A previously undocumented .NET loader that downloads, decrypts, and executes a wide range of malicious payloads was identified during routine threat hunting.
Multiple threat actors distributed this new loader widely in early June 2023 through the following mediums:-
Researchers at Sekoia.io identified the new .NET loader and named it “CustomerLoader,” after the term “customer” that appears in its command-and-control (C2) communications and its role as a loader.
CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families, including:-
In March 2023, Check Point publicly documented dotRunpeX as a .NET injector equipped with multiple anti-analysis techniques.
CustomerLoader is very likely tied to an as-yet-undisclosed Loader-as-a-Service offering.
Alternatively, the dotRunpeX developer may have added CustomerLoader as a stage that runs before the injector itself.
CustomerLoader samples employ multiple code obfuscation techniques and disguise themselves as legitimate applications. The obfuscation slows analysis rather than preventing it and is most likely produced by readily available .NET obfuscation tools.
Numerous such tools, usable even by non-experts, are catalogued in the NotPrab/.NET-Obfuscator GitHub repository.
CustomerLoader obfuscates its strings with AES in ECB mode, and the decryption key is stored in plaintext within the PE. Because the key can be lifted from the file and ECB uses no IV, every encrypted string can be decrypted offline once the key is located; ECB also leaks which strings share identical 16-byte blocks.
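The following PowerShell is an added illustration, not CustomerLoader's own code or anything from the Sekoia.io analysis. It shows what the plaintext-key, ECB-mode design means in practice: once an analyst reads the key bytes out of the image, the same .NET AES API the loader relies on decrypts every embedded string. The "PE" byte array, the key offset (0x40), and the sample strings are constructed for the demo; the encryptor exists only to produce blobs to decrypt.

```powershell
# Added illustration, not CustomerLoader's code: decrypting AES-ECB strings
# once the cleartext key is lifted from the PE. The "PE" bytes, key offset,
# and sample strings below are constructed for the demo.

function New-AesEcb {
    param([byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # no IV, block by block
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $Key
    return $aes
}

function Protect-String {
    # Demo-only encryptor that produces the Base64 blobs a .NET loader would embed.
    param([byte[]]$Key, [string]$Plaintext)
    $aes = New-AesEcb -Key $Key
    $pt  = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    return [Convert]::ToBase64String($ct)
}

function Unprotect-String {
    # The recovery step an analyst runs: key + blob -> cleartext string.
    param([byte[]]$Key, [string]$Base64)
    $aes = New-AesEcb -Key $Key
    $ct  = [Convert]::FromBase64String($Base64)
    $pt  = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    return [System.Text.Encoding]::UTF8.GetString($pt)
}

# Constructed stand-in for the PE image: 256 bytes of filler with the key sitting
# in cleartext at an offset assumed to have been found in the disassembly.
[byte[]]$fakePe = 0..255
$keyOffset      = 0x40
[byte[]]$key    = $fakePe[$keyOffset..($keyOffset + 15)]   # 16 bytes -> AES-128

# Constructed strings of the kind a loader hides (a C2 path, an API name).
$blobs = @(
    (Protect-String -Key $key -Plaintext 'http://c2.example.invalid/customer/42'),
    (Protect-String -Key $key -Plaintext 'AmsiScanBuffer')
)
foreach ($b in $blobs) { Unprotect-String -Key $key -Base64 $b }

# ECB leak: compare the ciphertext of two identical 16-byte plaintext blocks.
$ct = [Convert]::FromBase64String((Protect-String -Key $key -Plaintext ('A' * 32)))
[BitConverter]::ToString([byte[]]$ct[0..15]) -eq [BitConverter]::ToString([byte[]]$ct[16..31])
```

The last comparison evaluates to True: with ECB, equal plaintext blocks always give equal ciphertext blocks, which is why repeated 16-byte runs in a sample's encrypted strings are themselves a tell even before the key is found. For a real sample, replace the constructed `$fakePe` with the bytes of the file and `$keyOffset` with the location where the disassembly shows the key being passed to the AES object.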
CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll so that it reports AMSI_RESULT_CLEAN. Because AMSI-integrated antivirus engines then never see the scanned buffer as malicious, the loader can run its payloads in memory unscanned.
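From the defender's side, the in-memory patch is also the thing to look for. The PowerShell below is an added illustration, not part of the article or the Sekoia.io report: it reads the first bytes of AmsiScanBuffer as loaded in the current process and checks them against generic, well-known patch shapes (an immediate `ret`, a `jmp` hook, a forced `mov eax, imm32; ret`, an `xor eax,eax; ret`). The article does not list the exact bytes CustomerLoader writes, so none of these patterns are claimed to be its; the `AmsiProbe` P/Invoke class and the function names are this example's own.

```powershell
# Added illustration, not from the Sekoia.io analysis: does AmsiScanBuffer in the
# current process still start with its normal prologue, or has it been overwritten?
# The patch shapes checked are generic, well-known ones; the article does not list
# the exact bytes CustomerLoader writes, so none are claimed to be its.

if (-not ('AmsiProbe' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AmsiProbe {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr LoadLibrary(string lpFileName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
"@
}

function Get-AmsiScanBufferPrologue {
    # Reads the first $Count bytes of the exported function as it sits in memory.
    param([int]$Count = 8)
    $h = [AmsiProbe]::LoadLibrary('amsi.dll')
    if ($h -eq [IntPtr]::Zero) { throw 'amsi.dll could not be loaded' }
    $p = [AmsiProbe]::GetProcAddress($h, 'AmsiScanBuffer')
    if ($p -eq [IntPtr]::Zero) { throw 'AmsiScanBuffer export not found' }
    $buf = New-Object byte[] $Count
    [System.Runtime.InteropServices.Marshal]::Copy($p, $buf, 0, $Count)
    return $buf
}

function Test-AmsiScanBufferPatched {
    # Returns a description of the patch shape found at the entry point, or $null.
    param([byte[]]$Bytes)
    $hex = [BitConverter]::ToString($Bytes)
    if ($Bytes[0] -eq 0xC3) { return "ret at entry ($hex)" }
    if ($Bytes[0] -eq 0xE9) { return "jmp rel32 at entry, inline hook ($hex)" }
    if ($Bytes[0] -eq 0xB8 -and $Bytes[5] -eq 0xC3) { return "mov eax, imm32; ret, forced return value ($hex)" }
    if ($hex -like '31-C0-C3*' -or $hex -like '33-C0-C3*') { return "xor eax,eax; ret ($hex)" }
    return $null
}

$prologue = Get-AmsiScanBufferPrologue
$verdict  = Test-AmsiScanBufferPatched -Bytes $prologue
if ($verdict) { "AmsiScanBuffer looks patched: $verdict" }
else          { "no known patch shape at entry: " + [BitConverter]::ToString($prologue) }
```

This is a heuristic, not a guarantee: a patch placed a few bytes past the entry point, or a shape not in the list, will not be flagged. A more robust check compares the in-memory bytes with the same function's bytes in the amsi.dll on disk, and an EDR can watch for writes to the executable pages of amsi.dll directly. Run it from a fresh PowerShell session, since PowerShell is itself an AMSI client and an already-compromised session is exactly what the patch targets.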
The loader executes the customer's payload in the following steps:-
The reflection code is obfuscated by shuffling its methods, and .NET functions are loaded through the following function:-
CustomerLoader samples retrieve the encrypted payloads from their C2 server; each payload is tied to a unique customer ID and is hosted at:-
Between 31 May and 20 June 2023, CustomerLoader samples communicated directly with the C2 server at IP 5.42.94[.]169 over HTTP. On 20 June 2023 the C2 moved to the domain kyliansuperm92139124[.]sbs over HTTPS, fronted by Cloudflare.
The domain acts as a reverse proxy while the backend server remains 5.42.94[.]169. According to Sekoia.io analysts, this change likely aims to evade network detections and hinder researchers' analysis.
CustomerLoader distributes the following malware families, each associated with a distinct number of unique botnets:-
Even without advanced techniques, CustomerLoader combined with the dotRunpeX injector raises compromise rates by lowering the detection rate of the final payload.