ModernLoader Used by hackers to Infect Systems with Stealers and Cryptominers
Reading Time: 2 minutes

Hackers using MordernLoader malware along with other malwares such as RedLine Stealer, and cryptocurrency miners on compromised systems between March and Jun 2022.

Cisco Talos researcher Vanja Svajcer said in a report, “The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations.” 

ModernLoader provides attackers remote access to victims’ machines and enables them to deploy additional malware, steal sensitive information, or even ensnare the computer in a botnet.

According to Cisco Talos the infections were previously undocumented though Russian-speaking threat actor, were able to cite the use of off-the-shelf tools.Eastern European users in Bulgaria, Poland, Hungary, and Russia were their potential targets.

Cybersecurity first discovered infection chains that attempted to compromise vulnerable web applications such as WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

During the initial stage a HTML Application (HTA) file runs a PowerShell script hosted on the command-and-control (C2) server. This initiates the deployment of intertim payloads and finally injects the malware using a technique called process hollowing.

ModernLoader (aka Avatar bot) is a simple .NET remote access trojan, equipped with features to gather system information, execute arbitrary commands, or download and run a file from the C2 server. This enables the adversary to alter the modules in real-time.

Investigation carried out by Cisco suggest two earlier campaigns in March 2022 with similar modus operandi that leverage ModerLoader as the primary malware C2 communications and serve additional malware. This included XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others.

Svajcer said, “These campaigns portray an actor experimenting with different technology. The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign but their technical skills are not developed enough to fully develop their own tools.”

Related Articles:
Twilio Breach Compromised Authy Two-Factor Accounts of Some Users
Interpol Says We Can’t Arrest Our Way out of Cybercrime
Critical VMware RCE flaw Exploited by Hackers to Install Backdoors