Summary: ManticoraLoader is a newly observed malware-as-a-service (MaaS) being distributed by the threat actor DarkBLUP, known for previous malware like AresLoader and AiDLocker. This versatile malware employs advanced stealth techniques and is designed for extensive data gathering from infected systems, making it a potent tool for cybercriminal operations.
Threat Actor: DarkBLUP
Victim: Various targets
Key Points:
- ManticoraLoader is compatible with Windows 7 and later, allowing it to target a wide range of systems.
- The malware gathers extensive information from infected devices, aiding in tailored attacks.
- It features sophisticated obfuscation techniques, achieving a detection rate of 0/39 on Kleenscan.
- The loader can maintain persistence by placing files in auto-start locations on compromised systems.
- DarkBLUP limits its client base to 10, offering the service for a monthly rental fee of $500 to monetize its operations.
- The group appears to be expanding its arsenal while still utilizing AresLoader, indicating a strategy to diversify malicious offerings.
ManticoraLoader, a new malware-as-a-service (MaaS), was observed on the cybercriminal XSS forum being distributed by ‘DarkBLUP,’ an alias that was previously used to distribute malware from the DeadXInject group such as the still-active AresLoader malware and the AiDLocker ransomware.
The new malware variant has been offered by DeadXInject on its Telegram channel since around August 8, 2024.
ManticoraLoader Employs Stealth and Obfuscation
ManticoraLoader boasts an impressive array of features that make it a versatile and potent tool for cybercriminal operations. Researchers from CRIL (Cyble Research and Intelligence Labs) indicated that the malware is compatible with Windows 7 and later versions, including Windows Server, allowing it to target a wide range of systems still in use today.

One of its key features is a module designed to gather extensive information from infected devices, including IP address, username, system language, installed antivirus software, UUID, and date-time stamps. This detailed reconnaissance data is then transmitted back to a centralized control panel, enabling the threat actors to profile victims and tailor their attacks accordingly.

The loader’s modular design allows for easy extension of functionalities upon request, making it adaptable to various malicious objectives. ManticoraLoader also employs sophisticated obfuscation techniques to evade detection, with a reported detection rate of 0/39 on Kleenscan.
To further demonstrate its evasive capabilities, the actors posted a video showcasing the loader’s ability to bypass the 360 Total Security sandboxing solution.
The threat actors have also designed ManticoraLoader with persistence in mind: it can reportedly place files into auto-start locations, ensuring its continued presence on compromised systems.
The threat actors behind ManticoraLoader have implemented a strict transaction process, limiting the number of clients to 10 and offering the service through the forum’s escrow service or direct contact via Telegram or TOX. This exclusivity may be a strategic move to maintain control and reduce exposure.
The service is offered for a monthly rental fee of $500, indicating the threat actors’ intention to monetize their creation. This pricing model suggests that ManticoraLoader is not merely a one-off tool, but rather a carefully crafted MaaS designed to generate a steady stream of revenue for the cybercriminals.
AresLoader Persists
The researchers, however, are unclear why the threat actor DarkBLUP remained inactive for more than a year after its success with the AiDLocker ransomware and AresLoader. As AresLoader remains widely in use among cybercriminals, the researchers suggest that the group is not abandoning its previous project but rather expanding its arsenal to diversify its malicious offerings and increase monetization.
Source: https://thecyberexpress.com/researchers-link-manticoraloader-malware-ares