraLoader appear similar to AresLoader. 

However, if their claims of improved features are true, this could pose a challenge in detecting stealer and botnet infections, as seen with AresLoader.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download