Amsterdam, Nov. 3, 2023 - Zscaler ThreatLabz has discovered a new Malware-as-a-Service (MaaS) threat called "BunnyLoader." BunnyLoader offers various functionalities, such as downloading and executing a second-stage payload and stealing browser data and system information. It also uses a keylogger to record keystrokes and a clipper to monitor a victim's clipboard and replace cryptocurrency wallet addresses with wallets controlled by cybercriminals. Once the information is obtained, BunnyLoader packs the data into a ZIP archive that is sent to a command-and-control (C2) server.
- ThreatLabz has identified a new malware loader written in C/C++ called BunnyLoader, which is being sold on various forums for $250.
- BunnyLoader is evolving rapidly with multiple updates and bug fixes.
- BunnyLoader uses several anti-sandbox techniques during its attack sequence.
- BunnyLoader downloads and executes a second-stage payload, logs keystrokes, steals sensitive information and cryptocurrency, and executes remote commands.
BunnyLoader is sold on various forums by a user named "PLAYER_BUNNY"/"PLAYER_BL," who appears to be one of the loader's developers, as shown in the image below.
Figure 1: BunnyLoader advertisement on criminal forum
This malware loader steals the following from web browsers: autofill data, credit card information, downloads, history and passwords. In addition, it steals credentials from ProtonVPN and OpenVPN and from the following messaging applications: Skype, Tox, Signal, Element and ICQ. Cryptocurrency wallets are not left out either. BunnyLoader targets all major cryptocurrencies, including Bitcoin, Monero, Ethereum, Litecoin, Dogecoin, ZCash and Tether.
Since the initial release of BunnyLoader v1.0, the malware has evolved rapidly, with many updates and bug fixes. It is a new MaaS threat that is constantly evolving and adding new features to run successful campaigns against targets. The Zscaler ThreatLabz team will continue to monitor these attacks.
Read a full technical analysis of how BunnyLoader operates here.