Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads

An unrecorded .NET Loader was identified during routine threat hunting that downloads, decrypts, and executes a wide range of malicious payloads. 

Multiple threat actors extensively distributed this new loader in early June 2023 through the following mediums:-

• Malicious phishing emails
• Deceptive YouTube videos
• Fake web pages mimicking legitimate websites

The cybersecurity researchers at Sekoia identified this new .NET loader and named this newly discovered loader malware “CustomerLoader.”

Security analysts appointed this name due to its Command and Control (C2) communications containing the term “customer” and its loading functionalities.

.NET Loader to Deliver Payloads

CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families like:-

• Infostealers
• Remote Access Trojans (RAT)
• Commodity ransomware

In March 2023, the security experts at Checkpoint publicly documented dotRunpeX as a .NET injector that is equipped with multiple anti-analysis techniques.

The association between CustomerLoader and an undisclosed Loader-as-a-Service is highly probable.

The dotRunpeX developer may have added CustomerLoader as a stage before the injector is executed.

CustomerLoader samples employ multiple code obfuscation techniques, disguising themselves as legitimate apps. This slows down and extends the analysis, likely due to easy-to-use .NET code obfuscation tools. 

However, there are numerous such tools that are accessible via NotPrab/.NET-Obfuscator GitHub repository, even for non-experts as well.

CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.

CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll, returning AMSI_RESULT_CLEAN to bypass antivirus. This marks the buffer as clean and permits the safe execution of malicious payloads.

The loader executes the customer payload following this process:-

• From an embedded URL, an HTML page is downloaded by the CustomerLoader.
• An encoded base64 string is extracted using regex: “/!!!(.*?)!!!/”
• Then the base64 string is decoded and decrypted by it.
• Then the payload is executed in memory using the reflective code technique.

The method of code reflection is obfuscated by shuffling, enabling the loading of .NET functions using the following function:-

• NewLateBinding.LateGet

The encrypted payloads are retrieved by the CustomerLoader samples from their C2 server, with each payload linked to a unique customer ID that is hosted at:- 

• hxxp://$C2/customer/$ID

The CustomerLoader samples were directly connected to C2 server IP 5.42.94[.]169 via HTTP between  31 May and 20 June 2023. While the C2 server switched to the domain kyliansuperm92139124[.]sbs and HTTPS, protected by Cloudflare on 20 June 2023.

The domain acts as a proxy, while the backend server remains 5.42.94[.]169. This C2 server changes likely aims to evade network detections and hinder security researchers’ analysis, according to Sekoia.io analysts.

Malware Families Distributed

Here below we have mentioned all the malware families that are distributed by CustomerLoader:-

• Redline
• Formbook
• Vidar
• Stealc
• Raccoon
• Lumma
• StormKitty
• AgentTesla
• DarkCloud
• Kraken Keylogger
• AsyncRAT
• Quasar
• Remcos
• XWorm
• njRAT
• WarzoneRAT
• BitRAT
• NanoCore
• SectopRAT
• LgoogLoader
• Amadey
• Variant of WannaCry
• TZW ransomware

CustomerLoader distributes the following malware families, each associated with a distinct number of unique botnets:-

• Redline: over 80 botnets
• Quasar: 45 botnets
• Vidar: 9 botnets
• Remcos: 6 botnets
• Stealc: 4 botnets
• Formbook: 4 botnets

CustomerLoader, when combined with the dotRunpeX injector, enhances compromise rates by reducing the detection of the final payload, despite lacking advanced techniques.

IoCs

• hxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z: Payload delivery URL
• d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9: Archive
• 3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82: CustomerLoader payload
• hxxp://5.42.94[.]169/customer/735: CustomerLoader’s C2 URL
• hxxps://telegra[.]ph/Full-Version-06-03-2: Malicious redirection webpage
• hxxps://tinyurl[.]com/bdz2uchr: Shortened URL redirecting to the payload delivery URL
• hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file: Payload delivery URLs
• hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file: Payload delivery URLs
• 65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f: Archive
• 7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc: Archive
• c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6: CustomerLoader payload
• hxxp://5.42.94[.]169/customer/770: CustomerLoader’s C2 URL
• 45.9.74[.]99: Raccoon stealer’s C2
• 5.42.65[.]69: Raccoon stealer’s C2
• hxxps://slackmessenger[.]site/: Malicious webpage impersonating Slack website
• hxxps://slackmessenger[.]pw/slack.zip: Payload delivery
• 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6: Archive
• b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca: CustomerLoader payload
• hxxp://5.42.94[.]169/customer/798: CustomerLoader’s C2 URL
• missunno[.]com:80: Redline stealer’s C2