BunnyLoader 3.0 Detected With Advanced Keylogging Capabilities

BunnyLoader is a rapidly developing malware that can steal information, credentials, and cryptocurrencies while also delivering new malware to its victims.

Since its first detection in September 2023, the BunnyLoader malware as a service (MaaS) has regularly enhanced its features. 

According to Palo Alto Networks, the consistent improvements of tactics, techniques, and procedures (TTPs) such as infrastructure, packers, encryption, and exfiltration methods aid in the attacker’s ability to avoid detection. 

It also aims to impede cybersecurity researchers’ capacity to identify and evaluate the actions of threat actors. 

The threat actor responsible for BunnyLoader declared the release of BunnyLoader 3.0 on February 11, 2024, claiming that the malware has been “completely redesigned and enhanced by 90%.”

The threat actor asserts that BunnyLoader payloads have been improved to include:

  • Payloads/modules “completely rewritten for improved performance”
  • Reduced payload size
  • Advanced keylogging capabilities

Evolution Of BunnyLoader

BunnyLoader has developed at a quick pace. Version 1.0, marketed as a C/C++ loader malware and MaaS botnet on the dark web. 

The “Player” or “Player_Bunny” threat actor is the one responsible for this malware. The malware’s creator prohibits deploying it on Russian systems.

By September 2023’s end, BunnyLoader had a rapid retooling. BunnyLoader 2.0 was released by the author and seen in the wild by the end of September.

A “private” version of the malware was made available by the creator in October for $350. In contrast to the initial release, the creator concealed this private version and released frequent updates to circumvent antivirus protections. 

Specifics Of BunnyLoader 3.0

Senior threat intelligence researcher @RussianPanda9xx publicly shared the release of BunnyLoader 3.0 on X (Twitter).

BunnyLoader 3.0, the most recent version, employs a distinct directory structure on its C2 servers.

The actual malicious payload in BunnyLoader 3.0 is delivered by the threat actor using a dropper that is incorporated with the BunnyLoader malware and is sent via a CMD file.

X (formerly known as Twitter) post by threat intelligence researcher @RussianPanda

When downloading the BunnyLoader 3.0 modules, researchers discovered the following URL structure.

BunnyLoader 3.0 module URLs

Advanced KeyLogging Capabilities

“The BunnyLoader 3.0 keylogger records all keystrokes, saving them to log files in the %localappdata%\Temp folder.

Palo Alto Networks researchers shared with Cyber Security News that the keylogger also attempts to identify when the victim authenticates to sensitive applications or services.

BunnyLoader keylogger log file locations

Additionally, the BunnyLoader 3.0 stealer module operates independently, exfiltrated data directly into the C2 server, and stole passwords.

Using a particular communication routine, the BunnyLoader 3.0 clipper module occasionally checks in with the C2.

By providing the target with the name of a cryptocurrency wallet and the associated wallet address that the threat actor controls, the C2 triggers the clipper.

The BunnyLoader 3.0 DoS module uses a particular communication procedure to wait for commands from the C2.

The module can be instructed by the C2 to launch an HTTP flood attack using the GET or POST protocol against a given URL.

Hence, by revealing these changing strategies and the dynamic nature of the threat, users must be better equipped to strengthen their defenses and safeguard their assets.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *