AresLoader (Malware Family)

AresLoader

VTCollection

AresLoader is a new malware "downloader" that has been advertised on some Russian language Dark Web forums “RAMP and "XSS" by a threat actor called "DarkBLUP". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

1. Written in C/C++
2. Supports 64-bit payloads
3. Makes it look like malware spawned by another process
4. Prevents non-Microsoft signed binaries from being injected into malware
5. Hides suspicious imported Windows APIs
6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

References

2023-04-02 ⋅ OALabs ⋅ Sergei Frankoff
AresLoader Taking a closer look at this new loader
AresLoader

2023-03-22 ⋅ Intel 471 ⋅ Roberto Martinez, Taisiia Garkava
New loader on the bloc - AresLoader
AresLoader

2023-03-18 ⋅ Twitter (@k3dg3) ⋅ Kelsey Merriman
Tweet on TA579 distributing AresLoader via WeTransfer URLs
AresLoader

2023-03-06 ⋅ Flashpoint ⋅ Flashpoint
Private Malware for Sale: A Closer Look at AresLoader
AresLoader

2022-12-28 ⋅ ZeroFox ⋅ DARK OPS
The Underground Economist: Volume 2, Issue 24
AresLoader

Yara Rules

[TLP:WHITE] win_aresloader_auto (20230808 | Detects win.aresloader.)

rule win_aresloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.aresloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85db 7435 85f6 7431 }
            // n = 4, score = 400
            //   85db                 | test                ebx, ebx
            //   7435                 | je                  0x37
            //   85f6                 | test                esi, esi
            //   7431                 | je                  0x33

        $sequence_1 = { c744241410000000 c744241000000000 c744240c00000000 c744240800000000 c744240400000000 }
            // n = 5, score = 400
            //   c744241410000000     | mov                 dword ptr [esp + 0x14], 0x10
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c00000000     | mov                 dword ptr [esp + 0xc], 0
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        $sequence_2 = { 8b6c243c 3d???????? 741d 896c243c }
            // n = 4, score = 400
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   3d????????           |                     
            //   741d                 | je                  0x1f
            //   896c243c             | mov                 dword ptr [esp + 0x3c], ebp

        $sequence_3 = { a1???????? 8b5c2430 8b742434 8b7c2438 8b6c243c 3d???????? }
            // n = 6, score = 400
            //   a1????????           |                     
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   8b7c2438             | mov                 edi, dword ptr [esp + 0x38]
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   3d????????           |                     

        $sequence_4 = { 8b7c2438 8b6c243c 85db 7435 }
            // n = 4, score = 400
            //   8b7c2438             | mov                 edi, dword ptr [esp + 0x38]
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   85db                 | test                ebx, ebx
            //   7435                 | je                  0x37

        $sequence_5 = { 7431 896c240c 897c2408 895c2404 893424 }
            // n = 5, score = 400
            //   7431                 | je                  0x33
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi

        $sequence_6 = { 8b6c243c 85db 7435 85f6 }
            // n = 4, score = 400
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   85db                 | test                ebx, ebx
            //   7435                 | je                  0x37
            //   85f6                 | test                esi, esi

        $sequence_7 = { 8b7c2438 8b6c243c 3d???????? 741d 896c243c }
            // n = 5, score = 400
            //   8b7c2438             | mov                 edi, dword ptr [esp + 0x38]
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   3d????????           |                     
            //   741d                 | je                  0x1f
            //   896c243c             | mov                 dword ptr [esp + 0x3c], ebp

        $sequence_8 = { 893424 e8???????? 85c0 7831 }
            // n = 4, score = 400
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7831                 | js                  0x33

        $sequence_9 = { 7431 896c240c 897c2408 895c2404 }
            // n = 4, score = 400
            //   7431                 | je                  0x33
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   895c2404             | mov                 dword ptr [esp + 4], ebx

    condition:
        7 of them and filesize < 2657280
}

Download all Yara Rules

AresLoader Propose Change

References

Yara Rules

AresLoader