The PolySwarm Blog


BunnyLoader 3.0

Mar 25, 2024 2:06:27 PM / by The Hivemind


Executive Summary

The BunnyLoader malware-as-a-service (MaaS) operation released its latest variant, BunnyLoader 3.0, in February. BunnyLoader 3.0 boasts multiple improvements, including a reduced payload size, keylogging capabilities, and a modular structure.

Key Takeaways

  • BunnyLoader is a malware-as-a-service (MaaS) threat that was first released in 2023.
  • BunnyLoader has been under active development, and BunnyLoader 3.0 was released in February 2024.
  • BunnyLoader 3.0 boasts multiple improvements, including a reduced payload size, keylogging capabilities, and a modular structure. 

What is BunnyLoader 3.0?

BunnyLoader is a malware-as-a-service (MaaS) threat being sold on multiple forums. It was first released in September 2023 and has been under active development. Palo Alto’s Unit 42 recently reported on the newest BunnyLoader variant, BunnyLoader 3.0.

BunnyLoader, which is written in C/C++, is a fileless loader that downloads and executes further malware stages in memory. BunnyLoader has a variety of capabilities, allowing threat actors to download and execute additional payloads, steal browser credentials and system information, perform keylogging, remotely execute commands, and monitor the victim's clipboard. BunnyLoader can also replace cryptocurrency wallet addresses on the victim’s clipboard with threat actor-controlled wallet addresses.

The BunnyLoader C2 panel allows threat actors to view statistics for infections, the total number of connected and disconnected clients, active tasks, and stealer logs. The C2 panel also allows threat actors to remotely control victim systems.

Previous BunnyLoader variants added many features, including but not limited to:
  • compression of stealer logs before upload
  • reverse shell commands
  • browser history theft and a downloads history viewer
  • an ngrok auth-token recovery stealer
  • additional Chromium browser paths
  • credit card recovery, with support for 16 credit card types
  • antivirus evasion and anti-sandbox techniques
  • VPN recovery for ProtonVPN and OpenVPN
  • keylogger functionality
  • game recovery
  • C2 GUI changes and various optimization improvements
  • persistence
  • in-memory payload injection for x86 and x64 architectures

BunnyLoader 3.0, which was announced in February 2024, was advertised to be “completely redesigned and enhanced by 90%.” The threat actor behind BunnyLoader 3.0 stated that payload enhancements include payloads and modules that were rewritten for improved performance, a reduced payload size, and the addition of advanced keylogging capabilities.

Unit 42 researchers noted BunnyLoader 3.0 also includes updates to the C2 communication protocol and changes to make the binary modular. BunnyLoader 3.0 has multiple modules, including a keylogger module, a stealer module, a clipper module, and a denial of service (DoS) module.

The keylogger module records keystrokes and tries to identify when the victim authenticates to a sensitive application or service, then logs those keystrokes. The stealer module is capable of autonomous operation. It steals credentials and data and exfiltrates them to the C2. The clipper module identifies cryptocurrency wallet addresses on the victim’s clipboard and replaces the intended recipient address with a threat actor-controlled wallet address. The DoS module can be used to perform a GET or POST HTTP flood against a target URL. 
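One defender-side check the clipper behaviour described above suggests, written here as an added example and not part of the PolySwarm bulletin or of BunnyLoader itself: a clipper has to overwrite the clipboard moments after the user copies a wallet address, so a clipboard monitor that records timestamped changes can flag a wallet address being replaced by a different address of the same type within a very short window. The event list, the address patterns and the two-second threshold are all assumptions constructed for the example.

```python
import re

# Address-shape patterns (assumed for this example; loose, not validating checksums).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{25,62}"),  # bech32 charset excludes 1, b, i, o
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def wallet_type(text):
    """Return the wallet-address type a clipboard string looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


def detect_clipper_swaps(events, max_gap_seconds=2.0):
    """events: list of (timestamp_seconds, clipboard_text) in chronological order.

    Flags a change where a wallet address is replaced by a *different* address
    of the *same* type within max_gap_seconds: a user copying a new address
    takes far longer than a clipper reacting to the clipboard change."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        kind = wallet_type(prev)
        if kind is None or wallet_type(cur) != kind:
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= max_gap_seconds:
            alerts.append({"time": t_cur, "type": kind,
                           "original": prev.strip(), "replacement": cur.strip()})
    return alerts


# Constructed clipboard history: one swap 300 ms after the user copies an ETH address;
# the later BTC addresses are minutes apart or of different types and must not fire.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for Tuesday"),
    (10.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (10.3, "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
    (40.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (95.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),
    (100.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"possible clipper at t={alert['time']}s ({alert['type']}): "
              f"{alert['original']} -> {alert['replacement']}")
```

On a real endpoint the events would come from a clipboard-change hook; the heuristic is a tripwire for triage, not proof of infection, since a user pasting a second address very quickly would also trip it.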

IOCs

PolySwarm has multiple samples associated with this activity. 


3a64f44275b6ff41912654ae1a4af1d9c629f94b8062be441902aeff2d38af3e

0f425950ceaed6578b2ad22b7baea7d5fe4fd550a97af501bca87d9eb551b825

74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994

1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8


You can use the following CLI command to search for all BunnyLoader samples in our portal:

$ polyswarm link list -f BunnyLoader
