Dave Buettner
You're listening to the CyberWire network, powered by N2K. Now a word about our sponsor, the Johns Hopkins University Information Security Institute. The JHU ISI is home to world-class interdisciplinary experts dedicated to developing technologies to protect the world's vast online systems and infrastructure, and working closely with US government research agencies and industry partners. The Institute offers dual degree and joint programs in computer science and health informatics and has been designated as a Center of Academic Excellence in Cyber Research. Learn more at isi.jhu.edu. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Buettner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Sean Cannady
Storing your credentials in your browser is generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab. And over time they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and escalate further that attack chain.
Dave Buettner
That's Sean Cannady, Global Director of Trustwave SpiderLabs. The research we're discussing today is titled Pranas Loader, a JPHP-Driven Malware.
Sean Cannady
How we stumbled across this loader malware was that our Cyber Threat Intelligence team works with our threat hunters, and we were running a threat hunt campaign against the Latrodectus loader malware. And during that threat hunt campaign, our threat intelligence team was monitoring VirusTotal to find any submissions of Latrodectus. So oftentimes companies will, or just anyone really, will be uploading files to VirusTotal for scans or things like that. And we were looking for Latrodectus. And in doing so, we found another loader that was installing Latrodectus. So what you have here is an example of a loader malware known as Pranas installing another loader malware known as Latrodectus.
Dave Buettner
Wow. So give us an overview here of what exactly Pranas Loader is and how it operates.
Sean Cannady
Sure. So Pranas Loader is yet another loader. There are many like them. Loader malwares in general are really designed to connect to a remote location that is controlled by a threat actor to download additional malware. So it's really lightweight, and it will reach out, pull down additional malware, generally in the form of a zip file or something else. And that payload that it's downloading could be anything from another loader malware to an info stealer. Anything that the threat actor is running as a campaign.
Dave Buettner
So what prompted you all to classify Pranas Loader as a distinct malware variant?
Sean Cannady
That's a really good question. So it's a distinct malware variant in that we hadn't seen it before. There are many loaders just like this one. This one is unique in its usage of JPHP, which is a Java implementation of PHP. There have been others that have used JPHP; it's not common. We've seen where IceRat, the remote access trojan, was using JPHP. And so, as we were looking, again, for loaders of the Latrodectus malware, when we found this Pranas Loader we also saw another one called DFAC Loader, and they both use JPHP. Interestingly, the DFAC Loader is probably part of this same threat actor's group of tools. And the reason I say that is because the coding behind it is very similar. And so we saw DFAC Loader, its earliest variant, in January of 2024. And as we were looking through different variants with similar infrastructure, code infrastructure I should say, we saw that the Pranas Loader was earlier, in November 2023. So NSIS is known as Nullsoft Scriptable Install System. So this is how the threat actors are crafting this binary. The DFAC Loader uses Inno Setup, so it's just a different type of binary creation system. So there are differences there. The other difference is Pranas Loader doesn't use any SSL certificates. Generally when you see malware, they may have certificates to evade detections or to look legitimate. The Pranas Loader does not have that, whereas DFAC Loader does have it. So you can see where the threat actor is maybe making their malware a little bit stronger as far as defense evasion goes. And beyond that, there's a password that is used in the DFAC Loader. So when it's unpacking, there's a hard-coded password that is used when they're setting it up in the Inno Setup program, whereas the Pranas Loader does not have a password. So a little bit different, but very similar.
So again, the code is very similar to each other, but the DFAC Loader is probably a little bit more sophisticated in terms of defense evasion.
Dave Buettner
Where do you suppose Pranas Loader stands when it comes to its general obfuscation techniques, when you compare it to some of the other loaders you've seen?
Sean Cannady
This is probably where I'm a little bit cynical as far as obfuscation techniques. I wouldn't say that it's more sophisticated than others, really. A lot of these loaders are meant to be very lightweight, and so the obfuscation techniques are limited in what you can do there.
Dave Buettner
So in terms of the payloads, I mean, you mentioned Latrodectus. Are there other payloads that you've seen Pranas Loader delivering?
Sean Cannady
Yeah, so there's a big campaign that we've seen with Lumma Stealer. So we have seen the Latrodectus; obviously I mentioned that it's another loader malware. But we're also seeing Lumma Stealer, and Lumma Stealer has made its way into the news recently, and we have seen major campaigns involving Lumma Stealer. Lumma Stealer, for those not in the know, is an info-stealing malware. Again, with these loaders and info stealers, it's part of a bigger operation generally. So we'll see loader malware being used to drop info stealer malware. And that info stealer malware is generally part of a malware-as-a-service campaign. So threat actors can take that info-stealing malware and get a lot of information from users: their browser credentials, crypto wallets, you name it, whatever they're looking to steal at the time, gathering a lot of information and then potentially using that information to do social engineering or log into companies. One of the big targets would be SSO credentials, so single sign-on credentials; they could leverage those to log into cloud apps and things of that nature, bypassing multifactor authentication. So those are big prime targets for info stealer malware.
Dave Buettner
We'll be right back.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco: 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show.

And now a message from BlackCloak. What's the easiest way for threat actors to bypass your company's cyber defenses? Targeting your executives at home. According to the latest Ponemon research study, over 42% of CISOs have reported cyber attacks on their executives in their personal lives, and this becomes your problem because executives are easy targets at home for account takeover, credential theft and reputational harm. Close the at-home security gap with BlackCloak's Digital Executive Protection Platform: award-winning 24/7/365 protection for executives and their families. Learn more at blackcloak.io.

Is there anything noteworthy with Pranas Loader in terms of how it handles persistence once it's on a machine? Anything unusual or noteworthy there?
Sean Cannady
From a persistence mechanism? Not really, I wouldn't say so. A lot of these loader malwares are designed to reach out, grab whatever they're trying to load, and then just exit. Sometimes there are persistence mechanisms from, like, an autostart perspective. In some cases, though, in a lot of cases actually, they'll load additional loader malware such as the Latrodectus malware I mentioned before, and that loader malware will have additional capabilities where it will establish persistence mechanisms. It will do things such as run a PowerShell script to exclude the directory it's installed in from scans, things of that nature.
Dave Buettner
So it can be kind of a cascading nature here, of one handing off to the next.
Sean Cannady
Exactly. Yep.
Dave Buettner
Yeah. How widespread do you suppose this is? Do you have any sense for how far and wide this is being spread?
Sean Cannady
I would say it's massive. It's hard to put numbers around these things because of the loader malwares out there; there's many of them, there's hundreds of them, really. The ecosystem for them is crazy as far as, like, the dark markets go. So they're widespread and very cheap too. They're very cheap to deploy from a cost perspective for threat actors. And so there's any number of ways that this loader malware can find its way onto your system. Typical ways, you know: phishing, of course, but there's also drive-by downloads or, you know, sidecar installations where you're looking to download some free software. You may get that free software, but you get a little extra with it, and it would be like the loader malware. And actually we're seeing a lot of installations via social engineering to distribute the malware; that's pretty famous right now. So all over on Facebook you're going to see malvertising, and you'll click the link. It could be anything, anything from a job posting: click here to submit your application to this job, and that will then bring you in a loader malware, and then down the chain. Right, so loader malware comes, it downloads a payload, Latrodectus or some info stealer. The next thing you know, your credentials are being stolen and sold on the dark market.
Dave Buettner
So what are your recommendations then? I mean, how should our organizations best protect themselves here?
Sean Cannady
Well, this is where it gets, you know... I think awareness is key. A lot of times, you know, the ransomware breaches get a lot of media play, and so unfortunately that's the end payload, or that's the end game, for a lot of this, right? And so having an understanding of what may come before that, or left of boom, as they say, is really important. You know, we're getting into a situation where a lot of times, especially with cloud apps or just remote work from home, we think about protecting our corporate assets with EDR tools, which will help; those definitely help. But what happens when your end users are using their personal assets to then log into your Office 365, or, you know, sharing with the kids at home who are downloading things? So it gets extremely difficult. So having an awareness of the whole ecosystem of how it all works, from loader malware to info stealers; really, info stealers are a big one. There's a huge market for the info logs that info stealers present to threat actors. So things like storing your credentials in your browser: generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab. And over time they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and escalate further that attack chain.
Dave Buettner
Yeah, I mean, it's really a story of constant vigilance, I suppose. I mean, that's where we find ourselves.
Sean Cannady
Right, yeah, it really is. You know, the threat actors are moving a lot faster now. So with, you know, AI and things of that nature, social engineering is faster, quicker, more efficient. So staying vigilant, one step ahead, continual security awareness, even though we know that, you know, it's easy to dupe people into clicking the link or downloading the attachment. But I think from a corporation standpoint, or for any given company, just having an understanding of the whole picture, the whole economy of malware as a service, how it all works, and how you end up with potentially ransomware, which is what is top of mind for most companies: I don't want to get the ransomware, how do we protect against ransomware? But if we can move, you know, further left in the kill chain and look at info stealers and remote access trojans and these things, that will help mitigate most of your ransomware attacks. Because the ransomware doesn't just end up on the system. Yeah.
Dave Buettner
It has to come from somewhere.
Sean Cannady
Exactly. And so there's a whole chain, and a lot of times it could be even multiple threat actors, right? So you'll have threat actors who are designing these loader malwares, and then other threat actors that are renting that service to run their campaign, which may be info-stealing malware, right? And so then that information from the info-stealing malware is then sold to other threat actors, who may use that information to then log into a company environment and deploy their ransomware or other malware.
Dave Buettner
It's interesting to me, I mean, as you look at this as a part of the larger ecosystem and you're looking forward at trends, like, where are we headed? You know, what does this tell us about the broader overall trends of things? Who's selling what and who's buying what, and how are they coming after people? Do you have any insights there of, like, you know, where you think... does this inform where we think we may be headed?
Sean Cannady
In terms of just the who and what, of who's behind it?
Dave Buettner
Well, the activity that you all are tracking, and this is a piece of the puzzle, you know, and sometimes you see that certain techniques are on the rise or certain things are on the decline, and, as you say, you know, these threat actors, they're moving at a faster velocity and they're constantly changing. Is this the shape of things to come? This, you know, as we talked about, this cascading use of loaders, is this here to stay, and what are your insights there?
Sean Cannady
Yeah, I think loaders, I mean, loaders have been around forever and so have info stealers, and they're not going to go away. I think the speed at which they are being distributed is increasing exponentially, I would say, for two reasons. One, social engineering is getting easier for threat actors given AI. Like, that's really helping social media, because a lot of this malware is distributed via social media. And we are seeing that trending lately, which is really interesting, because until we start looking at how the social media platforms are protecting consumers of that platform, I think that'll continually grow and escalate. We certainly... the World Wide Web of things is growing crazy, right? So there's just a lot of junk on the Internet these days. The Internet's broken. But with social media platforms, all of them, they're being used by the threat actors. And it's almost, it's a little scary to think about, in that the companies behind those platforms aren't able to keep up with it. I don't think we're seeing a lot of infection chains within those platforms. So we recently did a blog on the Ov3r_Stealer malware. It's another info stealer that was being spread through Facebook, and it's designed just like any other info stealer, where it's taking cached credentials, it's looking at crypto wallets, things of that nature, but it's also looking for Facebook account credentials, business account credentials. So what it does then is it will steal your Facebook business account credentials and then use any advertising dollars you have in that business account to then further spread more of itself. Right? Spread more malware.
Dave Buettner
Our thanks to Sean Cannady from Trustwave SpiderLabs for joining us. The research is titled Pranas Loader, a JPHP-Driven Malware. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment: your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher, and I'm Dave Buettner. Thanks for listening. We'll see you back here next time.

Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business. The hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there.

Well, LegalZoom has everything you need to launch, run and protect your business, all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. Make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business formation product, excluding subscriptions and renewals; that expires at the end of this year. Get everything you need from setup to success at legalzoom.com, and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice, except where authorized through its subsidiary law firm, LZ Legal Services, LLC.
CyberWire Daily – Research Saturday
Episode Title: The JPHP Loader Breaking Away from the Pack
Host: Dave Buettner, N2K Networks
Release Date: December 7, 2024
In this episode of CyberWire Daily's Research Saturday, host Dave Buettner talks with Sean Cannady, Global Director of Trustwave SpiderLabs, about Pranas Loader, a JPHP-driven loader that Trustwave's threat hunters found on VirusTotal while hunting for Latrodectus submissions, and about the loader-to-stealer-to-ransomware chain it feeds.
[03:07] Dave Buettner initiates the discussion by seeking an overview of the Pranas Loader:
"Wow. So give us an overview here of what exactly Pranas Loader is and how it operates."
[03:15] Sean Cannady responds:
"Pranas Loader is yet another loader. There are many like them. Loader malwares in general are really designed to connect to a remote location that is controlled by a threat actor to download additional malware. So it's really lightweight, and it will reach out, pull down additional malware, generally in the form of a zip file or something else. And that payload that it's downloading could be anything from another loader malware to an info stealer. Anything that the threat actor is running as a campaign." [03:15]
Pranas Loader functions as an intermediary, establishing a connection with malicious command-and-control (C2) servers to retrieve further malicious payloads, which can range from additional loaders to information-stealing malware.
[04:05] Dave Buettner probes into what sets Pranas Loader apart:
"So what prompted you all to classify Pranas Loader as a distinct malware variant?"
[04:12] Sean Cannady elaborates:
"That's a really good question. So it's a distinct malware variant in that we hadn't seen it before. There are many loaders just like this one. This one is unique in its usage of JPHP, which is a Java implementation of PHP. There have been others that have used JPHP; it's not common. We've seen where IceRat, the remote access trojan, was using JPHP. And so, as we were looking, again, for loaders of the Latrodectus malware, when we found this Pranas Loader we also saw another one called DFAC Loader, and they both use JPHP. Interestingly, the DFAC Loader is probably part of this same threat actor's group of tools. And the reason I say that is because the coding behind it is very similar. And so we saw DFAC Loader, its earliest variant, in January of 2024. And as we were looking through different variants with similar infrastructure, code infrastructure I should say, we saw that the Pranas Loader was earlier, in November 2023. So NSIS is known as Nullsoft Scriptable Install System. So this is how the threat actors are crafting this binary. The DFAC Loader uses Inno Setup, so it's just a different type of binary creation system. So there are differences there. The other difference is Pranas Loader doesn't use any SSL certificates. Generally when you see malware, they may have certificates to evade detections or to look legitimate. The Pranas Loader does not have that, whereas DFAC Loader does have it. So you can see where the threat actor is maybe making their malware a little bit stronger as far as defense evasion goes. And beyond that, there's a password that is used in the DFAC Loader. So when it's unpacking, there's a hard-coded password that is used when they're setting it up in the Inno Setup program, whereas the Pranas Loader does not have a password. So a little bit different, but very similar.
So again, the code is very similar to each other, but the DFAC Loader is probably a little bit more sophisticated in terms of defense evasion." [04:12]
[07:30] Dave Buettner inquires about the types of payloads delivered:
"So in terms of the payloads, I mean, you mentioned Latrodectus. Are there other payloads that you've seen Pranas Loader delivering?"
[07:40] Sean Cannady responds:
"Yeah, so there's a big campaign that we've seen with Lumma Stealer. So we have seen the Latrodectus; obviously I mentioned that it's another loader malware. But we're also seeing Lumma Stealer, and Lumma Stealer has made its way into the news recently, and we have seen major campaigns involving Lumma Stealer. Lumma Stealer, for those not in the know, is an info-stealing malware. Again, with these loaders and info stealers, it's part of a bigger operation generally. So we'll see loader malware being used to drop info stealer malware. And that info stealer malware is generally part of a malware-as-a-service campaign. So threat actors can take that info-stealing malware and get a lot of information from users: their browser credentials, crypto wallets, you name it, whatever they're looking to steal at the time, gathering a lot of information and then potentially using that information to do social engineering or log into companies. One of the big targets would be SSO credentials, so single sign-on credentials; they could leverage those to log into cloud apps and things of that nature, bypassing multifactor authentication. So those are big prime targets for info stealer malware." [07:40]
[11:58] Dave Buettner shifts focus to persistence strategies:
"Is there anything noteworthy with Pranas Loader in terms of how it handles persistence once it's on a machine? Anything unusual or noteworthy there?"
[11:58] Sean Cannady replies:
"From a persistence mechanism? Not really, I wouldn't say so. A lot of these loader malwares are designed to reach out, grab whatever they're trying to load, and then just exit. Sometimes there are persistence mechanisms from, like, an autostart perspective. In some cases, though, in a lot of cases actually, they'll load additional loader malware such as the Latrodectus malware I mentioned before, and that loader malware will have additional capabilities where it will establish persistence mechanisms. It will do things such as run a PowerShell script to exclude the directory it's installed in from scans, things of that nature." [11:58]
[12:48] Dave Buettner adds:
"So it can be kind of a cascading nature here of one handing off to the next." [12:48]
[12:55] Sean Cannady confirms:
"Exactly. Yep." [12:55]
[13:06] Dave Buettner asks about the prevalence:
"How widespread do you suppose this is? Do you have any sense for how far and wide this is being spread?" [13:06]
[13:06] Sean Cannady responds:
"I would say it's massive. It's hard to put numbers around these things because of the loader malwares out there; there's many of them, there's hundreds of them, really. The ecosystem for them is crazy as far as, like, the dark markets go. So they're widespread and very cheap too. They're very cheap to deploy from a cost perspective for threat actors. And so there's any number of ways that this loader malware can find its way onto your system. Typical ways, you know: phishing, of course, but there's also drive-by downloads or, you know, sidecar installations where you're looking to download some free software. You may get that free software, but you get a little extra with it, and it would be like the loader malware. And actually we're seeing a lot of installations via social engineering to distribute the malware; that's pretty famous right now. So all over on Facebook you're going to see malvertising, and you'll click the link. It could be anything, anything from a job posting: click here to submit your application to this job, and that will then bring you in a loader malware, and then down the chain. Right, so loader malware comes, it downloads a payload, Latrodectus or some info stealer. The next thing you know, your credentials are being stolen and sold on the dark market." [13:06]
[14:45] Dave Buettner seeks expert advice on mitigation:
"So what are your recommendations then? I mean, how, how should our organizations best protect themselves here?" [14:45]
[14:52] Sean Cannady offers strategies:
"Well, this is where it gets, you know... I think awareness is key. A lot of times, you know, the ransomware breaches get a lot of media play, and so unfortunately that's the end payload, or that's the end game, for a lot of this, right? And so having an understanding of what may come before that, or left of boom, as they say, is really important. You know, we're getting into a situation where a lot of times, especially with cloud apps or just remote work from home, we think about protecting our corporate assets with EDR tools, which will help; those definitely help. But what happens when your end users are using their personal assets to then log into your Office 365, or, you know, sharing with the kids at home who are downloading things? So it gets extremely difficult. So having an awareness of the whole ecosystem of how it all works, from loader malware to info stealers; really, info stealers are a big one. There's a huge market for the info logs that info stealers present to threat actors. So things like storing your credentials in your browser: generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab. And over time they'll have enough information from any given user, both personal and potentially corporate, to then do social engineering tactics and escalate further that attack chain." [14:52]
Further Insights:
[19:05] Dave Buettner explores future implications:
"As you look at this as a part of the larger ecosystem and you're looking forward at trends like where are we headed? You know, what does this tell us about the broader overall trends of things? Who's selling what and who's buying what, and how are they coming after people? Do you have any insights there of like, you know, where you think. Does this inform where we think we may be headed." [19:05]
[19:11] Sean Cannady shares his perspective:
"Yeah, I think loaders, I mean, loaders have been around forever and so have info stealers, and they're not going to go away. I think the speed at which they are being distributed is increasing exponentially, I would say, for two reasons. One, social engineering is getting easier for threat actors given AI. Like, that's really helping social media, because a lot of this malware is distributed via social media. And we are seeing that trending lately, which is really interesting, because until we start looking at how the social media platforms are protecting consumers of that platform, I think that'll continually grow and escalate. We certainly... the World Wide Web of things is growing crazy, right? So there's just a lot of junk on the Internet these days. The Internet's broken. But with social media platforms, all of them, they're being used by the threat actors. And it's almost, it's a little scary to think about, in that the companies behind those platforms aren't able to keep up with it. I don't think we're seeing a lot of infection chains within those platforms. So we recently did a blog on the Ov3r_Stealer malware. It's another info stealer that was being spread through Facebook, and it's designed just like any other info stealer, where it's taking cached credentials, it's looking at crypto wallets, things of that nature, but it's also looking for Facebook account credentials, business account credentials. So what it does then is it will steal your Facebook business account credentials and then use any advertising dollars you have in that business account to then further spread more of itself. Right? Spread more malware." [19:11]
[21:58] As the conversation draws to a close, Dave Buettner signs off:
"Our thanks to Sean Cannady from Trustwave SpiderLabs for joining us. The research is titled Pranas Loader, a JPHP-Driven Malware. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire..." [21:58]
The episode's point is not that Pranas Loader is unusually sophisticated (Cannady says plainly that it is not, and that it uses no more obfuscation than other lightweight loaders), but that it is one more commodity link in a chain: a JPHP-based loader built with NSIS, closely related to the Inno Setup-based DFAC Loader, that pulls down Latrodectus or Lumma Stealer, with stolen browser and SSO credentials then sold on to operators who deploy ransomware. Its distribution leans on phishing, drive-by downloads, bundled installers and, increasingly, malvertising and fake job postings on social media. Cannady's advice follows from that picture: understand the left-of-boom stages, treat info stealer logs as the entry point they are, and stop saving corporate credentials in browsers, alongside EDR coverage and ongoing user awareness.
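One concrete place to look for this chain on an endpoint is the step Cannady describes at [11:58], where a follow-on loader such as Latrodectus runs a PowerShell script to exclude its install directory from scans. Below is an added example written for this page, not code from the episode or from Trustwave: a small Python detector run over constructed PowerShell script-block (event ID 4104) and process-creation (event ID 4688) log lines. It assumes the exclusion is set with Microsoft Defender's Add-MpPreference or Set-MpPreference cmdlets (the episode does not name the exact command), that the collector exports events as "timestamp|event_id|host|text" lines (an assumed export format), and it also decodes -EncodedCommand payloads so an exclusion hidden in a base64 one-liner is still caught.

```python
"""Flag PowerShell commands that add Microsoft Defender exclusions.

Added example for this page; not code from the episode or from Trustwave.
Assumptions: the exclusion is set with Defender's Add-MpPreference or
Set-MpPreference cmdlets (the page only says "a PowerShell script to exclude
the directory it's installed in from scans"), and the collector exports
script-block (4104) and process-creation (4688) events as
"timestamp|event_id|host|text" lines. The log lines below are constructed.
"""
import base64
import re

# A single value, or a comma-separated list of values, after an -Exclusion* switch.
VALUE = r"(?:\"[^\"]*\"|'[^']*'|[^\s,]+)"
CMD_RE = re.compile(r"(?:Add|Set)-MpPreference\b([^\r\n;|]*)", re.IGNORECASE)
PARAM_RE = re.compile(
    rf"-Exclusion(?P<kind>Path|Extension|Process)\s+(?P<values>{VALUE}(?:\s*,\s*{VALUE})*)",
    re.IGNORECASE,
)
# powershell.exe -e/-ec/-enc/-EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def expand_encoded_commands(text):
    """Return text plus the decoded body of any -EncodedCommand payload it
    carries, so the exclusion patterns can match inside an encoded one-liner."""
    decoded = []
    for b64 in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command (or bad padding); skip it
    return "\n".join([text] + decoded)


def find_exclusions(text):
    """Return [(kind, value), ...] for every exclusion the command adds.
    kind is 'path', 'extension' or 'process'; quotes around values are stripped."""
    hits = []
    for cmd in CMD_RE.finditer(expand_encoded_commands(text)):
        for param in PARAM_RE.finditer(cmd.group(1)):
            kind = param.group("kind").lower()
            for raw in re.findall(VALUE, param.group("values")):
                hits.append((kind, raw.strip().strip("\"'")))
    return hits


def scan_log(lines):
    """One alert per log line that adds a Defender exclusion."""
    alerts = []
    for line in lines:
        ts, event_id, host, text = line.split("|", 3)
        exclusions = find_exclusions(text)
        if exclusions:
            alerts.append({"timestamp": ts, "event_id": int(event_id),
                           "host": host, "exclusions": exclusions})
    return alerts


# Constructed sample: a benign listing, a plain exclusion with two switches,
# a non-exclusion MpPreference change, an encoded one-liner, and a read-only query.
ENCODED_SCRIPT = "Add-MpPreference -ExclusionProcess 'updater.exe'"
ENCODED_B64 = base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    r"2024-11-12T09:14:02Z|4104|WS-0417|Get-ChildItem C:\Users\alice\Documents",
    r'2024-11-12T09:15:41Z|4104|WS-0417|Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\prn" -ExclusionExtension .exe,.dll',
    r"2024-11-12T09:15:42Z|4104|WS-0417|Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-11-12T09:16:05Z|4688|WS-0417|powershell.exe -nop -w hidden -enc " + ENCODED_B64,
    r"2024-11-12T09:20:13Z|4104|WS-0418|Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["timestamp"], alert["host"], alert["event_id"], alert["exclusions"])
```

Run stand-alone it prints two alerts for WS-0417: the plain Add-MpPreference call (one path, two extensions) and the encoded one-liner (one process). The read-only Get-MpPreference query and the Set-MpPreference call that changes a non-exclusion setting are deliberately left alone so the rule stays narrow; in a real deployment you would feed it script-block logging and command-line auditing output, and allow-list the hosts and service accounts of your own endpoint management tooling, which is the usual legitimate source of exclusion changes.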
On Browser Credential Risks:
Sean Cannady: "Storing your credentials in your browser is generally a bad idea. It's super convenient, you know, save my password. But this is exactly the type of thing that these stealers are going to grab." [01:27]
On Pranas Loader’s Discovery:
Sean Cannady: "How we stumbled across this loader malware was that our Cyber Threat Intelligence team works with our threat hunters and we were running a threat hunt campaign against the Latrodectus Loader malware..." [02:12]
On Malware-as-a-Service Campaigns:
Sean Cannady: "Those are big prime targets for info stealer malware." [07:40]
On Exponential Growth of Malware Distribution:
Sean Cannady: "Social engineering is getting easier for threat actors given AI... they’re moving a lot faster now." [19:40]
For a deeper dive into the Pranas Loader and related research, visit the CyberWire Daily website or refer to the show notes linked in the podcast.
Stay Informed, Stay Secure
Understanding the intricate mechanisms of modern malware is crucial in developing effective defense strategies. Episodes like this provide valuable insights that help cybersecurity professionals stay ahead in the ever-evolving digital threat landscape.