A cybercriminal going by the pseudonym “Yattaze” has been offering a beta version of a new malware downloader called Kardon Loader for sale on the dark web since April.
Kardon Loader is essentially a malware downloader and is still under development. Downloaders (also called droppers or loaders) are typically the first-stage component of a campaign: they gain initial execution on the targeted system, report back to the command-and-control (C2) server, and then fetch and run whatever payload the operator chooses, so the downloader is often developed and sold separately from the final malware.
“Downloaders are a critical part of the malware ecosystem, often developed by specialists and sold independently of the trojan that is the objective of the campaign. Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Arbor researchers wrote in a blog.
According to security researchers at Arbor, the malware may be a rebranded version of the ZeroCool botnet which was also developed by “Yattaze”.
"The author abandoned the [ZeroCool] project and used the code from it to create Kardon Loader," TJ Nelson, Security Research Analyst for Arbor, told Bleeping Computer. "It was under development for over a year, and it was basically his first attempt at building a bot, so he decided not to release it and work on this one."
According to Arbor researchers, Kardon Loader is a “fully featured downloader”: it provides core bot functionality and supports download-and-execute, update and uninstall tasks issued from the C2 panel, among other features.
"This is very new malware, and the author is active and responsive on their advertisement threads, which means the commitments they have made to add encryption and rootkit functionality have a higher likelihood of coming true in the future," Nelson said.
A prequel of what’s to come
Kardon Loader has been advertised as a standalone build that allows its users to create a botshop, which would in turn allow them to establish their own operation and sell access to infected machines to other cybercriminals.
"Kardon is a lot smaller of an operation than some of the well-known loaders out there like Smoke and Quant," Nelson told Bleeping Computer. "However, where its predecessors started adding mining and credential stealing features, Kardon Loader has limited those 'extras' and added control panel features [so buyers can] start their own botshop."