Cyber security researchers have shed light on a new stealthy malware loader called BabbleLoader that has been spotted in the wild delivering families of information stealers such as WhiteSnake and Medusa.
BabbleLoader is “an extremely evasive bootloader packed with defense mechanisms that is designed to bypass antivirus and sandbox environments to deliver memory theft,” Intezer security researcher Ryan Robinson said in a report published on Sunday.
Evidence shows that the loader is being used by several threat groups targeting both English- and Russian-speaking users, primarily singling out people looking for generic cracked software, as well as business professionals in finance and administration, by passing it off as accounting software.
Loaders are an increasingly common method of delivering malware such as stealers or ransomware. They often act as the first stage in an attack chain, bypassing traditional antivirus defenses by incorporating a number of anti-analysis and sandbox-evasion features.
This is evidenced by the constant flow of new loader families that have appeared in recent years, including, but not limited to, Dolphin Loader, Emmenthal, FakeBat, and Hijack Loader, which have been used to distribute payloads such as CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.
BabbleLoader stands out because it contains various evasion techniques that can fool both traditional and AI-based detection systems. These include the use of junk code and metamorphic transformations that change the structure and control flow of the loader to circumvent signature- and behavior-based detection.
It also defeats static analysis by resolving the functions it needs only at runtime, and takes steps to detect and evade sandboxed analysis. Moreover, the excessive junk code and noise cause disassembly and decompilation tools such as IDA, Ghidra, and Binary Ninja to crash, forcing manual analysis.
“Each bootloader build will have unique strings, unique metadata, unique code, unique hashes, unique encryption and unique control flow,” Robinson said. “Each sample is structurally unique with only a few pieces of code in common. Even the file metadata is randomized for each sample.”
“These constant changes in code structure force AI models to continually relearn what to pay attention to—a process that often leads to missed detections or false positives.”
The loader is essentially responsible for loading shellcode, which then paves the way for the decrypted code, a Donut loader, which in turn unpacks and executes the stealer malware.
“The better loaders can protect the final payloads, the fewer resources threat actors will need to expend to restore burned infrastructure,” Robinson concluded. “BabbleLoader takes steps to protect against as many forms of detection as possible in order to compete in the crowded bootloader/encryptor market.”
The development comes as Rapid7 has detailed a new malware campaign distributing a new version of LodaRAT that is equipped to steal cookies and passwords from Microsoft Edge and Brave, in addition to collecting all kinds of sensitive data, delivering additional malware, and providing remote control of compromised hosts. LodaRAT has been active since September 2016.
The cybersecurity company said it “noticed new versions of Donut loader and Cobalt Strike being distributed” and that it “observed LodaRAT on systems infected by other malware families such as AsyncRAT, Remcos, XWorm and others.” However, the exact relationship between these infections remains unclear.
The disclosure also follows the discovery of Mr.Skeleton RAT, a new njRAT-based malware that has been advertised in the cybercriminal underground as coming with functionality for “remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, and remote control of camera devices.”