ManticoraLoader, a new malware-as-a-service (MaaS) offering, has been making waves in the cybercriminal underworld. The loader was first spotted on the XSS forum, advertised by the user 'DarkBLUP', an alias previously tied to the distribution of AresLoader and the AiDLocker ransomware from the DeadXInject group. ManticoraLoader has been actively promoted on DeadXInject's Telegram channel since August 8, 2024.
Researchers at Cyble Research and Intelligence Labs (CRIL), who analysed the advertisements, describe a broad feature set. The loader is advertised as compatible with Windows 7 and later, including Windows Server releases, which covers most of the Windows fleet still in use today.
One of the standout features of ManticoraLoader is its collection of fingerprinting data from infected devices: IP address, username, system language, installed antivirus software, machine UUID, and date-time stamps. This data is sent back to a centralised control panel, letting operators build victim profiles and tailor follow-on payloads to each target.
The loader's modular design lets the operators bolt on additional functionality, so it can be adapted to different malicious objectives. To evade detection, the malware relies on obfuscation; the advertisement cites a detection rate of 0/39 on Kleenscan, a scanner that, unlike VirusTotal, does not share submitted samples with antivirus vendors and is therefore popular with malware sellers for exactly this kind of pitch. In a demonstration of its evasion, the actors also showed the loader bypassing the sandbox component of 360 Total Security. Both figures come from the sellers' own promotional material rather than independent testing.
ManticoraLoader is also built with persistence in mind: it can place files in auto-start locations so that it survives reboots on compromised systems. The sales process is deliberately restrictive. The actors cap the number of clients at 10 and sell only through the forum's escrow service or by direct contact via Telegram or TOX, an exclusivity strategy intended to keep the sample out of researchers' hands and limit exposure.
The service rents for $500 per month. The subscription model shows that ManticoraLoader is not a one-off sale but a MaaS designed to generate a steady stream of revenue for the group behind it.
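The article does not name the specific auto-start locations ManticoraLoader uses, so the check below, an added example written for this page and not Cyble's or the malware's code, sweeps the common ones a Windows loader reaches for: the HKLM/HKCU Run and RunOnce keys and the per-user and all-users Startup folders. Each entry is flagged when its target lives in a user-writable directory, is unsigned or has an invalid signature, has a script-type extension, or no longer exists on disk. The directory list and the extension list are assumptions about what is suspicious, not facts from the article; adjust them for your environment.

```powershell
# Added example: hunt for suspicious auto-start entries of the kind a loader plants.
# Run in an elevated PowerShell session on the host being examined.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Assumption: a dropped loader usually lands in a directory a standard user can write
# to, not under Program Files. Tune this list for your environment.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData) |
    Where-Object { $_ }
# Assumption: script-type extensions in an auto-start slot deserve a second look.
$scriptExt = @('.vbs', '.js', '.jse', '.bat', '.cmd', '.ps1', '.hta', '.scr')
# Properties Get-ItemProperty adds to every key; these are not Run-key values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath([string]$cmd) {
    # Strip surrounding quotes and trailing arguments from a Run-key value.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $cmd
}

function Test-AutoStartEntry([string]$source, [string]$name, [string]$path) {
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($path)) {
        $reasons += 'empty target'
    } else {
        $path = [Environment]::ExpandEnvironmentVariables($path)
        foreach ($d in $userWritable) {
            if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "in user-writable dir $d"
            }
        }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            $ext = [IO.Path]::GetExtension($path).ToLowerInvariant()
            if ($ext -in $scriptExt) { $reasons += "script extension $ext" }
        } else {
            $reasons += 'target missing on disk'
        }
    }
    [pscustomobject]@{ Source = $source; Name = $name; Path = $path; Flags = ($reasons -join '; ') }
}

$findings = @()

# Registry Run / RunOnce keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        $findings += Test-AutoStartEntry $key $p.Name $exe
    }
}

# Startup folders; resolve .lnk shortcuts so the real target is examined.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $findings += Test-AutoStartEntry $dir $_.Name $target
    }
}

# Print only entries that tripped at least one flag.
$findings | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Unsigned entries in a user-writable directory are common on developer workstations, so treat the output as a triage list rather than a verdict; the point is that a loader dropped by a phishing payload cannot easily avoid tripping the first two checks at once. Scheduled tasks, services and WMI subscriptions are further persistence slots the article does not mention and this sweep does not cover.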
While ManticoraLoader has been grabbing attention, the researchers note that DarkBLUP had been quiet for an extended period despite the success of the group's earlier projects, AresLoader and the AiDLocker ransomware. AresLoader in particular remains widely used among cybercriminals, which leads the researchers to believe the group is expanding its arsenal to diversify its offerings and open up new revenue streams.
In short, ManticoraLoader is a capable loader sold on a subscription model, and its evasion claims, persistence features and tightly controlled distribution illustrate how the MaaS market continues to professionalise. Defenders should treat the advertised detection figures with scepticism and focus on the behaviours the loader cannot avoid: host fingerprinting, beaconing to a control panel, and writes to auto-start locations.

