Malware Loaders Continue to Evolve, Proliferate

Loaders, for the most part, have one job: grab malicious executables or payloads from an attacker-controlled server. But that doesn’t mean there isn’t more happening under the hood of some, such as a user-friendly UI, self-healing capabilities, or the equivalent of a retail shop where a botmaster can sell his bots to potential clients.

Loaders are essentially basic remote access Trojans that give an attacker the ability to remotely interact with and control a compromised computer, or bot. While traditionally lightweight (smaller than 50 KB in size) in order to bypass detection by antivirus and other security monitoring technology, loaders evolve, and their viability to cybercriminals remains.

Two relatively new loaders, Aurora and Kardon, may be an indication of what kinds of features criminals are trying to incorporate into these bits of malicious code. These new loaders have been advertised on lower-tier Russian-language forums since March and May respectively—most loaders start out on lower-tier Russian forums before they pop up on more elite English-speaking forums—and are more complex than the simpler loaders that are generally preferred by buyers.

Aurora is making buyers take notice, not only because it is advertised as fully undetectable, but also because it allows the creation of resilient botnets by using a system of self-healing bots. Once executed, the loader instructs bots to create three branches of independent botnets, and down the road if it detects that one branch has been compromised, it will self-heal from the other two and spread the loaders to new victims, creating a new botnet. This makes takedowns challenging.

Aurora also comes with relatively standard features for a loader. Aurora’s capabilities including a control panel, the ability to classify victims based on location, the ability to attach multiple files to the initial loader as well as files from the seller and customers’ servers. It can also execute commands from the victim’s command terminal and report back system information to the attacker, or self-delete if detected.

Kardon, meanwhile, arrives on compromised computers with a fully integrated botshop, which is a simple platform that can be used to sell access to bots from the attacker’s botnet to other threat actors. Unlike other feature-heavy loaders that are usually flamed on underground forums because they increase the risk for detection, Aurora and Kardon are garnering some interest, including mentions about Kardon on top-tier forums.

Loaders are generally the first-stage in a compromise, and are spread through a variety of common vectors, including email or drive-by downloads. Unlike their cousins, the dropper, loaders don’t come pre-installed with payloads, and instead they download them from a remote URL. Updates and new features generally come in the early stages of a loader’s development. In some cases, the source code for a particular loader may be publicly leaked and several variants begin popping up on different forums.

These updates are long way from Smoke Loader, which has been distributed since 2011 and it too has been updated and patched numerous times since. Smoke Loader is still used today, and analysts are aware of its use in multiple botnet attacks and infections. As such, this loader serves as an example of a successful loader life cycle. Initially, there were two versions of Smoke, one a resident loader that came attached with a malicious payload, and a non-resident version that allowed a threat actor to remotely upload additional payloads.

It immediately gained favor on forums for its size and ability to bypass antivirus and firewall detection. Within months it was advertised on top-tier Russian- and English-speaking forums where sellers and buyers vouched for its capabilities. Smoke’s progression also changed threat actors’ behavior patterns in the later stages of the loader’s development to the point where they eventually begin to purchase entire botnets, as opposed to acquiring just one bot and spreading the loader themselves. Successful loaders can also become integrated into exploit kits; Smoke, for example, was part of the Rig exploit kit for some time. Some key arrests, however, have stalled the activity around a number of major exploit kits.

Flashpoint analysts believe new loaders such as Aurora and Kardon will travel a similar path as Smoke Loader, beginning on lower-tier forums before reaching the top tier. As the loaders grow in popularity, based on the prior history of loader development and implementation, Flashpoint analysts assess with high confidence that they will likely receive upgrades and new features that keep them relevant in the cybercriminal underground.