BunnyLoader is a rapidly evolving malware written in C/C++. Originally released in September 2023, it has already reached version 3.0 in just six months. In this article, we’ll cover the new features in the latest version and how to analyze this threat using ANY.RUN.
What’s new
BunnyLoader 3.0 comes with rewritten data-stealing modules, an improved keylogger, and a smaller payload size. What’s more, the creators have added DoS functionality, enabling the malware to launch HTTP flood attacks.
According to an update by hackers dated February 11, 2024, the latest version separates the modules for data theft, keylogging, and DoS into separate binaries.
What can BunnyLoader do?
BunnyLoader packs a wide range of malicious functions. The malware:
- Exfiltrates credentials.
- Logs keystrokes.
- Steals cryptoccurency wallets.
- Launches DoS attacks against target URLs.
- Drops additional malware.
This threat is rapidly evolving. Version 2.0 arrived just a month after the initial release, and the latest update — about 5 months after the previous. At this rate, it’s unlikely the creators will stop there.
BunnyLoader’s complex attack chain
The malware’s attack chain has become increasingly complex since its emergence. The current chain unfolds as follows:
- The initial compromise occurs via an undocumented dropper.
- It loads the PureCrypter payload onto the compromised system.
- PureCrypter then forks into two parallel branches.
The first branch: Runs the PureLogs loader, ultimately installing the PureLogs stealer on the system. We have provided a detailed analysis of this chain in our comprehensive report on the Pure malware family.
The second branch: Drops BunnyLoader, which in turn installs the Meduza malware on the system.
BunnyLoader sandbox analysis in ANY.RUN
The BunnyLoader execution chain typically unfolds as follows: The loader usually gets delivered to the victim’s system through a phishing email as a malicious attachment or link. During execution, BunnyLoader decompresses and decrypts itself in memory.
BunnyLoader then sets up persistence: it modifies registry keys or creates scheduled tasks. Next, the malware establishes communication with a C2 server, receives instructions and payloads, such as PureLogs. Optionally — depending on commands from the C2 — it downloads and executes additional payloads such as ransomware or banking trojans.
After executing its intended payloads, BunnyLoader may attempt to cover its tracks by deleting temporary files or logs.
About ANY.RUN
ANY.RUN’s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware.
Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats.
Key advantages of ANY.RUN for businesses:
- Interactive analysis: Analysts can “play with the sample” in a VM to learn more about its behavior.
- Fast and easy configuration. Launch VMs with different configurations in a matter of seconds.
- Fast detection: Detects malware within roughly 40 seconds of uploading a file.
- Cloud-based solution eliminates setup and maintenance costs.
- Intuitive interface: Enables even junior SOC analysts to conduct malware analysis.
Learn how ANY.RUN can benefit you or your security team. Schedule a free demo with one of our sales representatives, and we’ll walk you through real-world examples.
Jack Zalesskiy
Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.
0 comments