New ManticoraLoader Malware Attacking Citrix Users To Steal Data


DeadXInject, the group behind AresLoader and AiDLocker ransomware, is offering a new Malware-as-a-Service (MaaS) called ManticoraLoader. 

Advertised on underground forums and Telegram since August 8, 2024, ManticoraLoader is written in C and targets Windows workstations and servers, collecting host details such as the IP address, username, and installed antivirus product. 


The service extends the group's catalogue beyond ransomware and Citrix exploitation, giving customers a general-purpose loader for broader cybercriminal operations. 

TA’s post on the XSS forum.

ManticoraLoader runs on Windows 7 and later, including Windows Server, and profiles each infected host: IP address, username, system language, installed antivirus software, a machine UUID, and timestamps. 


The collected data is sent to a central control panel, where operators can profile victims, tailor follow-on payloads, and keep track of compromised hosts. Broad OS compatibility combined with detailed host profiling is what makes a loader of this kind useful as the first stage of a larger intrusion.

Sample of the login interface of the panel provided by the TA.

The loader is built for persistence: it drops files into auto-start locations so that it runs again whenever the system starts. 
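The persistence described above, auto-start entries that relaunch the loader on boot, is also where defenders can look for it. The following PowerShell hunting script is an added example written for this article; it is not ManticoraLoader code and was not published by Cyble or the threat actor. It enumerates the common Run/RunOnce keys and both Startup folders and flags entries that launch from user-writable directories. The list of directories treated as suspicious is an assumption for illustration, not an indicator taken from the report.

```powershell
# Added hunting example (not from the original article or from Cyble).
# Enumerates common Windows auto-start locations and flags entries whose
# command or shortcut target lives in a user-writable directory.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Per-user and all-users Startup folders (Explorer launches everything in them at logon).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Assumption: paths an unprivileged user can write to. Legitimate software rarely
# auto-starts from these; a dropped loader usually does.
$userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Test-SuspiciousPath {
    param([string]$Command)
    foreach ($fragment in $userWritable) {
        if ($Command -like "*$fragment*") { return $true }
    }
    return $false
}

$findings = @()

# Registry Run / RunOnce values. Get-ItemProperty adds PS* metadata properties
# that are not registry values, so skip them.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = Test-SuspiciousPath -Command $cmd
        }
    }
}

# Startup folders. Resolve .lnk shortcuts to their real target before judging the path.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $findings += [pscustomobject]@{
            Location   = $dir
            Name       = $_.Name
            Command    = $target
            Suspicious = Test-SuspiciousPath -Command $target
        }
    }
}

# Suspicious entries first; review each one manually.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable. An entry marked Suspicious is a triage lead, not a verdict: some legitimate updaters also run from AppData, so check the file's signature, creation time, and parent process before acting on it.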

Its modular structure lets operators adapt it to different payloads and purposes. To evade detection it obfuscates its code, and it is rented out for USD 500 per month under strict terms and conditions.

The operators run a restricted client model, dealing only through forum escrow or direct contact, to control who receives the loader and limit exposure of the tooling. 

The evasion claims, zero detections on Kleenscan and a bypass of 360 Total Security's sandbox, rest on screenshots posted by the TA rather than independent testing. If accurate, they point to deliberate obfuscation and anti-analysis work aimed at keeping the loader effective for as long as possible.

Sample of sandboxing detection bypass posted by the TA.

Despite ManticoraLoader's launch, VirusTotal data shows AresLoader still circulating widely, which suggests that its ability to bypass security controls and deliver payloads keeps it attractive to threat actors. 

According to Cyble, the persistence of AresLoader underlines the ongoing need for robust security measures against this and similar loader families.

VirusTotal (VT) findings.

DarkBLUP, the handle used by the DeadXInject actor behind the AresLoader MaaS, has recently announced ManticoraLoader as its new loader.

The launch appears aimed at further monetisation; why the TA went quiet for an extended period beforehand remains unclear. 

Despite the overlap between the two loaders, the TA claims ManticoraLoader is an improved version. If so, defenders may face the same difficulty detecting the stealer and botnet infections it delivers that they saw in AresLoader campaigns.
