Threat hunters have shed light on a "complex and evolving malware toolset" called Ragnar Loader that is used by several cybercrime and ransomware groups, including Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).
"Ragnar Loader plays a key role in maintaining access to compromised systems, helping attackers stay in networks for long-term operations," the Swiss cybersecurity company Prodaft said in a statement shared with The Hacker News.
"Although it is attributed to the Ragnar Locker group, it is unclear whether they own it or simply rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect."
Ragnar Loader, also called Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful FIN8 attack aimed at an unnamed financial institution located in the U.S. It is said to have been in use since 2020.
Then, in July 2023, Broadcom-owned Symantec disclosed the use of an updated version of the backdoor to deliver the now-defunct BlackCat ransomware.
The core functionality of Ragnar Loader is its ability to establish long-term persistence in target environments, using an arsenal of techniques to evade detection and maintain operational stability.
"The malware uses PowerShell-based payloads, incorporates strong encryption and encoding methods (including RC4 and Base64) to hide its activity, and uses sophisticated injection strategies to establish and maintain stealthy control over compromised systems," it said.
"These features collectively enhance its ability to evade detection and persist in targeted environments."
The malware is offered to affiliates in the form of an archive file package containing several components that facilitate reverse shell access, local privilege escalation, and remote desktop access. It is also intended to establish a foothold for the threat actor, allowing them to remotely control the infected system through a command-and-control (C2) panel.
Typically executed on victim systems using PowerShell, Ragnar Loader incorporates anti-analysis techniques to resist detection and obfuscates its control-flow logic.
In addition, it can carry out various backdoor operations, launching DLL and shellcode plugins, as well as reading and exfiltrating the contents of arbitrary files. To enable lateral movement across the network, it uses another PowerShell-based pivot file.
Another important component is a Linux ELF executable named bc, which is designed to facilitate remote connections, allowing the adversary to execute command-line instructions directly on the compromised system.
"It employs advanced obfuscation, encryption, and anti-analysis methods, including PowerShell-based payloads, RC4 and Base64 encoding, dynamic process injection, token manipulation, and lateral movement capabilities," Prodaft said. "These traits reflect the increasing complexity and adaptability of modern ransomware ecosystems."