CyberWire Daily - The JPHP loader breaking away from the pack. [Research Saturday]
Episode Date: December 7, 2024
Shawn Kanady, Global Director of Trustwave SpiderLabs, to discuss their work on "Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader." Trustwave SpiderLabs has uncovered Pronsis Loader,... a new malware variant using the rare programming language JPHP and stealthy installation tactics to evade detection. The malware is capable of delivering high-risk payloads like Lumma Stealer and Latrodectus, posing a significant threat. Researchers highlight its unique capabilities and infrastructure, offering insights for bolstering cybersecurity defenses. The research can be found here: Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life...
Thank you.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Storing your credentials in your browser is generally a bad idea.
It's super convenient, you know, save my password.
But this is exactly the type of thing that these stealers are going to
grab. And over time, they'll have enough information from any given user, both personal
and potentially corporate, to then do social engineering tactics and escalate further that
attack chain. That's Shawn Kanady, Global Director of Trustwave SpiderLabs.
The research we're discussing today is titled,
Pronsis Loader, a JPHP-driven malware.
How we stumbled across this Loader malware was that
our cyber threat intelligence team works with our threat hunters.
And we were running a threat hunt campaign against the Latrodectus loader malware.
And during that threat hunt campaign, our threat intelligence team was monitoring VirusTotal
to find any submissions of Latrodectus.
So oftentimes companies will, or just anyone really,
will be uploading files to VirusTotal for scans or things like that.
And we're looking for Latrodectus.
And in doing so, we found another loader that was installing Latrodectus.
So what you have here is an example of a loader malware known as Pronsis
installing another loader malware known as Latrodectus.
Wow. So give us an overview here of what exactly Pronsis Loader is and how it operates.
Sure. So Pronsis Loader is yet another loader.
There are many like them.
Loader malwares, in general, are really designed to connect to a remote location that is controlled
by a threat actor to download additional malware.
So it's really designed to, it's really lightweight,
and it will reach out, pull down additional malware,
generally in the form of a zip file or something else.
And that payload that it's downloading could be anything
from either another loader malware, or it could be an info stealer, anything that the threat actor
is running as a campaign.
So what prompted you all to classify
Pronsis Loader as a distinct malware variant?
That's a really good question. So it's a distinct malware variant
in that we hadn't seen it before.
There are many loaders just like this one. This one is unique in its usage of JPHP,
which is a Java implementation of PHP. There have been others that have used JPHP. It's not common.
We've seen where IceRat, a remote access Trojan, was using JPHP.
And so as we were looking at the, again
we're looking for loaders of Latrodectus malware.
When we found this Pronsis Loader, we also saw another
one called D3F@ck Loader, and they both use JPHP.
Interestingly, the D3F@ck Loader is probably part of this same threat actor group of tools.
And the reason I say that is because the coding behind it is very similar.
And so we saw D3F@ck Loader, its earliest variant in January of 2024.
And as we're looking through different variants with similar infrastructure, code infrastructure, I should say,
we saw that the Pronsis Loader was earlier in November
2023. So NSIS is
known as Nullsoft Scriptable Install System.
So this is how the threat actors are crafting this binary.
The D3F@ck Loader uses Inno Setup.
So it's just a different type of binary creation system.
So there's differences there.
The other difference is Pronsis Loader doesn't use any SSL certificates.
Generally, when you see malware, they may have certificates to evade detections or to look legitimate.
The Pronsis Loader does not have that, whereas the D3F@ck Loader does have it.
So you can see where the threat actor is maybe making their malware a little bit stronger as far as defense evasion goes.
And beyond that, there's a password that is used in the D3F@ck Loader.
So when it's unpacking, there's a hard-coded password that is used when they're setting it up in the Inno Setup program.
Whereas the Pronsis Loader does not have a password.
So a little bit different, but very similar.
So again, the code is very similar to each other,
but the D3F@ck Loader is probably a little bit more sophisticated
in terms of defense evasion.
Where do you suppose Pronsis Loader stands
when it comes to its
general obfuscation techniques
when you compare it to some of the other loaders
you've seen?
This is probably where I'm a little bit cynical.
As far as obfuscation techniques,
I wouldn't say that it's more
sophisticated than others, really.
A lot of these loaders are meant to be very lightweight.
And so the obfuscation techniques are limited in what you can do there.
So in terms of the payloads, I mean, you mentioned Latrodectus.
Are there other payloads that you've seen Pronsis Loader delivering?
Yeah, so there's a big campaign that we've seen with Lumma Stealer. So we have seen the
Latrodectus, obviously. I've mentioned that it's another loader malware, but we're also seeing
Lumma Stealer, and Lumma Stealer has made its way in the news recently. And we've seen major campaigns involving Lumma Stealer.
And Lumma Stealer, for those not in the know, is an info-stealing malware.
Again, with these loaders and info-stealers, it's part of a bigger operation generally.
So we'll see loader malware being used to drop info stealer malware.
And that info stealer malware is generally part of malware as a service campaign.
So threat actors can take that info stealing malware
and get a lot of information from users,
from their browser credentials, crypto wallets, you name it,
whatever they're looking to steal at the time,
gathering a lot of information,
and then potentially using that information to do social engineering
or logging into companies.
One of the big targets would be SSO credentials,
so single sign-on credentials. They could leverage that to
log into cloud apps and things of that nature, bypassing
multi-factor authentication.
Those are big prime targets for InfoStealer malware.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Is there anything noteworthy with Pronsis Loader in terms of how it handles persistence?
Once it's on a machine, anything unusual or noteworthy there?
From a persistence mechanism, not really, I wouldn't say so.
A lot of these loader malwares are designed to reach out, grab whatever they're trying to load, and then just exit.
Sometimes there's persistence mechanisms from an autostart perspective.
In some cases, though, in a lot of cases, actually, they'll load additional loader malware,
such as the Latrodectus malware I mentioned before.
And that loader malware will have additional
capabilities where it will establish
persistence mechanisms. It will
do things such as
it will run
a PowerShell script to
exclude the directory it's
installed in from
scans, things of that nature.
So it can be kind
of a cascading nature here
of one handing off to the next.
Exactly, yep.
Yeah.
How widespread do you suppose this is?
Do you have any sense for how far and wide this is being spread?
I would say it's massive.
It's hard to put numbers around these things
because the loader malwares are out there.
There's many of them.
There's hundreds of them, really.
The ecosystem for them is crazy
as far as the dark markets go.
So they're widespread
and very cheap to...
They're very cheap to deploy
from a cost perspective
for threat actors.
And so
there's any number of ways that this
loader malware can find its way on your system.
Typical
ways, phishing, of course.
But there's also
drive-by downloads or
sidecar
installations where you're
looking to download some free
software. You may get
that free software, but you get a little extra
with it, and it would be like the loader
malware. And actually, we're
seeing a lot of
installations via
using social engineering
to distribute the malware.
That's pretty famous right now.
So all over on Facebook, you're going to see Malvertising.
And you'll click the link.
It could be anything.
It could be anything from a job posting.
So click here to submit your application to this job.
And that will then bring you in a loader malware
and then down the chain, right? So loader malware comes, it downloads a payload profile of
Latrodectus or some info stealer. The next thing you know, your credentials are being stolen and
sold in the dark market. So what are your recommendations then? I mean, how should organizations best protect themselves here?
Well, this is where it gets, you know, I think awareness is key.
A lot of times, you know, the ransomware breaches get a lot of media play.
And so, unfortunately, that's the end payload or that's the end game for a lot of this, right?
And so having an understanding of what may come before that or left of boom, as they say, is really important.
cloud apps or just remote work from home.
We think about protecting our corporate assets from EDR tools, which will help. Those definitely help.
But what happens when your end users are using their personal assets
to then log into your Office 365 or
sharing with the kids at home who are downloading things?
So it gets extremely difficult.
So having an awareness of the whole ecosystem
of how it all works from loader malware to InfoStealers,
things like, and really InfoStealers are a big one.
There's a huge market for info logs
that InfoStealers present to threat actors.
So things like storing your credentials in your browser is generally a bad idea.
It's super convenient, you know, save my password.
But this is exactly the type of thing that these stealers are going to grab.
And over time, they'll have enough information from any given user, both personal and potentially corporate,
to then do social engineering tactics and escalate further that attack chain.
Yeah, I mean, it's really a story of constant vigilance, I suppose.
I mean, that's where we find ourselves, right?
Yeah, it really is.
You know, the threat actors are moving a lot faster now.
So with, you know, AI and things of that nature,
social engineering is faster, quicker, more efficient.
So staying vigilant one step ahead.
Continual security awareness,
even though we know that, you know,
it's easy to dupe people into clicking the link or downloading the
attachment.
But I think from a corporation standpoint or for any given company, just having an understanding
of the whole picture, the whole economy of malware as a service, how it all works, and
how you end up with potentially ransomware, which is what is on top
of mind for most companies is, I don't want to get the ransomware. How do we protect against
ransomware? But if we can move further left in the kill chain and looking at InfoStealers and
Remote Access Trojans and these things, that will help mitigate most of your ransomware attacks.
The ransomware doesn't just end up on the system.
It has to come from somewhere.
Exactly.
And so there's a whole chain.
And a lot of times it could be even multiple threat actors, right?
So you'll have threat actors who are designing these loader malwares, and then other threat
actors that are renting that service to run their campaign,
which may be info-stealing malware, right?
And so then that information from the info-stealing malware
is then sold to other threat actors
who may use that information to then log into company environment
and deploy their ransomware or other malware.
It's interesting to me.
I mean, as you look at this as a part of the larger ecosystem and you're looking forward
at trends, like where are we headed?
What does this tell us about the broader overall trends of things?
Who's selling what and who's buying what and how are they coming after people?
Do you have any insights there of where you think, does this inform where we think we may be headed?
In terms of just the who and what of who's behind it?
Well, the activity that you all are tracking, and this is a piece of the puzzle, you know,
and sometimes you see that certain techniques are on the rise or certain things are on decline.
And as you say, you know, these threat actors, they're moving at a faster velocity and they're
constantly changing.
Is this the shape of things to come?
This, you know, as we talked about, these cascading use of loaders.
Is this here to stay?
And what are your insights there?
Yeah, I think loaders have been around forever.
And so have info stealers.
And they're not going to go away. I think the speed at which they are being distributed
is increasing exponentially, I would say, for two reasons.
One, social engineering is getting easier for threat actors given AI.
That's really helping.
Social media, because a lot of this malware is distributed via social media,
and we are seeing that trending lately,
which is really interesting because
until we start looking at how
the social media platforms are protecting consumers of that platform,
I think that'll continually grow and escalate.
You know,
we certainly,
the worldwide web of things is growing crazy,
right?
So like,
there's just a lot of junk on the internet these days.
The internet's broken.
But with social media platforms,
all of them,
right? They're being used by the threat actors.
And it's almost... It's a little scary to think about
in that
the companies behind those
platforms
aren't able to keep up with it,
I don't think. We're seeing a lot of infection
chains within those platforms.
So we recently did a
blog on the Ov3r_Stealer malware. It's another InfoStealer that was being spread through Facebook.
And it's designed just like any other InfoStealer where it's taking cached credentials,
it's looking at crypto wallets, things of that nature, but it's also looking for
Facebook account credentials,
business account credentials. So what it does then is it will steal your Facebook business
account credentials and then use any advertising dollars you have in that business account to then
further spread more of itself, right? Spread more malware.
Our thanks to Shawn Kanady from Trustwave SpiderLabs for joining us.
The research is titled,
Pronsis Loader, a JPHP-driven malware.
We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver
the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share
a rating and review in your favorite
podcast app. Please also fill
out the survey in the show notes or send an
email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector, from the Fortune 500
to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy
for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.