
AresLoader Masquerades as Citrix Project to Drop Multiple Payloads

Researchers have discovered a new variant of AresLoader being used to distribute several malware families, including IcedID, Aurora Stealer, and Laplas Clipper. The latest campaign specifically targets Citrix users under the guise of a Citrix project.

Knowing AresLoader

AresLoader is a multi-stage loader written in C and compiled as a 32-bit executable. It was first observed being advertised on cybercrime forums and Telegram channels in 2022.
  • Its developers are the same threat actors responsible for the AiD Locker ransomware.
  • It is sold as malware-as-a-service (MaaS) on a monthly subscription model.

Citrix users under attack

Researchers at Cyble have observed active use of AresLoader MaaS to spread a range of malware via a public code-hosting repository.
  • A GitLab repository masquerading as a Citrix project (hxxps[:]//gitlab[.]com/citrixchat-project/citrixproject/) is being used to distribute a malicious executable named AG.exe, which has been identified as AresLoader.
  • When executed, it drops IcedID and LummaStealer onto the infected machine.
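The two indicators the report gives (the defanged repository URL and the dropped file name) are enough to sweep outbound proxy logs for machines that contacted the repository or fetched a file with that name. The script below is an added example written for this page, not Cyble's tooling: it refangs the indicator, normalises log URLs, and reports matches. The log format and every log line (including the download paths under the repository) are constructed for the example and were not observed in the campaign.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the report above: the defanged repository URL and the
# name of the dropped loader executable.
DEFANGED_REPO_URL = "hxxps[:]//gitlab[.]com/citrixchat-project/citrixproject/"
DROPPED_FILE = "AG.exe"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [:], [.]) back into a usable URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    return s


REPO_URL = refang(DEFANGED_REPO_URL)
REPO_HOST = urlparse(REPO_URL).hostname                 # "gitlab.com"
REPO_PATH = urlparse(REPO_URL).path.rstrip("/")         # "/citrixchat-project/citrixproject"

# Constructed proxy log (not from the report). Columns are an assumption:
# timestamp, client IP, method, URL, HTTP status, bytes transferred.
SAMPLE_PROXY_LOG = """\
2023-05-02T10:14:01Z 10.0.0.21 GET https://gitlab.com/citrixchat-project/citrixproject/-/raw/main/AG.exe 200 512000
2023-05-02T10:15:44Z 10.0.0.22 GET https://gitlab.com/some-org/legit-tool/-/raw/main/README.md 200 2048
2023-05-02T10:16:09Z 10.0.0.23 GET https://www.citrix.com/downloads/workspace-app/ 200 30000
2023-05-02T10:17:30Z 10.0.0.24 GET https://cdn.example.net/files/AG.exe 200 498000
2023-05-02T10:18:02Z 10.0.0.21 POST https://gitlab.com/citrixchat-project/citrixproject/issues 403 120
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify(url: str) -> list[str]:
    """Return the indicator names a URL matches.

    "aresloader-repo": the host is the repository host and the path is the
    repository itself or anything underneath it.
    "dropped-file-name": the last path segment is the dropped file name, on
    any host, to catch the same payload served from elsewhere.
    """
    hits = []
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path
    if host == REPO_HOST and (path == REPO_PATH or path.startswith(REPO_PATH + "/")):
        hits.append("aresloader-repo")
    if path.rsplit("/", 1)[-1].lower() == DROPPED_FILE.lower():
        hits.append("dropped-file-name")
    return hits


def scan_proxy_log(text: str) -> list[dict]:
    """Parse each log line and collect those whose URL matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        hits = classify(m["url"])
        if hits:
            findings.append({"line": lineno, "src": m["src"], "url": m["url"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['url']} [{', '.join(f['hits'])}]")
```

The repository match is deliberately a path-prefix test rather than an exact string compare, so raw-file downloads, issue pages and other sub-paths of the project all surface; the file-name match is kept separate because a dropper's file name is a weaker indicator than the repository itself. A 403 on the repository still counts as a finding: the host reached out, which is what matters for triage.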

Operational details

AresLoader uses different code-extraction and injection techniques depending on the malware it is delivering.
  • The initial executable carries its next stage as embedded code, which the loader extracts and injects to reach the subsequent stages.
  • It has been used to deliver IcedID, Aurora Stealer, NetSupport RAT, SystemBC RAT, StealC, and Laplas Clipper, among others.
  • To evade detection, the loader first launches a legitimate decoy file and only then deploys its malicious payloads.
  • The developer also supplies a builder for generating loader executables and several web panels for launching and managing campaigns.

The bottom line

AresLoader has been observed distributing several malware families using different code-extraction and injection techniques, which indicates that it has gained traction among multiple threat groups. Defenders should rely on multiple layers of protection, including reputable anti-malware software, firewalls, and an anti-phishing solution, and should treat executables fetched from code-hosting repositories that imitate well-known vendors as suspect.
Publisher: Cyware