CyberSecurity SEE

ManticoraLoader: Malware Targeting Citrix Users to Steal Data


Cyble Research & Intelligence Labs has uncovered details about a new form of malware-as-a-service (MaaS) known as ‘ManticoraLoader’ circulating in underground forums. This MaaS service has been available since August 8, 2024, on various forums and the messaging app Telegram, being offered by the threat group “DeadXInject.”

The same threat group responsible for the development of the “AresLoader” malware, which targeted Citrix users in April 2023, is behind ManticoraLoader. Additionally, the group has ties to the “AiDLocker” ransomware that emerged in late 2022. ManticoraLoader, constructed in the C programming language, has been actively targeting Citrix users with the goal of exfiltrating data.

In terms of technical analysis, ManticoraLoader is designed for the Windows platform, supporting versions from Windows 7 onwards, including Windows Server. This broad compatibility enables the malware to target a wide range of computer systems. The malware contains a module that collects various information from infected devices and sends it back to a centralized control panel. The data gathered includes IP addresses, usernames, system language, installed antivirus software, UUIDs, and date-time stamps. This data allows attackers to profile their victims, plan future attacks, and maintain control over compromised systems.

ManticoraLoader’s modular design allows for additional features to be added upon request, enhancing its adaptability to different malicious purposes. The malware uses advanced obfuscation techniques to evade detection, boasting a low detection rate on security platforms like Kleenscan. It has the capability to establish persistence by placing files in auto-start locations on the system. The MaaS is offered for a monthly rental fee of $500, with exclusivity limited to 10 clients. Transactions for the malware can be conducted through the forum’s escrow service or via messaging platforms like Telegram or TOX.
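The report only says that the loader persists by placing files in auto-start locations; it does not name the specific key or folder it uses. The following PowerShell script is an added example, not code from the Cyble report or from the malware, that a defender can run to review the standard Windows auto-start locations (the Run/RunOnce registry keys and the per-user and common Startup folders) and highlight entries whose command points into user-writable directories. The path heuristic at the end is a general triage aid and is an assumption of this example, not an indicator tied to ManticoraLoader.

```powershell
# Added example (not from the report): enumerate common Windows auto-start
# locations and flag entries launched from user-writable paths. The key and
# folder list is the standard set; nothing here is ManticoraLoader-specific.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry Run/RunOnce values: each named value is one auto-start command.
$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties PowerShell attaches to the object.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})

# Startup folders: any file dropped here runs at logon for that user (or all users).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$results += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
})

# Heuristic (assumption of this example): auto-start commands that resolve into
# user-writable locations deserve a closer look, because a loader that a
# low-privilege user executed can write there without elevation.
$suspicious = $results | Where-Object {
    $_.Command -match '\\(AppData|Temp|ProgramData|Public|Downloads)\\'
}

"All auto-start entries found:"
$results | Sort-Object Location, Name | Format-Table -AutoSize

if ($suspicious) {
    "`nEntries launched from user-writable paths (review these):"
    $suspicious | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM keys and the common Startup folder are readable; compare the output against a known-good baseline from the same image rather than judging entries in isolation, since legitimate software also uses these locations. Scheduled tasks and services are further auto-start channels the script does not cover.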

According to reports, ManticoraLoader’s stealth capabilities were demonstrated in a video showing that the 360 Total Security sandboxing solution failed to detect the malware. Despite the introduction of ManticoraLoader, threat actors are still actively employing AresLoader. DarkBLUP, the group behind AresLoader, rolled out the new MaaS, ManticoraLoader, likely aiming to capitalize on their previous success.

Although the group behind ManticoraLoader had been inactive for over a year, the features advertised for ManticoraLoader closely parallel those of AresLoader. If the claimed enhancements are accurate, however, the loader could make stealer and botnet infections of the kind seen with AresLoader significantly harder to detect.

In conclusion, the emergence of ManticoraLoader adds to the repertoire of malicious tools available to threat actors, underscoring the ongoing need for robust cybersecurity measures to protect against such threats. As cybercriminals continue to innovate and refine their tactics, cybersecurity professionals must remain vigilant and proactive in mitigating the risks posed by malware-as-a-service offerings like ManticoraLoader.
