CyberWire Daily – Research Saturday
Episode Title: The JPHP Loader Breaking Away from the Pack
Host: Dave Bittner, N2K Networks
Release Date: December 7, 2024
Introduction
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Shawn Kanady, Global Director at Trustwave SpiderLabs. The discussion centers on the newly identified Pronsis Loader, a JPHP-driven loader malware that is setting itself apart in the threat landscape.
Overview of Pronsis Loader Malware
[03:07] Dave Bittner opens by asking for an overview of Pronsis Loader:
"Wow. So give us an overview here of what exactly Pronsis Loader is and how it operates."
[03:15] Shawn Kanady responds:
"Pronsis Loader is yet another loader. There are many like them. Loader malware in general is really designed to connect to a remote location that is controlled by a threat actor to download additional malware. So it's really lightweight and it will reach out, pull down additional malware, generally in the form of a zip file or something else. And that payload that it's downloading could be anything from another loader malware to an info stealer. Anything that the threat actor is running as a campaign." [03:15]
Pronsis Loader functions as an intermediary: it connects to attacker-controlled command-and-control (C2) infrastructure to retrieve further payloads, which can range from additional loaders to information-stealing malware.
Technical Analysis: Uniqueness and Operations
[04:05] Dave Bittner asks what sets Pronsis Loader apart:
"So what prompted you all to classify Pronsis Loader as a distinct malware variant?"
[04:12] Shawn Kanady elaborates:
"That's a really good question. So it's a distinct malware variant in that we hadn't seen it before. There are many loaders just like this one. This one is unique in its usage of JPHP, which is a Java implementation of PHP. There have been others that have used JPHP; it's not common. We've seen where IceRat, the remote access trojan, was using JPHP. And so, as we were again looking for loaders of Latrodectus malware, when we found this Pronsis Loader we also saw another one called D3F@ck Loader, and they both use JPHP. Interestingly, the D3F@ck Loader is probably part of this same threat actor group of tools. And the reason I say that is because the coding behind it is very similar. And so we saw D3F@ck Loader, its earliest variant, in January of 2024. And as we're looking through different variants with similar infrastructure, code infrastructure I should say, we saw that the Pronsis Loader was earlier, in November 2023. So NSIS is known as Nullsoft Scriptable Install System. So this is how the threat actors are crafting this binary. The D3F@ck Loader uses Inno Setup, so it's just a different type of binary creation system. So there's differences there. The other difference is Pronsis Loader doesn't use any SSL certificates. Generally when you see malware they may have certificates to evade detections or to look legitimate. The Pronsis Loader does not have that, whereas D3F@ck Loader does have it. So you can see where the threat actor is maybe making their malware a little bit stronger as far as defense evasion goes. And beyond that, there's a password that is used in the D3F@ck Loader. So when it's unpacking, there's a hard-coded password that is used when they're setting it up in the Inno Setup program, whereas the Pronsis Loader does not have a password. So a little bit different, but very similar. So again the code is very similar to each other, but the D3F@ck Loader is probably a little bit more sophisticated in terms of defense evasion." [04:12]
Key Points:
- JPHP Utilization: Pronsis Loader is written with JPHP (a Java implementation of PHP), a rare choice among loader malware; IceRat is one of the few earlier examples.
- Similarity to D3F@ck Loader: Shares coding similarities with D3F@ck Loader, suggesting a common threat actor origin. The earliest Pronsis Loader sample dates to November 2023, the earliest D3F@ck Loader sample to January 2024.
- Binary Creation Differences: Pronsis Loader is packaged with NSIS (Nullsoft Scriptable Install System) and carries no SSL certificate, whereas D3F@ck Loader is packaged with Inno Setup and adds defense-evasion features such as an SSL certificate and a hard-coded unpacking password.
- Defense Evasion: D3F@ck Loader demonstrates more advanced defense evasion than Pronsis Loader.
Payloads Delivered by Pronsis Loader
[07:30] Dave Bittner asks about the types of payloads delivered:
"So in terms of the payloads, I mean you mentioned Latrodectus, are there other payloads that you've seen Pronsis Loader delivering?"
[07:40] Shawn Kanady responds:
"Yeah, so there's a big campaign that we've seen with Lumma Stealer. So we have seen the Latrodectus. Obviously I mentioned that it's another loader malware. But we're also seeing Lumma Stealer, and Lumma Stealer has made its way into the news recently, and we have seen major campaigns involving Lumma Stealer. Lumma Stealer, for those not in the know, is an info stealing malware. Again, with these loaders and info stealers, it's part of a bigger operation generally. So we'll see loader malware being used to drop info stealer malware. And that info stealer malware is generally part of a malware-as-a-service campaign. So threat actors can take that info stealing malware and get a lot of information from users: their browser credentials, crypto wallets, you name it. Whatever they're looking to steal at the time, gathering a lot of information and then potentially using that information to do social engineering or logging into companies. One of the big targets would be SSO credentials, so single sign-on credentials. They could leverage that to log into cloud apps and things of that nature, bypassing multifactor authentication. So those are big prime targets for info stealer malware." [07:40]
Key Points:
- Latrodectus Loader: Pronsis Loader has been observed installing the Latrodectus loader malware.
- Lumma Stealer Delivery: Delivers Lumma Stealer, an information-stealing malware known for harvesting browser credentials, cryptocurrency wallets, and Single Sign-On (SSO) credentials.
- Malware-as-a-Service: These payloads are part of broader Malware-as-a-Service (MaaS) campaigns, enabling threat actors to monetize stolen data and facilitate further attacks, such as using stolen SSO session material to reach cloud applications without passing through multi-factor authentication again.
Persistence Mechanisms
[11:58] Dave Bittner shifts focus to persistence strategies:
"Is there anything noteworthy with Pronsis Loader in terms of how it handles persistence once it's on a machine? Anything unusual or noteworthy there?"
[11:58] Shawn Kanady replies:
"From a persistence mechanism? Not really, I wouldn't say so. A lot of these loader malwares are designed to reach out, grab whatever they're trying to load, and then just exit. Sometimes there's persistence mechanisms from, like, an autostart perspective. In some cases, though, in a lot of cases actually, they'll load additional loader malware such as the Latrodectus malware I mentioned before, and that loader malware will have additional capabilities where it will establish persistence mechanisms. It will do things such as run a PowerShell script to exclude the directory it's installed in from scans, things of that nature." [11:58]
[12:48] Dave Bittner adds:
"So it can be kind of a cascading nature here of one handing off to the next." [12:48]
[12:55] Shawn Kanady confirms:
"Exactly. Yep." [12:55]
Summary:
- Pronsis Loader's Role: Primarily serves to download and execute other malware, then exits without establishing its own persistence.
- Cascading Loaders: Subsequent loaders such as Latrodectus handle persistence themselves, for example by running a PowerShell script that excludes the directory they are installed in from antivirus scans, which both evades detection and helps maintain a foothold on the infected system.
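The scan-exclusion trick mentioned above leaves a footprint that defenders can look for. As an added example that is not part of the podcast or of Trustwave's research, the Python snippet below scans a handful of constructed Windows event records for two signals: a Microsoft Defender configuration-change event (Event ID 5007) whose new value lands under the Defender "Exclusions" registry key, and a PowerShell script-block log entry (Event ID 4104) that calls Add-MpPreference with an exclusion parameter. Exclusions pointing into a user-writable profile directory are rated higher, since that is where dropped loaders usually live. The event IDs, the registry path and the cmdlet name are taken from public Microsoft documentation; the record text and the paths are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records, loosely modelled on the message text of
# Microsoft-Windows-Windows Defender/Operational Event ID 5007 (configuration changed)
# and PowerShell script-block logging Event ID 4104. Paths and values are made up.
SAMPLE_EVENTS = [
    {"event_id": 5007,
     "message": "Windows Defender Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\victim\\AppData\\Roaming\\TotallyLegit = 0x0"},
    {"event_id": 5007,  # benign-looking constructed change under a non-exclusion key
     "message": "Windows Defender Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"},
    {"event_id": 4104,
     "message": "Creating Scriptblock text (1 of 1):\n"
                "Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\TotallyLegit'"},
    {"event_id": 4104,  # read-only query, should not be flagged
     "message": "Creating Scriptblock text (1 of 1):\nGet-MpPreference | Select-Object ExclusionPath"},
    {"event_id": 5007,
     "message": "Windows Defender Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Program Files\\SQL = 0x0"},
]

# Exclusion written directly to the Defender registry key (surfaces as Event ID 5007).
EXCLUSION_KEY = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(?P<value>[^=]+?)\s*=", re.I)
# Exclusion added through the Defender PowerShell module (surfaces as Event ID 4104).
ADD_MPPREF = re.compile(
    r"Add-MpPreference\b[^\n]*?-Exclusion(Path|Process|Extension)\s+['\"]?(?P<value>[^'\"\n]+)", re.I)
# Locations an unprivileged user can write to; a loader dropped there is the common case.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


@dataclass
class Finding:
    event_id: int
    kind: str
    value: str
    severity: str


def classify(value: str) -> str:
    """Rate an excluded path: user-writable profile directories are the higher risk."""
    return "high" if USER_WRITABLE.match(value.strip()) else "medium"


def detect_exclusions(events):
    """Return a Finding for every record that adds a Defender exclusion."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["event_id"] == 5007:
            m = EXCLUSION_KEY.search(msg)
            if m:
                value = m.group("value").strip()
                findings.append(Finding(5007, "defender-exclusion-" + m.group(1).lower(),
                                        value, classify(value)))
        elif ev["event_id"] == 4104:
            m = ADD_MPPREF.search(msg)
            if m:
                value = m.group("value").strip()
                findings.append(Finding(4104, "powershell-add-mppreference",
                                        value, classify(value)))
    return findings


if __name__ == "__main__":
    for f in detect_exclusions(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id} {f.kind}: {f.value}")
```

In a real deployment the same two patterns would be applied to the Defender operational log and to script-block logs forwarded from endpoints; the point of keeping both is that an exclusion set through the registry or through Group Policy never produces an Add-MpPreference script block, while one set from a script may be the earlier of the two signals.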
Distribution and Spread
[13:06] Dave Bittner asks about the prevalence:
"How widespread do you suppose this is? Do you have any sense for how far and wide this is being spread?" [13:06]
[13:06] Shawn Kanady responds:
"I would say it's massive. It's hard to put numbers around these things because the loader malwares out there, there's many of them, there's hundreds of them, really. The ecosystem for them is crazy as far as, like, the dark markets go. So they're widespread and very cheap, too. They're very cheap to deploy from a cost perspective for threat actors. And so there's any number of ways that this loader malware can find its way on your system. Typical ways, you know, phishing, of course, but there's also drive-by downloads or, you know, sidecar installations where you're looking to download some free software. You may get that free software, but you get a little extra with it, and it would be like the loader malware. And actually we're seeing a lot of installations via using social engineering to distribute the malware; that's pretty famous right now. So all over on Facebook you're going to see malvertising and you'll click the link. It could be anything. It could be anything from a job posting, so click here to submit your application to this job, and that will then bring you in a loader malware and then down the chain. Right, so loader malware comes, it downloads a payload, perhaps Latrodectus or some info stealer. The next thing you know, your credentials are being stolen and sold in the dark market." [13:06]
Key Points:
- Widespread Distribution: Loader malware like Pronsis is extensively distributed because it is cheap to deploy and readily available in dark markets.
- Distribution Vectors: Common methods include phishing emails, drive-by downloads, sidecar installations bundled with otherwise legitimate free software, and malvertising on platforms like Facebook.
- Social Engineering Tactics: Attackers use deceptive lures such as fake job postings to trick users into downloading a loader.
- Cascade Effect: The initial loader downloads further payloads (another loader or an info stealer), leading to credential theft and the sale of the stolen data on dark markets.
Recommendations for Protection
[14:45] Dave Bittner seeks expert advice on mitigation:
"So what are your recommendations then? I mean, how should our organizations best protect themselves here?" [14:45]
[14:52] Shawn Kanady offers strategies:
"Well, this is where it gets, you know, I think awareness is key. A lot of times, you know, the ransomware breaches get a lot of media play. And so unfortunately that's the end payload, or that's the end game, for a lot of this. Right. And so having an understanding of what may come before that, or left of boom, as they say, is really important. You know, we're getting into a situation where a lot of times, you know, especially with cloud apps or just remote work from home, you know, we think about protecting our corporate assets with EDR tools, which will help. Those definitely help. But what happens when your end users are using their personal assets to then log into your Office 365, or, you know, sharing with the kids at home who are, you know, downloading things? So it gets extremely difficult. So having an awareness of the whole ecosystem of how it all works, from loader malware to info stealers, really, info stealers are a big one. There's a huge market for the info logs that info stealers present to threat actors. So things like storing your credentials in your browsers, generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab. And over time they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and escalate further that attack chain." [14:52]
Further Insights:
- Awareness and Education: Security awareness training is key, in particular teaching users about the risk of saving credentials in browsers and how to recognize phishing and malvertising lures.
- Holistic Security Approach: Understand the entire chain, from initial loaders to info stealers, so that it can be disrupted "left of boom", before the ransomware stage that gets the media attention.
- Endpoint Detection and Response (EDR): EDR tools help on corporate assets, but they do not cover personal devices used for remote work or shared with family members, so they must be complemented with user education.
- Mitigating Info Stealers: Reducing the harvest available to info stealers (browser-saved passwords, SSO credentials, crypto wallets) reduces the raw material for the social engineering and ransomware attacks that follow.
Broader Trends and Future Outlook
[19:05] Dave Bittner explores future implications:
"As you look at this as a part of the larger ecosystem and you're looking forward at trends, like, where are we headed? You know, what does this tell us about the broader overall trends of things? Who's selling what and who's buying what, and how are they coming after people? Do you have any insights there of, like, you know, where you think, does this inform where we think we may be headed?" [19:05]
[19:11] Shawn Kanady shares his perspective:
"Yeah, I think loaders have been around forever and so have info stealers, and they're not going to go away. I think the speed at which they are being distributed is increasing exponentially, I would say, for two reasons. One, social engineering is getting easier for threat actors given AI. Like, that's really helping. Social media, because a lot of this malware is distributed via social media, and we are seeing that trending lately, which is really interesting, because until we start looking at how the social media platforms are protecting consumers of that platform, I think that'll continually grow and escalate. We certainly, the World Wide Web of things is growing crazy, right? So there's just a lot of junk on the Internet these days. The Internet's broken. But with social media platforms, all of them, they're being used by the threat actors. And it's almost, it's a little scary to think about, in that the companies behind those platforms aren't able to keep up with it. I don't think we're seeing a lot of infection chains within those platforms. So we recently did a blog on the Ov3r_Stealer malware. It's another info stealer that was being spread through Facebook, and it's designed just like any other info stealer, where it's taking cached credentials, it's looking at crypto wallets, things of that nature, but it's also looking for Facebook account credentials, business account credentials. So what it does then is it will steal your Facebook business account credentials and then use any advertising dollars you have in that business account to then further spread more of itself. Right? Spread more malware." [19:11]
Key Points:
- Persistence of Loaders and Info Stealers: Both remain foundational components of the malware ecosystem with no sign of going away.
- Exponential Distribution Growth: AI makes social engineering easier and faster for threat actors, and social media provides the distribution channel.
- Social Media Exploitation: Platforms like Facebook are increasingly used for malware distribution, and the companies behind them are struggling to keep up.
- Self-Funding Infection Chains: Malware like Ov3r_Stealer steals Facebook business account credentials and spends the account's advertising budget on malvertising that spreads the stealer further.
- Proliferation Challenges: The rapid growth of the web and the volume of junk content online create fertile ground for threat actors.
Conclusion
[21:58] As the conversation draws to a close, Dave Bittner wraps up:
"Our thanks to Shawn Kanady from Trustwave SpiderLabs for joining us. The research is titled Pronsis Loader: A JPHP-Driven Malware. We'll have a link in the show notes and that's Research Saturday, brought to you by N2K CyberWire..." [21:58]
The episode underscores the evolving sophistication of loader malware like Pronsis Loader, its integration with information-stealing tools, and the expanding methods of distribution, particularly through social media platforms. The insights provided by Shawn Kanady highlight the need for security strategies that combine technical defenses with robust user education to combat these persistent threats.
Notable Quotes
- On Browser Credential Risks:
Shawn Kanady: "Storing your credentials in your browser is generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab." [01:27]
- On Pronsis Loader's Discovery:
Shawn Kanady: "How we stumbled across this loader malware was that our Cyber Threat Intelligence team works with our threat hunters and we were running a threat hunt campaign against the Latrodectus Loader malware..." [02:12]
- On Malware-as-a-Service Campaigns:
Shawn Kanady: "Those are big prime targets for info stealer malware." [07:40]
- On Exponential Growth of Malware Distribution:
Shawn Kanady: "Social engineering is getting easier for threat actors given AI... they're moving a lot faster now." [19:40]
Recommendations for Further Reading
For a deeper dive into Pronsis Loader and related research, visit the CyberWire Daily website or refer to the show notes linked in the podcast.
Stay Informed, Stay Secure
Understanding the intricate mechanisms of modern malware is crucial in developing effective defense strategies. Episodes like this provide valuable insights that help cybersecurity professionals stay ahead in the ever-evolving digital threat landscape.