Executive Summary
BunnyLoader is a recently discovered malware-as-a-service (MaaS) threat being sold on multiple forums. It was released in September 2023 and appears to be under active development, with feature updates and bug fixes available.
Key Takeaways
- BunnyLoader is a recently discovered malware-as-a-service (MaaS) threat being sold on multiple forums.
- BunnyLoader, which is written in C/C++, is a fileless loader that downloads and executes further malware stages in memory.
- BunnyLoader’s functionality includes the ability to download and execute additional payloads, steal browser credentials and system information, perform keylogging, remotely execute commands, and monitor the victim's clipboard.
- BunnyLoader was released in September 2023 and appears to be under active development, with feature updates and bug fixes available.
What is BunnyLoader?
BunnyLoader is a recently discovered malware-as-a-service (MaaS) threat being sold on multiple forums for $250 USD. A threat actor named PLAYER_BUNNY was observed advertising BunnyLoader. Zscaler reported on this malware.
BunnyLoader, which is written in C/C++, is a fileless loader that downloads and executes further malware stages in memory. BunnyLoader has a variety of capabilities, allowing threat actors to download and execute additional payloads, steal browser credentials and system information, perform keylogging, remotely execute commands, and monitor the victim's clipboard. Cryptocurrency wallets targeted by BunnyLoader include Armory, Exodus, AutomaticWallet, Bytecoin, Ethereum, Coinomi, Jaxx, Electrum, and Guarda. Stolen data is zipped and exfiltrated to the C2. BunnyLoader can also replace cryptocurrency wallet addresses on the victim’s clipboard with threat actor-controlled wallet addresses.
The BunnyLoader C2 panel allows threat actors to view statistics for infections, the total number of connected and disconnected clients, active tasks, and stealer logs. The C2 panel also allows threat actors to remotely control victim systems.
BunnyLoader was released in September 2023 and appears to be under active development, with feature updates and bug fixes available. Since the original malware was released, BunnyLoader has added many features, including but not limited to the ability to compress stealer logs before uploading, commands for the reverse shell, the ability to steal browser history, NGRok auth-token recovery stealer, Chromium browser paths, credit card recovery and support for 16 credit card types, antivirus evasion, anti-sandbox techniques, VPN recovery for ProtonVPN and OpenVPN, downloads history viewer, keylogger functionality, game recovery, C2 GUI changes, various optimization improvements, persistence, and the ability to inject payloads into memory for x86/x64 architecture.
IOCs
PolySwarm has multiple samples of BunnyLoader.
454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79
90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69
9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f
You can use the following CLI command to search for all BunnyLoader samples in our portal:
$ polyswarm link list -f BunnyLoader
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.