
BabbleLoader

Written by The Hivemind | Nov 29, 2024 5:54:44 PM

Related Families: WhiteSnake, Meduza
Verticals Targeted: Finance, Business Administration

Executive Summary

BabbleLoader is a new stealthy, metamorphic loader that was recently observed delivering stealers, including WhiteSnake and Meduza.

Key Takeaways

  • BabbleLoader is a new stealthy, metamorphic loader that was recently observed delivering stealers, including WhiteSnake and Meduza.
  • Its defensive mechanisms allow BabbleLoader to evade detection and identify sandbox environments.
  • Each BabbleLoader build uses unique strings, metadata, hashes, code, encryption, and control flow.
  • BabbleLoader uses a variety of junk code designed to crash disassembly and decompilation tools, forcing malware researchers to use manual analysis techniques.

What is BabbleLoader?

BabbleLoader is a new stealthy, metamorphic loader that was recently observed delivering stealers, including WhiteSnake and Meduza. BabbleLoader has been observed targeting English- and Russian-speaking users. Targets have included users downloading cracked software as well as administrative and financial professionals. Intezer reported on BabbleLoader. PolySwarm analysts consider BabbleLoader to be an emerging threat.

BabbleLoader is a new loader family that is extremely evasive. It employs advanced defensive mechanisms, allowing it to evade both traditional and AI-based antivirus detection, as well as sandbox environments. It uses a Donut loader to execute stealers in memory, making it more difficult to detect. Each BabbleLoader build uses unique strings, metadata, hashes, code, encryption, and control flow. This makes each sample unique, with only a small portion of shared code.

BabbleLoader uses dynamic API resolution, allowing it to sidestep API monitoring. To thwart static analysis, it resolves only the functions it needs, and only at runtime. It also uses a variety of junk code designed to crash disassembly and decompilation tools like IDA, Ghidra, and Binary Ninja, forcing malware researchers to fall back on manual analysis techniques. Some of the junk code is created using random imports with randomly generated hardcoded strings. BabbleLoader’s use of junk code is particularly effective at confusing AI-based analysis techniques.
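Because every build carries different hashes and strings, hash matching alone will not catch new samples; the two traits just described (a near-empty import table that still carries a resolver pair, and high-entropy hardcoded strings) are more stable triage signals. The following is an added example from the editor, not code from Intezer's or PolySwarm's analysis: it scores import names and printable strings already extracted from a sample (for instance with pefile or `strings`), with constructed sample data and assumed thresholds that you would tune against your own corpus.

```python
import math
from collections import Counter

# Assumed: functions a loader keeps imported when it resolves the rest at runtime.
RESOLVER_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
                    "LdrLoadDll", "LdrGetProcedureAddress"}


def shannon_entropy(s: str) -> float:
    """Bits per character of a string; random-looking tokens score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def uses_dynamic_api_resolution(imports, max_imports=12) -> bool:
    """A tiny import table that still holds a resolver import is the classic
    shape of a loader resolving its real APIs at runtime. Packed benign
    binaries look the same, so treat this as a triage hint, not a verdict."""
    names = set(imports)
    return len(names) <= max_imports and bool(names & RESOLVER_IMPORTS)


def random_string_ratio(strings, min_len=8, threshold=3.5) -> float:
    """Fraction of longer strings that look machine-generated (no spaces and
    entropy at or above the assumed threshold). Junk-code builds push this up."""
    candidates = [s for s in strings if len(s) >= min_len]
    if not candidates:
        return 0.0
    noisy = [s for s in candidates
             if " " not in s and shannon_entropy(s) >= threshold]
    return len(noisy) / len(candidates)


def triage_score(imports, strings):
    """Return (score, reasons) so the analyst can see why a sample was flagged."""
    reasons = []
    if uses_dynamic_api_resolution(imports):
        reasons.append("dynamic-api-resolution")
    ratio = random_string_ratio(strings)
    if ratio >= 0.5:
        reasons.append(f"random-strings:{ratio:.2f}")
    return len(reasons), reasons


# Constructed sample data, not extracted from a real BabbleLoader binary.
SUSPECT_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ExitProcess"]
SUSPECT_STRINGS = ["kx9Qz2vB7mWp", "Hf4tL8sNq1Yd", "c3Xr7JpM0zVa", "kernel32.dll"]
BENIGN_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxW",
                  "GetModuleHandleW", "LoadLibraryA", "GetProcAddress", "HeapAlloc",
                  "HeapFree", "GetLastError", "ExitProcess", "Sleep"]
BENIGN_STRINGS = ["Open the configuration file", "settings.ini", "Error: file not found"]
```

Run against the constructed data, the suspect profile scores 2 (both reasons) and the benign profile scores 0; a score of 1 is the band worth a second look in a sandbox, where the page notes BabbleLoader also tries to detect analysis environments.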

IOCs

PolySwarm has multiple samples of BabbleLoader.


You can use the following CLI command to search for all BabbleLoader samples in our portal:

$ polyswarm link list -f BabbleLoader


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.