ManticoraLoader, a new malware-as-a-service (MaaS), was observed on the cybercriminal XSS forum being distributed by ‘DarkBLUP,’ an alias that was previously used to distribute malware from the DeadXInject group such as the still-active AresLoader malware and the AiDLocker ransomware.
The new malware variant has been offered by DeadXInject on its Telegram channel since around August 8, 2024.
ManticoraLoader Employs Stealth and Obfuscation
ManticoraLoader boasts an impressive array of features that make it a versatile and potent tool for cybercriminal operations. Researchers from CRIL (Cyble Research and Intelligence Labs) indicated that the malware is compatible with Windows 7 and later versions, including Windows Server, allowing it to target a wide range of systems still in use today.
One of its key features is a module designed to gather extensive information from infected devices, including IP address, username, system language, installed antivirus software, UUID, and date-time stamps. This detailed reconnaissance data is then transmitted back to a centralized control panel, enabling the threat actors to profile victims and tailor their attacks accordingly.
The loader’s modular design allows for easy extension of functionalities upon request, making it adaptable to various malicious objectives. ManticoraLoader also employs sophisticated obfuscation techniques to evade detection, with a reported detection rate of 0/39 on Kleenscan.
To further demonstrate its evasive capabilities, the actors posted a video showcasing the loader’s ability to bypass the 360 Total Security sandboxing solution.
The threat actors have also designed ManticoraLoader with persistence in mind, as it can reportedly place files into auto-start locations, ensuring its continued presence on compromised systems. This modular design also allows for easy expansion of functionalities, making the loader adaptable to various malicious objectives.
The threat actors behind ManticoraLoader have implemented a strict transaction process, limiting the number of clients to 10 and offering the service through the forum’s escrow service or direct contact via Telegram or TOX. This exclusivity may be a strategic move to maintain control and reduce exposure.
The service is offered for a monthly rental fee of $500, indicating the threat actors’ intention to monetize their creation. This pricing model suggests that ManticoraLoader is not merely a one-off tool, but rather a carefully crafted MaaS designed to generate a steady stream of revenue for the cybercriminals.
AresLoader Persists
The researchers, however, are unclear why the threat actor DarkBLUP remained inactive for more than a year after their success with the AiDLocker ransomware and AresLoader. As AresLoader remains still widely in use among cybercriminals, the researchers suggest that the group is not abandoning its previous project but rather expanding their arsenal to diversify their malicious offerings and expand monetization.