Threat Hunter sheds light on a “sleek and evolving malware toolkit” called the Ragnar Loader used by various cybercrime and ransomware groups, including Ragnar Locker (aka Monstrous Mantis), Fin7, Fin8, and Ruthless Mantis (Ex-Revil).
“Ragnar Loader plays a key role in maintaining access to compromised systems and helping attackers stay on the network for long-term operation,” Swiss Cybersecurity Company Prodaft said in a statement shared with Hacker News.
“It’s linked to the Ragnar Locker Group, but it’s unclear whether they own it or borrow it from others. What we know is that its developers are constantly adding new features, making it more modular and difficult to detect.”
The Ragnar Loader, also known as Sardonic, was first documented by BitDefender in August 2021 in connection with a failed attack by FIN8 aimed at an unnamed financial institution in the US, which is said to be in use since 2020.
Then in July 2023, Symantec, owned by Broadcom, revealed that Fin8 used an updated version of the backdoor to provide the now-deprecated black cat ransomware.
The core function of the Ragnar Loader is its ability to establish long-term scaffolding within the target environment, while also using the arsenal of methods to avoid detection and ensure operational resilience.
“Malware is exploited to run powershell-based payloads, incorporating strong encryption and encoding methods (including RC4 and Base64) to hide operations, and employing sophisticated process injection strategies to stealth control and maintain compromised systems,” Prodaft said.
“These features collectively enhance our ability to avoid detection and sustain within the target environment.”
Malware is provided to affiliates in the form of an archive file package containing multiple components to facilitate reverse shell, local privilege escalation, and remote desktop access. It is also designed to establish communication with threat actors, allowing remote control of infected systems via a command and control (C2) panel.
Typically, running on victim systems using PowerShell, Ragnar Loader integrates anti-analytic techniques to resist detection and obscure control flow logic.
Additionally, it has the ability to perform various backdoor operations by running DLL plugins and shellcode, reading and excludeing the contents of any file. Use a separate PowerShell-based pivot file to enable lateral movement within the network.
Another important component is a Linux executable file named BC, designed to facilitate remote connections. An attacker can directly execute and execute command line instructions on a compromised system.
“It employs advanced observation, encryption and anti-analytic techniques, including PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic process injection, token manipulation, and lateral movement capabilities,” Prodaft said. “These features illustrate the increased complexity and adaptability of modern ransomware ecosystems.”
Source link
