Brad Freeman
21/11/2023
This blog was written by Lachlan Godding, SenseOn Security Analyst.
SenseOn has recently obtained and analysed several samples of an emerging malware-as-a-service threat named “BunnyLoader”, which is rapidly becoming attractive to low-level threat actors since its inception on September 4th 2023, due to a combination of its low price, rapid development and well-equipped, user-friendly command and control (C2) panel (see Appendix).
The novel malware, which is accompanied by several anti-analysis methods, boasts a large range of features including stealing and modifying victim clipboards, keylogging capabilities, downloading and executing payloads, executing remote commands and stealing sensitive data – including passwords and cryptocurrency wallets.
While the malware made its first appearance in forums on September 4th, further investigation indicates that threat actor activity such as development, support and establishing a community has been ongoing since at least July 30th. The developers have been consistently pushing updates to BunnyLoader every few days which include new features, bug fixes and additional evasion techniques.
One of the recent versions of the malware, BunnyLoader v2.8, added RDP credential stealing functionality, in addition to improved anti-virus evasion and keylogging capabilities.
This rapid addition of new features, the low lifetime price of $250, in addition to the advertised ability to evade detection by anti-virus and sandbox/virtual machine environments makes BunnyLoader a very attractive new tool in the arsenal of threat actors. SenseOn believes this will continue to become increasingly popular among low-level threat actors in particular, who may not have access to the resources or funds required for more expensive frameworks, or the technical sophistication usually observed in more advanced threats.
Figure 4. Advertised scan output showing BunnyLoader anti-virus evasion
BunnyLoader
While the specific delivery mechanism of the BunnyLoader will vary depending upon the threat actor behind an attack, likely initial access methods can be determined through cross-examination with other similar malware. These commonly include phishing, watering hole attacks or delivering the malware hidden in cracked software.
In this case, the suspicious executable, labelled ‘2nd.exe’, is found on the victims desktop. The small file size of 612KB indicates that the file may be packed in some form. Despite the advertised anti-virus evasion capabilities, loading the sample onto a device monitored by the SenseOn Universal Sensor results in the generation of a high priority case due to detection of the malicious binary by the SenseOn anti-malware component.
Disabling this feature for the purposes of further analysis, and loading the binary into Detect It Easy (DIE), the file is flagged as having been packed with the UPX packer. In addition to this, the file is flagged as being compiled by Microsoft Visual studio in C/C++.
Fortunately, the file can easily be unpacked by utilising the same UPX tool used to originally pack the file.
The first two bytes, “4D 5A”, of the suspect file correspond to the “MZ” header, indicating that the file is indeed a Portable Executable (PE) file.
By further analysing the file in PEStudio, several suspicious imports become apparent:
- Clipboard interactions – SetClipboardData and GetClipboardData. These may be abused to steal sensitive information in the victims clipboard such as passwords copied from a vault or password manager
- Network connections – HttpOpenRequestW, InternetReadFile, InternetConnectW and InternetCrackUrlW. Malware could use these to download further malicious packages, read network traffic and initiate connections to C2
- Sleep – This import can be used to force malicious applications to sleep before executing or in-between malicious actions which can hamper analysis efforts and evade detection by sandbox environments
- IsDebuggerPresent – As the name suggests, malware authors may use this import to detect analysis in a debugging environment and alter the execution path to hinder analysis
- System information gathering – the GetSystemInfo, GetComputerNameA, GetDiskFreeSpaceA and GetStartupInfoW imports can potentially be abused to check the victim system for signs of an analysis environment. This can include specific operating systems, minimal hardware allocations typically associated with virtual machines, device or user names corresponding to malware analysis (sandbox, malware, etc) and can cause the malware to follow an alternate execution path, similar to the IsDebuggerPresent import scenario
- RegSetValueExW – This import can modify the Windows registry and is often abused to add values to the Runkeys, providing persistence and automating malware execution upon startup
- NtWriteVirtualMemory and NtReadVirtualMemory – Malware authors may leverage these imports to inject malicious code into, and steal data from, running processes on a victim machine
Similarly, several suspicious strings are present in the BunnyLoader executable:
- Bitcoin, Ethereum, Dogecoin, Monero, Exodus – This indicates some interaction by the application with cryptocurrency, this could be stealing wallets or sending funds to an attacker-controlled address.
- BunnyLoader – An obvious reference to the malware in question.
- Sqlite – This could potentially indicate theft or modification of browser cookies, which are often stored in the form of SQLite databases.
- Mastercard – This may be indicative of an attempt by the malware author to harvest credit card information.
- ProtonVPN, OpenVPN – This is likely evidence that the malware searches for and harvests account information for VPN software.
- Run keylogger, Run stealer – These are likely commands that can be issued by an attacker to run specific tasks on the victim machine to steal sensitive information.
- SQL queries – the binary contains several suspicious SQL queries which appear to be either harvesting financial information or enumerating the target system hardware, possibly for evidence of a virtual machine.
- Sandbox, VirtualBox – This is likely a component of a sandbox check used by the malware to impede analysis and detection.
- Several URLs referencing 37[.]139[.]129[.]145 – Possible C2 reference from which additional payloads are retrieved and to which stolen information is exfiltrated.
Executing the suspicious binary on the infected machine, we are presented with an unusual error dialogue box indicating the file version is incompatible with the current version of Windows.
Taking into consideration the prior static analysis and the fact that this was executed on a virtual machine monitored by the SenseOn agent, there is a possibility that this is the actions of anti-analysis techniques employed by the malware author, warranting further investigation. Also worth noting in this execution is the lack of any error-reporting processes spawned as a result of running this binary, which increases the likelihood that the returned error is not genuine.
Disassembling the executable in Ghidra and searching for a reference to the suspect error message, we can find the execution block returning the dialogue box.
After tracing this to the code block invoking this dialogue box, there is a conditional check that splits the program execution path based on the results of a function call. This is the suspected check for a virtual environment.
To bypass this attempt to evade analysis, the jz (jump if zero) check can simply be altered to a jnz (jump if not zero) check, effectively forcing the application to follow the opposite execution path that was originally intended by the author. To do this, we must find the hexadecimal value of the jz instruction before altering it in a hex editor.
In this case, this is a change of the ‘74 34’ value to ‘75 34’
Executing the patched binary, the error dialogue box is no longer presented. The telemetry captured by the SenseOn agent additionally shows some child processes created by the malware, leveraging an instance of cmd.exe to enumerate the victim operating system and anti-virus.
This basic enumeration activity is detected by SenseOn, generating a security observation as a result.
The process also initiates HTTP connections to ‘ip-api[.]com’ and ‘api.ipify[.]org’, exposing the infected device’s IP address and location. Interestingly, these requests utilise the suspicious ‘BunnyRequester’ user agent.
These unusual requests by the malware are also detected by SenseOn, correlating with the observed enumeration commands to construct a profile of related suspicious behaviours.
BunnyLoader subsequently establishes persistence by adding a ‘Spyware_Blocker’ startup item, corresponding to the malicious executable, into the registry runkey of the infected device.
A single, seemingly unsuccessful connection to the suspected C2 IP address ‘37[.]139[.]129[.]145’ is also detected. This may indicate additional anti-analysis checks employed by the malware based on the network and hardware checks performed upon initial execution.
To verify this, we disabled and removed any anti-virus software on the device, before installing and using a VPN to obscure the IP information of the virtual machine. Seeing as ProtonVPN was referenced multiple times during static analysis, we used this VPN to also observe any interactions with the malware.
Running the malware another time, and capturing traffic from the VPN interface in Wireshark, more connection attempts to the C2 IP under the URLs derived from strings analysis are made. Several additional suspicious user agents are present in these requests, which appear to have a few main functions:
- Heartbeat_Sender – Based on the name, this is likely being used as a form of health check between the malware and C2
- BunnyShell – This appears to be reporting information from the infected machine to the malicious IP
- BunnyTasks – This references a BotID and is likely used by the C2 interface to issue malicious tasks to be executed on the victim device
Despite this, the suspect IP closes the connection with a HTTP reset ‘RST’ flag and the malware ceases execution.
Opening the malware again in Ghidra and setting various breakpoints to follow the execution path, we see the malware terminate after a particular conditional check.
This appears to be checking if the previously observed C2 connection attempt returns a ‘Connected’ message. This can be bypassed in a similar fashion to the dialogue box.
Executing the patched binary once again, even more connections to the C2 IP are detected, with multiple requests observed per minute.
These correspond with empty cmd.exe instances, spawned by the malware, which would likely be populated with malicious commands if issued by the attacker from the C2 interface.
Running netstat on the device to search for listening processes, two IPs, corresponding to the BunnyLoader C2 server and an Amazon EC2 instance not associated with malicious activity are observed by the malicious process.
Following execution, SenseOn did not observe any specific malicious instructions received by BunnyLoader from the external C2 server. Despite this, based on prior analysis of both the malware and available intelligence, we can conclude that, if fully leveraged by a threat actor, BunnyLoader is capable of:
- Arbitrary command execution
- Downloading and executing additional payloads
- keylogging
- clipboard harvesting and manipulation
- theft and manipulation of cryptocurrency wallets, chromium data and messages
- browser cookies including auto-fill passwords
- RDP credential theft
- VPN credential harvesting
- Effectively evading detection by many common AV and sandbox solutions
Indicators of Compromise (IOCs)
Network IOCs:
- 37[.]139[.]129[.]145
- 185[.]241[.]208[.]83
- ip-api[.]com
- Api[.]ipify[.]org
MD5 Hash IOCs:
- a54b2fee7158d9b32a0ebefe54a214b0
- 59ac3eacd67228850d5478fd3f18df78
- bf26e63e49bc72b08e52d37fbe873d9e
- dbf727e1effc3631ae634d95a0d88vf3
Detections
YARA
rule BunnyLoader {
meta:
description = "Detects BunnyLoader samples using common strings"
author = "Lachlan Godding"
strings:
$a1 = "BunnyLoader" ascii fullword
$b1 = "Bitcoin" ascii fullword
$b2 = "Sandbox" ascii fullword
$b3 = "Keylogger" ascii fullword
$b4 = "stealer" ascii fullword
$b5 = "Sqlite" ascii fullword
$b6 = "SetClipboardData" ascii fullword
$b7 = "GetClipboardData" ascii fullword
$b8 = "RegSetValueExW" ascii fullword
$b8 = "RegSetValueExW" ascii fullword
condition:
uint16(0) == 0x5a4d #PE
and $a1
and 4 of ($b*)
}
Snort
alert tcp any any -> any any (msg:"HTTP Request with Suspicious User-Agent"; flow:to_server,established; content:"User-Agent|3a|"; nocase; pcre:"/BunnyTasks|BunnyShell|heartbeat_sender|BunnyRequester|BunnyLoader/i"; sid:1000001; rev:1;)
Appendix – C2 Panel
