Executive Summary
AresLoader is a loader malware-as-a-service (MaaS) active in the wild since at least November 2022. AresLoader is designed to masquerade as legitimate software, while covertly downloading malicious payloads.
Key Takeaways
- AresLoader is a loader malware-as-a-service (MaaS) active in the wild since at least November 2022.
- AresLoader is designed to masquerade as legitimate software, while covertly downloading malicious payloads.
- The threat actors behind AresLoader are thought to be affiliated with a Russia nexus hacktivist group.
- AresLoader has been observed dropping multiple malware families, including StealC, SystemBC, LummaStealer, IcedID, Aurora Stealer, and Laplas Clipper.
What is AresLoader?
AresLoader is a loader malware-as-a-service (MaaS) active in the wild since at least November 2022. AresLoader is designed to masquerade as legitimate software, while covertly downloading malicious payloads. Intel471 previously reported on AresLoader.
AresLoader was first announced on Telegram in late 2022 by a user known as AiD Lock aka DarkBLUP. It is sold for $300 USD per month on various hacking forums. The threat actors behind AresLoader are thought to be affiliated with PHANTOM DEV, which has claimed to be affiliated with Red Hackers Alliance Russia.
AresLoader is written in C/C++ and was advertised as undetectable by Windows Defender. The monthly $300 USD fee gives a buyer five builds that are advertised as manually packed. The AresLoader panel offers an optional binder service, merging a legitimate file with the malicious loader. This allows AresLoader to masquerade as a legitimate file, such as an installer for popular software.
The binder writes a stub launcher that launches the legitimate executable then writes a batch file to disk and executes it with cmd.exe. The .bat file contains three PowerShell commands that perform the following tasks:
- Add C:\ to the Windows Defender exclusion paths.
- Fetch a malicious payload hosted at a remote URL.
- Fetch and launch a .bat file that uses rundll32.exe to execute the target payload.
On execution, AresLoader checks to see if it is running as administrator. If not, it attempts privilege escalation using the ShellExecuteA API and the runas command. To maintain persistence, AresLoader sets a scheduled task and adds a registry key.
AresLoader has been distributed in several campaigns, being dropped by other malware, such as SystemBC, Raccoon Stealer, and Amadey. AresLoader is also known to drop other malware or to be installed alongside other malware, including StealC, SystemBC, LummaStealer, IcedID, Aurora Stealer, and Laplas Clipper. Earlier this year, Cyble found evidence of a GitLab repository distributing AresLoader. The repository was masquerading as “citrixproject”, which is possibly indicative of the threat actors targeting Citrix users.
IOCs
PolySwarm has multiple samples of AresLoader, including a First Seen sample.
839cef8414117e4181cb87b998e90fb3dad81463f8c219966cb59147e2d7c2cb (First Seen)
7f53135e532f1799d5c77727e47bf8f25a0c1381e9684c9c9fb2d2d0cd0ab2e4
B280e418cc13c8f1efe66c8c5f4b83e0a544ddbb9d0c460e24d279b93a22c5b3
40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b
169c70fc77814578aa83b3a666eb674c49e60ac6964b040de9b1e51c5966bf56
7572b5b6b1f0ea8e857de568898cf97139c4e5237b835c61fea7d91a6f1155fb
F46b9aeafe296ebbad909e927fad26a21b05fbbc68cb446299c224fd27ea7fb0
812d4d9446b7962344e389b9498d08dabce1c9113bb18f554633da7e5992c4a3
5c5829697e65e815e41670a142a90251297f8cff94282837c09443b9c1ebad26
You can use the following CLI command to search for all AresLoader samples in our portal:
$ polyswarm link list -f AresLoader
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
