New BunnyLoader Malware Variant Surfaces with Modular Attack Features
20.3.24  Virus  The Hacker News

Cybersecurity researchers have discovered an updated variant of a stealer and malware loader called BunnyLoader that modularizes its various functions as well as allow it to evade detection.

"BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims," Palo Alto Networks Unit 42 said in a report published last week.

The new version, dubbed BunnyLoader 3.0, was announced by its developer named Player (or Player_Bunny) on February 11, 2024, with rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities.

BunnyLoader was first documented by Zscaler ThreatLabz in September 2023, describing it as malware-as-a-service (MaaS) designed to harvest credentials and facilitate cryptocurrency theft. It was initially offered on a subscription basis for $250 per month.

The malware has since undergone frequent updates that are aimed at evading antivirus defenses as well as expanding on its data gathering functions, with BunnyLoader 2.0 released by the end of the same month.

The third generation of BunnyLoader goes a step further by not only incorporating new denial-of-service (DoS) features to mount HTTP flood attacks against a target URL, but also splitting its stealer, clipper, keylogger, and DoS modules into distinct binaries.

"Operators of BunnyLoader can choose to deploy these modules or use BunnyLoader's built-in commands to load their choice of malware," Unit 42 explained.

Infection chains delivering BunnyLoader have also become progressively more sophisticated, leveraging a previously undocumented dropper to loader PureCrypter, which then forks into two separate branches.

While one branch launches the PureLogs loader to ultimately deliver the PureLogs stealer, the second attack sequence drops BunnyLoader to distribute another stealer malware called Meduza.


"In the ever changing landscape of MaaS, BunnyLoader continues to evolve, demonstrating the need for threat actors to frequently retool to evade detection," Unit 42 researchers said.

The development comes amid the continued use of SmokeLoader malware (aka Dofoil or Sharik) by a suspected Russian cybercrime crew called UAC-006 to target the Ukrainian government and financial entities. It's known to be active since 2011.

As many as 23 phishing attack waves delivering SmokeLoader were recorded between May and November 2023, according to an exhaustive report published by Ukraine's State Cyber Protection Center (SCPC).

"Primarily a loader with added information-stealing capabilities, SmokeLoader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums," Unit 42 said.

Adding to BunnyLoader and SmokeLoader are two new information stealer malware codenamed Nikki Stealer and GlorySprout, the latter of which is developed in C++ and offered for $300 for a lifetime access. According to RussianPanda, the stealer is a clone of Taurus Stealer.

"A notable difference is that GlorySprout, unlike Taurus Stealer, does not download additional DLL dependencies from C2 servers," the researcher said. "Additionally, GlorySprout lacks the Anti-VM feature that is present in Taurus Stealer."

The findings also follow the discovery of a new variant of WhiteSnake Stealer that allows for the theft of critical sensitive data from compromised systems. "This new version has removed the string decryption code and made the code easy to understand," SonicWall said.