
The JPHP loader breaking away from the pack.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's, "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Shawn Kanady: Storing your credentials in your browser is generally a bad idea. It's super convenient, you know, save my password, but this is exactly the type of thing that these stealers are going to grab. And over time, they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and -- and escalate that attack further.
Dave Bittner: That's Shawn Kanady, Global Director of Trustwave SpiderLabs. The research we're discussing today is titled, "Pronsis Loader: A JPHP-Driven Malware." [ Music ]
Shawn Kanady: How we stumbled across this loader malware was that our cyber threat intelligence team works with our threat hunters, and we were running a threat hunt campaign against the Latrodectus loader malware. And during that threat hunt campaign, our threat intelligence team was monitoring VirusTotal to find any submissions of Latrodectus. So oftentimes, companies, or just anyone really, will be uploading files to VirusTotal for scans or things like that. And we were looking for Latrodectus. And in doing so, we found another loader that was installing Latrodectus. So, what you have here is an example of a loader malware known as Pronsis installing another loader malware known as Latrodectus.
Dave Bittner: Wow. So, give us an overview here of what exactly Pronsis Loader is and -- and how it operates.
Shawn Kanady: Sure. So, Pronsis Loader is -- is yet another loader. There are many like them. Loader malwares in general are really designed to connect to a remote location that is -- that is controlled by a threat actor to download additional malware. So, it's really designed to -- it's really lightweight and it will reach out, pull down additional malware, generally in the form of a zip file or something else. And that payload that it's downloading could be anything from either another loader malware, or it could be an info stealer, anything that the threat actor is running as a campaign.
Dave Bittner: So, what prompted you all to classify Pronsis Loader as a distinct malware variant?
Shawn Kanady: That's a really good question. So, it's a distinct malware variant in that we hadn't seen it before. There are many loaders just like this one. This one is unique in its usage of JPHP, which is a Java implementation of PHP. There have been others that have used JPHP. It's not common. We've seen where IceRat, the Remote Access Trojan, was using JPHP. And so, as we were looking at the -- again, we're looking for loaders of Latrodectus malware. When we found this Pronsis Loader, we also saw another one called D3F@ck Loader, and they both use JPHP. Interestingly, the D3F@ck Loader is probably part of this same threat actor group of tools. And the reason I say that is because the coding behind it is very similar. And so, we saw D3F@ck Loader, its earliest variant, in January of 2024. And as we were looking through different variants with similar infrastructure, code infrastructure I should say, we saw that the Pronsis Loader was earlier, in November 2023. So, NSIS is known as Nullsoft Scriptable Install System. So, this is how the threat actors are crafting this binary. The D3F@ck Loader uses Inno Setup. So, it's just a different type of binary creation system. So, there's differences there. The other difference is Pronsis Loader doesn't use any SSL certificates. Generally, when you see malware, they may have certificates to evade detections or to look legitimate. The Pronsis Loader does not have that, whereas the D3F@ck Loader does have it. So, you can see where the threat actor is maybe making their malware a little bit stronger as far as defense evasion goes. And beyond that, there's a password that is used in the D3F@ck Loader. So, when it's unpacking, there's a -- there's a hard-coded password that is used when they're setting it up in the Inno Setup program, whereas the Pronsis Loader does not have a password. So, a little bit different, but -- but very similar.
So again, the code is very similar to each other, but the D3F@ck Loader is probably a little bit more sophisticated in terms of defense evasion.
Dave Bittner: Where do you suppose Pronsis Loader stands when it comes to its general obfuscation techniques when you compare it to some of the other loaders you've seen?
Shawn Kanady: This is probably where I'm a little bit cynical. As far as obfuscation techniques, it's -- I wouldn't say that it's more sophisticated than others, really. A lot of these loaders are meant to be very lightweight, and so the obfuscation techniques are -- are limited in what you can do there.
Dave Bittner: So, in terms of the payloads, I mean you mentioned Latrodectus, are there other payloads that you've seen Pronsis Loader delivering?
Shawn Kanady: Yes. So, there's -- there's a big campaign that we've seen with Lumma Stealer. So -- so we have seen the Latrodectus, obviously. I've mentioned that it's another loader malware, but we're also seeing Lumma Stealer, and Lumma Stealer has made its way into the news recently, and we've seen major campaigns involving Lumma Stealer. And Lumma Stealer, for those not in the know, is an info stealing malware. Again, with -- with these loaders and info stealers, it's -- it's -- it's a part of a bigger operation generally. So, we'll see loader malware being used to drop info stealer malware, and that info stealer malware is generally part of a malware as a service campaign. So, threat actors can take that info stealing malware and get a lot of information from -- from different -- from users, from their browser credentials, crypto wallets, you name it, whatever they're looking to steal at the time, gathering a lot of information and then potentially using that information to do social engineering or logging into companies. One of the big targets would be like SSO credentials, so Single Sign-On credentials. They could leverage that to log into cloud apps and things of that nature, bypassing multi-factor authentication. So, that -- those are big prime targets for info stealer malware. [ Music ]
Dave Bittner: We'll be right back. [ Music ] Is there anything noteworthy with Pronsis Loader in terms of -- of how it handles persistence? You know, once it's on a machine, anything unusual or noteworthy there?
Shawn Kanady: From a persistence mechanism, not really, I wouldn't say so. A lot of these loader malwares are designed to reach out, grab whatever they're trying to load, and then just exit. Sometimes there's persistence mechanisms from like an AutoStart perspective. In some cases though, in a lot of cases actually, they'll load additional loader malware, such as the Latrodectus malware I mentioned before. And that loader malware will have additional capabilities where it will establish persistence mechanisms. It will do things such as it will run a PowerShell script to exclude the directory it's installed in from -- from -- from scans, things of that nature.
Dave Bittner: So, it can be kind of a -- a cascading nature here of -- of one handing off to the next?
Shawn Kanady: Exactly. Yes.
Dave Bittner: Yes. How widespread do you suppose this is? Do you -- do you have any sense for how far and wide this is being spread?
Shawn Kanady: I would say it's massive. It's hard to put numbers around these things because of the loader malwares out there. There's many of them, there's hundreds of them really. The ecosystem for them is -- is -- is crazy as far as like the dark markets go. So, they're widespread. And very cheap to -- they're very cheap to deploy from a -- from a cost perspective for threat actors. And so, there's any number of ways that this loader malware can find its way onto your system. Typical ways, you know, phishing of course, but there's also drive-by downloads or, you know, sidecar installations where you're looking to download some free software. You may get that free software, but you get a little extra with it, and it would be like the loader malware. And actually, we're seeing a lot of installations via -- using social engineering to -- to distribute the malware. That's -- that's pretty famous right now. So, all over on Facebook, you're going to see malvertising and you'll click the link. It could be anything. It could be anything from a job posting, so, "Click here to -- to submit your application to this job," and that will then bring you in a loader malware and then down the chain, right? So, loader malware comes, it downloads a payload like Latrodectus or some info stealer. The next thing you know, your credentials are being stolen and sold on the dark market.
Dave Bittner: So, what are your recommendations then? I mean, how -- how should organizations best protect themselves here?
Shawn Kanady: Well, this is where it gets, you know, I think awareness is key. A lot of times, you know, the ransomware, the ransomware breaches get a lot of media play. And so, unfortunately that's the end payload or that's the end game for a lot of this, right? And so, having an understanding of what may come before that, or "left of boom" as they say, is -- is really important. You know, we're getting into a situation where a lot of times, you know, especially with cloud apps or just remote work from home, you know, we think about protecting our corporate assets with EDR tools, which will -- which will help. Those definitely help. But what happens when your end users are using their personal assets to then log into your Office 365 or, you know, sharing with the kids at home who are, you know, downloading things? So, it gets extremely difficult. So, having an awareness of the whole ecosystem of how it all works, from loader malware to info stealers, things like -- and really like info stealers are a big one. There's a huge market for the logs that info stealers present to threat actors. So, things like storing your credentials in your browser is generally a bad idea. It's super convenient, you know, "Save My Password." But this is exactly the type of thing that these stealers are going to grab. And over time, they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and -- and escalate that attack chain further.
Dave Bittner: Yes, I mean, it's really a story of constant vigilance, I suppose. I mean, that's the -- that's where we find ourselves, right?
Shawn Kanady: Yes, it really is. You know, the threat actors are moving a lot faster now. So, with, you know, AI and things of that nature, social engineering is faster, quicker, more efficient. So, staying vigilant, one step ahead, continual security awareness, even though we know that, you know, it's -- it's easy to dupe people into clicking the link or downloading the attachment. But I think from a corporation standpoint, or for any given company, just having an understanding of the whole picture, of the whole economy of malware as a service, how it all works and how you end up with potentially ransomware, which is what is top of mind for -- for most companies: "I don't want to get the ransomware. How do we protect against ransomware?" But if we can move, you know, further left in the kill chain and look at info stealers and Remote Access Trojans and these things, that will help mitigate most of your ransomware attacks, because the ransomware doesn't just end up on the system.
Dave Bittner: Yes, it has to come from somewhere.
Shawn Kanady: Exactly. And so, there's -- there's a whole chain and a lot of times it -- it could be even multiple threat actors, right? So, you'll have threat actors who are designing these loader malwares and then other threat actors that are renting that service to run their campaign, which may be info stealing malware, right? And so, then --
Dave Bittner: Yes.
Shawn Kanady: -- that -- that information from the info stealing malware is then sold to other threat actors who may use that information to then log into the company environment and deploy their ransomware or other malware.
Dave Bittner: It's interesting to me, I mean as you look at this as a part of the larger ecosystem and you're looking forward at trends, like where are we headed? You know, what -- what does this tell us about the broader overall trends of things? You know, who's selling what and who's buying what and how are they coming after people? Do you have any insights there of -- of like you know, where you think -- does this inform where we think we may be headed?
Shawn Kanady: In terms of just the who and what of who's behind it?
Dave Bittner: Well, the activity that you all are tracking, and this is a piece of the puzzle, you know, and sometimes you see that certain techniques are on the rise, or certain things are on decline. And as -- as you say, you know, the -- these threat actors, they're moving at a faster velocity, and they're constantly changing. Is this the shape of things to come, this, you know, as we talked about these cascading use of loaders? Is this here to stay and what are your insights there?
Shawn Kanady: Yes, I think loader -- I mean loaders have been around forever and so have info stealers, and they're not going to go away. I think the speed at which they are being distributed is increasing exponentially, I would say for two reasons. One, social engineering is getting easier for threat actors given AI. Like, that -- that's really helping. Two, social media, because a lot of this malware is distributed via social media and we are seeing that trending lately, which is really interesting because until -- until we start looking at how the social media platforms are protecting consumers of that platform, I think that'll continually grow and escalate. You know, there -- we certainly -- the World Wide Web of things is growing crazy, right? So, like there's just a lot of junk in -- on the Internet these days. The Internet's broken, but with social media platforms, all of them, right, they -- they're being used by the threat actors, and it's almost -- it's -- it's a little scary to think about in that the -- the -- the companies behind those platforms aren't able to keep up with it, I don't think. We're seeing a lot of infection chains within those platforms. So, we recently did a blog on the Ov3r_Stealer malware. It's another info stealer that was being spread through Facebook, and it -- it's designed just like any other info stealer where it's -- it's taking cached credentials, it's looking at crypto wallets, things of that nature, but it's also looking for Facebook account credentials, business account credentials. So, what it does then is it will -- it will steal your Facebook business account credentials and then use any advertising dollars you have in that business account to then further spread more of itself, right? Spread more malware. [ Music ]
Dave Bittner: Our thanks to Shawn Kanady from Trustwave SpiderLabs for joining us. The research is titled, "Pronsis Loader: A JPHP-Driven Malware." We'll have a link in the Show Notes. And that's "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an e-mail to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our Executive Producer is Jennifer Eiben. Our Executive Editor is Brandon Karpf. Simone Petrella is our President. Peter Kilpe is our Publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
