Malware, Manticora Loader

Cyble Research & Intelligence Labs (CRIL) has discovered the announcement of a new malware-as-a-service (MaaS) named ‘ManticoraLoader’ on underground forums. The threat actors operating as the group DeadXInject have been offering the service on underground forums and on their Telegram channel since August 8, 2024.

The same threat actors developed the infamous AresLoader and, as reported by CRIL, were observed targeting Citrix users in April 2023. Researchers had previously attributed the development of AiDLocker ransomware in late 2022 to the same group.

Figure 1 – TA’s advertisement on the Telegram Channel.

In a detailed post under the alias ‘DarkBLUP’, previously used to advertise AresLoader on the XSS forum, the threat actors outlined the functionalities, operational logic, and usage guidelines for ManticoraLoader, which they describe as written in C.

Figure 2 – TA’s post on the XSS forum.

Features Advertised About ManticoraLoader

ManticoraLoader is reportedly compatible with Windows 7 and later versions, including Windows Server, allowing it to target a wide range of systems still in use today. One of its key features is a module designed to gather extensive information from infected devices, such as IP address, username, system language, installed antivirus software, UUID, and date-time stamps.

This information is then transmitted back to a centralized control panel, likely enabling threat actors to profile victims, tailor further attacks, and maintain control over compromised systems. The broad compatibility and detailed reconnaissance capabilities suggest that ManticoraLoader could be a versatile and potent tool in sophisticated cyber campaigns.

Figure 3 – Sample of the login interface of the panel provided by the TA.

The threat actors assert that ManticoraLoader can place files into auto-start locations to maintain persistence on compromised systems. Its modular design reportedly allows functionality to be extended on request, making it adaptable to various malicious objectives. The TA also claims the loader employs sophisticated obfuscation techniques to evade detection. The service is offered under strict terms, with a monthly rental fee of USD 500.
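The persistence claim above is the one a defender can check directly. The following hunting script is an added example and is not code from the Cyble report or from the loader; the page does not disclose which auto-start locations ManticoraLoader uses, so the script covers the standard Run/RunOnce registry keys and the Startup folders, records a baseline, and on later runs reports any entry that was not in the baseline. The baseline path and parameter names are assumptions for illustration.

```powershell
# Added hunting example (not part of the original report): snapshot common Windows
# auto-start (ASEP) locations and diff them against a saved baseline.
# Run once with -SaveBaseline on a known-clean host, then periodically without it.
# Exit code 0 = no new entries, 2 = new entries found, 1 = no baseline present.
param(
    [string]$BaselinePath = "$env:ProgramData\asep-baseline.json",  # assumed location
    [switch]$SaveBaseline
)

# Standard ASEP registry keys; the page does not say which ones the loader targets.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Per-machine and per-user Startup folders.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Get-AsepEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        # -Force includes hidden files, a common trick for dropped startup items.
        Get-ChildItem -Path $dir -File -Force | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Value = $hash }
        }
    }
    return $entries
}

$current = @(Get-AsepEntries)

if ($SaveBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -SaveBaseline on a clean host first."
    exit 1
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($b in $baseline) { $known["$($b.Source)|$($b.Name)|$($b.Value)"] = $true }

# Anything whose source/name/value triple is not in the baseline is new or modified.
$new = @($current | Where-Object { -not $known.ContainsKey("$($_.Source)|$($_.Name)|$($_.Value)") })

if ($new.Count -eq 0) {
    Write-Host "No new auto-start entries since baseline."
    exit 0
}
Write-Host "New or changed auto-start entries since baseline:"
$new | Format-Table -AutoSize
exit 2
```

Registry values are compared by name and data, while Startup-folder items are compared by SHA-256 so that a replaced file with an unchanged name still shows up. The script is a quick triage aid, not a substitute for a full ASEP enumerator such as Sysinternals Autoruns, which also covers services, scheduled tasks and WMI subscriptions.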

Figure 4 – Sample of panel interface published by the TA

The threat actors behind ManticoraLoader have established a transaction process that utilizes the forum’s escrow service or direct contact via Telegram or TOX, with a strict limit of 10 clients. This exclusivity may be intended to maintain control and reduce exposure.

The loader’s TA-reported detection rate of 0/39 on Kleenscan is presented as evidence of its stealth, likely attributable to the obfuscation techniques claimed above; as a static multi-engine scan submitted by the seller, this figure is a marketing claim rather than an independently verified result. Additionally, the threat actors posted a video demonstration on their Telegram channel to show the loader bypassing the 360 Total Security sandboxing solution.

Figure 5 – Loader analyzed by the TA with CFF Explorer.

Figure 6 – Sample of sandboxing detection bypass posted by the TA.

AresLoader’s Continued Relevance

Despite the launch of ManticoraLoader, CRIL observes that AresLoader is still being actively employed by threat actors.

Figure 8 – VT findings

Conclusion

The announcement of ManticoraLoader as a new MaaS, alongside the existing and still-in-use AresLoader, may be an attempt by TA DarkBLUP to further monetize their success with the latter. It is, however, unclear what led the TA to remain inactive for more than a year, especially after their back-to-back successes with AiDLocker ransomware and AresLoader. From initial observation, the features advertised for ManticoraLoader appear almost identical to those of the older loader. However, if the TA’s claims of improved and advanced features are correct, the loader may pose a new challenge for the detection of the stealer and botnet infections it delivers, as observed in the AresLoader campaigns.

The post ManticoraLoader: New Loader Announced from the Developers of AresLoader appeared first on Cyble.