Security researchers have started seeing attack campaigns that use a relatively new malware-as-a-service (MaaS) tool called AresLoader. The malicious program appears to be developed and used by several members of a pro-Russia hacktivist group and is typically distributed inside decoy installers for legitimate software.
Security researchers from threat intelligence firm Intel 471 first spotted AresLoader in November when it was advertised by a user with the monikers AiD Lock and DarkBLUP on Telegram and two well-known underground forums. AiD Lock is not a newcomer to malware development and was previously associated with the AiD Locker ransomware-as-a-service (RaaS) program as well as with a group called PHANTOM DEV or DeadXInject Hack.
The PHANTOM DEV group itself was involved in hacktivist activities last year and claimed to be affiliated with a larger pro-Russia hacktivist group known as the Red Hackers Alliance Russia (RHA R). In general, hacktivists are driven by ideology or nationalism, whereas the majority of cybercriminals are motivated by financial gain and prefer to remain apolitical, treating their malicious activities as purely business.
However, since the war in Ukraine started we've seen examples of traditional cybercriminal groups taking sides, a noteworthy example being the now defunct Conti ransomware gang which threatened to launch attacks against Western critical infrastructure in support of Russia. Both Russia and Ukraine have traditionally been cybercrime hotspots, so it's not surprising that some hackers will step up to support their governments when their countries are engaged in a military conflict.
"Evidence suggests multiple members of this group [Red Hackers Alliance Russia] are either users or administrators of the AresLoader MaaS," the Intel 471 analysts said in a new report. "The shift in tactics, techniques and procedures (TTPs) of these groups to align more closely with cybercriminals, while supporting nation-state political objectives, continues to be observed more frequently."
The potential targets for Russian hacktivists extend beyond Ukraine, to the Western governments providing financial and military aid to the country, so organisations in the West should have detection capabilities in place for any tools these groups use, including AresLoader now.
Multiple AresLoader campaigns observed
Malware loaders are a category of Trojan applications with basic capabilities that are generally used as first-stage payloads in attacks to give attackers remote access to systems and the ability to deploy additional payloads. Such Trojans are available on the underground market as a service, where the buyer pays a monthly fee and receives customised variants of the malware.
AresLoader is advertised for $300 per month, a subscription that includes five custom builds. The service also offers an optional "binder" feature where a legitimate application can be bundled together with the trojan to create a mock installer. When executed, the mock installer will launch the installer for the legitimate application, as well as a .bat script via the Windows command line (cmd.exe).
The .bat script contains three PowerShell commands that perform different tasks. The first one adds the entire C:\ partition to the Windows Defender exclusion list, the second one downloads a malicious payload as a .dll file from a remote URL, and the third command fetches and executes another .bat script that launches the .dll payload via the system's rundll32.exe.
Once deployed on a system, AresLoader checks if it has administrator privileges. If it doesn't it attempts to elevate its privileges using the Windows ShellExecuteA application programming interface (API) and the “runas” command. Then it creates a scheduled task for persistence to ensure that it's executed at reboot, as well as a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The Trojan has basic download and execute capabilities that are used to deploy additional payloads.
"Not many instances of AresLoader have been discovered in the wild at present, but the loader MaaS does appear to have a few 'customers,'" the Intel 471 researchers said. Payloads Intel 471 and other researchers have observed thus far include:
- SystemBC, a back door and socket secure internet protocol (SOCKS) proxy tunnel
- Lumma Stealer, a popular stealer MaaS
- StealC, a new stealer MaaS that offers a configurable targeting system
- Aurora Stealer, a stealer MaaS written in the Golang programming language
- Laplas clipper, a cryptocurrency clipper written in .NET and Golang
Intel 471 has observed two attack campaigns so far in which AresLoader was used. One was in January and involved AresLoader being deployed by other malware programs instead of being distributed as a rogue installer. In that campaign, attackers used existing deployments of the SystemBC backdoor and the Amadey Trojan, both of which operate as botnets, to install AresLoader. The attackers then proceeded to deploy the Laplas clipper and cryptocurrency mining malware.
Another campaign was observed and reported by malware researchers Roberto Martinez and Taisiia Garkava. That campaign used the binder feature on the AresLoader control panel to generate rogue installers for legitimate applications that deployed the Raccoon Stealer malware which in turn installed the AresLoader trojan. The trojan was then used to deploy additional payloads, including StealC and SystemBC.
The legitimate applications for which AresLoader rogue installers were discovered on VirusTotal include Revo Uninstaller Pro, Wise Care 365, CCleaner Pro, Bandicam Screen Recorder, Freemake Video Converter and Outbyte Driver Updater.
Intel 471 recommends that organisations monitor for scheduled tasks created from bat or cmd files, monitor for changes to the Windows Defender exception list, enforce the evaluation of code signing for .exe files and MSI installers to detect tampering and rogue installers and turn on logging for PowerShell. The company's report also contains indicators of compromise and MITRE ATTCK Framework TTPs associated with the AresLoader campaigns seen so far.