Tuesday, November 12, 2024
HomeCyber Security NewsBunnyLoader 3.0 Detected With Advanced Keylogging Capabilities

BunnyLoader 3.0 Detected With Advanced Keylogging Capabilities

Published on

Malware protection

BunnyLoader is a rapidly developing malware that can steal information, credentials, and cryptocurrencies while also delivering new malware to its victims.

Since its first detection in September 2023, the BunnyLoader malware as a service (MaaS) has regularly enhanced its features. 

According to Palo Alto Networks, the consistent improvements of tactics, techniques, and procedures (TTPs) such as infrastructure, packers, encryption, and exfiltration methods aid in the attacker’s ability to avoid detection. 

- Advertisement - SIEM as a Service

It also aims to impede cybersecurity researchers’ capacity to identify and evaluate the actions of threat actors. 

The threat actor responsible for BunnyLoader declared the release of BunnyLoader 3.0 on February 11, 2024, claiming that the malware has been “completely redesigned and enhanced by 90%.”

The threat actor asserts that BunnyLoader payloads have been improved to include:

  • Payloads/modules “completely rewritten for improved performance”
  • Reduced payload size
  • Advanced keylogging capabilities

Evolution Of BunnyLoader

BunnyLoader has developed at a quick pace. Version 1.0, marketed as a C/C++ loader malware and MaaS botnet on the dark web. 

The “Player” or “Player_Bunny” threat actor is the one responsible for this malware. The malware’s creator prohibits deploying it on Russian systems.

By September 2023’s end, BunnyLoader had a rapid retooling. BunnyLoader 2.0 was released by the author and seen in the wild by the end of September.

A “private” version of the malware was made available by the creator in October for $350. In contrast to the initial release, the creator concealed this private version and released frequent updates to circumvent antivirus protections

Specifics Of BunnyLoader 3.0

Senior threat intelligence researcher @RussianPanda9xx publicly shared the release of BunnyLoader 3.0 on X (Twitter).

BunnyLoader 3.0, the most recent version, employs a distinct directory structure on its C2 servers.

The actual malicious payload in BunnyLoader 3.0 is delivered by the threat actor using a dropper that is incorporated with the BunnyLoader malware and is sent via a CMD file.

X (formerly known as Twitter) post by threat intelligence researcher @RussianPanda

When downloading the BunnyLoader 3.0 modules, researchers discovered the following URL structure.

BunnyLoader 3.0 module URLs

Advanced KeyLogging Capabilities

“The BunnyLoader 3.0 keylogger records all keystrokes, saving them to log files in the %localappdata%\Temp folder.

Palo Alto Networks researchers shared with Cyber Security News that the keylogger also attempts to identify when the victim authenticates to sensitive applications or services.

BunnyLoader keylogger log file locations

Additionally, the BunnyLoader 3.0 stealer module operates independently, exfiltrated data directly into the C2 server, and stole passwords.

Using a particular communication routine, the BunnyLoader 3.0 clipper module occasionally checks in with the C2.

By providing the target with the name of a cryptocurrency wallet and the associated wallet address that the threat actor controls, the C2 triggers the clipper.

The BunnyLoader 3.0 DoS module uses a particular communication procedure to wait for commands from the C2.

The module can be instructed by the C2 to launch an HTTP flood attack using the GET or POST protocol against a given URL.

Hence, by revealing these changing strategies and the dynamic nature of the threat, users must be better equipped to strengthen their defenses and safeguard their assets.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...