Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza.
BabbleLoader is an “extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory,” Intezer security researcher Ryan Robinson said in a report published Sunday.
Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software.
Loaders have become an increasingly prevalent method to deliver malware, like stealers or ransomware, often acting as the first stage in an attack chain in a manner that sidesteps traditional antivirus defenses by incorporating a bevy of anti-analysis and anti-sandboxing features.
This is evidenced in the steady stream of new loader families that have emerged in recent years. This includes but is not limited to Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader, among others, which have been used to propagate various payloads like CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.
What makes BabbleLoader stand out is that it packs various evasion techniques that can fool both traditional and AI-based detection systems. This encompasses the use of junk code and metamorphic transformations that modify the loader’s structure and flow to bypass signature-based and behavioral detections.
It also gets around static analysis by resolving necessary functions only at runtime, alongside taking steps to impede analysis in sandboxed environments. Furthermore, the excessive addition of meaningless, noisy code causes disassembly or decompilation tools like IDA, Ghidra, and Binary Ninja to crash, forcing a manual analysis.
“Each build of the loader will have unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow,” Robinson said. “Each sample is structurally unique with only a few snippets of shared code. Even the metadata of the file is randomized for each sample.”
“This constant variation in code structure forces AI models to continuously re-learn what to look for — a process that often leads to missed detections or false positives.”
The loader, at its core, is responsible for loading shellcode that then paves the way for decrypted code, a Donut loader, which, in turn, unpacks and executes the stealer malware.
“The better that the loaders can protect the ultimate payloads, the less resources threat actors will need to expend in order to rotate burned infrastructure,” Robinson concluded. “BabbleLoader takes measures to protect against as many forms of detection that it can, in order to compete in a crowded loader/crypter market.”
The development comes as Rapid7 detailed a new malware campaign that distributes a new version of LodaRAT that’s equipped to steal cookies and passwords from Microsoft Edge and Brave, in addition to gathering all kinds of sensitive data, delivering more malware, and granting remote control of compromised hosts. It’s been active since September 2016.
The cybersecurity company said it “spotted new versions being distributed by Donut loader and Cobalt Strike,” and that it “observed LodaRAT on systems infected with other malware families like AsyncRAT, Remcos, XWorm, and more.” That said, the exact relationship between these infections remains unclear.
It also follows the discovery of Mr.Skeleton RAT, a new malware based on njRAT, that has been advertised on the cybercrime underground and comes with functionality for “remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, as well as remote control of the devices’ camera.”
