Loader
AresLoader
AresLoader is a new malware "downloader" that has been advertised on some Russian-language Dark Web forums ("RAMP" and "XSS") by a threat actor called "DarkBLUP".
AresLoader is a Windows loader.
Background
AresLoader is a recently emerged malware "downloader" promoted on Russian-language Dark Web forums such as "RAMP" and "XSS" by a threat actor going by "DarkBLUP". Researchers believe the loader was probably a genuine penetration-testing tool that threat actors have repurposed, since a comparable project called "Project Ares" had earlier been published on GitHub as a proof-of-concept (PoC) by the respected user and red teamer "CerberSec".
The loader poses as legitimate software to lure victims into running malware with administrator privileges. Its other characteristics include:
- Written in C/C++
- Support for 64-bit payloads
- Making the malware appear to have been launched by another process
- Blocking the injection of non-Microsoft-signed binaries into the malware
- Concealing suspicious imported Windows APIs
- Using anti-analysis techniques to hinder reverse engineering
Additionally, SystemBC, Amadey, and several Raccoon Stealer samples were seen directly installing AresLoader. So far, the AresLoader downloader has been observed dropping payloads such as SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.
Source: Malpedia (Fraunhofer FKIE).