Sekoia identified a previously undocumented .NET loader, dubbed CustomerLoader, that retrieves, decrypts, and executes follow-on payloads. Beginning in early June, numerous threat actors distributed the loader through phishing emails, YouTube videos, and web pages impersonating legitimate websites.
The malware was named CustomerLoader because the string "customer" appears in its C2 communications and in its payload-loading routines.
Diving into details
Using CustomerLoader, criminals can deliver a wide range of malware families, including infostealers, RATs, and commodity ransomware.
The payloads are delivered as dotRunpeX samples; dotRunpeX is a .NET injector that applies several anti-analysis techniques.
Based on its analysis, Sekoia assesses it as highly likely that CustomerLoader is tied to a Loader-as-a-Service offering, although the specific service has not been identified.
It is plausible that the developer of dotRunpeX added CustomerLoader as a new stage that runs before the dotRunpeX injector.
Details of subsequent payloads
The researchers observed more than 40 known malware families distributed by CustomerLoader.
They also identified botnets linked to several of the malware families distributed through CustomerLoader. Below are the counts of unique botnets associated with each family:
Redline: more than 80 botnets
Quasar: 45 botnets
Vidar: 9 botnets
Remcos: 6 botnets
Stealc: 4 botnets
Formbook: 4 botnets
The bottom line
Although CustomerLoader does not employ advanced techniques on its own, combining it with the dotRunpeX injector lowers the detection rate of the final payload and thereby raises the attackers' chances of a successful compromise. The number and diversity of malware families loaded by CustomerLoader during the first half of June point to a widespread threat.