Menace hunters have shed gentle on a “subtle and evolving malware toolkit” known as Ragnar Loader that is utilized by varied cybercrime and ransomware teams like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).
“Ragnar Loader performs a key position in preserving entry to compromised methods, serving to attackers keep in networks for long-term operations,” Swiss cybersecurity firm PRODAFT mentioned in a press release shared with The Hacker Information.
“Whereas it is linked to the Ragnar Locker group, it is unclear in the event that they personal it or simply lease it out to others. What we do know is that its builders are always including new options, making it extra modular and more durable to detect.”
Ragnar Loader, additionally known as Sardonic, was first documented by Bitdefender in August 2021 in reference to an unsuccessful assault carried out by FIN8 aimed toward an unnamed monetary establishment positioned within the U.S. It is mentioned to have been put to make use of since 2020.
Then in July 2023, Broadcom-owned Symantec revealed FIN8’s use of an up to date model of the backdoor to ship the now-defunct BlackCat ransomware.
The core performance of Ragnar Loader is its capability to ascertain long-term footholds inside focused environments, whereas using an arsenal of methods to sidestep detection and guarantee operational resilience.
“The malware makes use of PowerShell-based payloads for execution, incorporates sturdy encryption and encoding strategies (together with RC4 and Base64) to hide its operations, and employs subtle course of injection methods to ascertain and preserve stealthy management over compromised methods,” PRODAFT famous.
“These options collectively improve its capability to evade detection and persist inside focused environments.”
The malware is obtainable to associates within the type of an archive file bundle containing a number of elements to facilitate reverse shell, native privilege escalation, and distant desktop entry. It is also designed to ascertain communications with the menace actor, permitting them to remotely management the contaminated system by way of a command-and-control (C2) panel.
Usually executed on sufferer methods utilizing PowerShell, Ragnar Loader integrates a bevy of anti-analysis methods to withstand detection and obscure management circulation logic.
Moreover, it options the power to conduct varied backdoor operations by operating DLL plugins and shellcode, in addition to studying and exfiltrating the contents of arbitrary information. To allow lateral motion inside a community, it makes use of one other PowerShell-based pivoting file.
One other essential part is a Linux executable ELF file named “bc” that is designed to facilitate distant connections, allowing the adversary to launch and execute command-line directions immediately on the compromised system.
PRODAFT advised the publication that “bc” is just like the BackConnect modules current in different recognized malware households like QakBot and IcedID that allow distant interplay with the sufferer’s machine. “It is a frequent method amongst cybercriminals, particularly for concentrating on enterprise victims, as their units are sometimes network-isolated,” it mentioned.
“It employs superior obfuscation, encryption, and anti-analysis methods, together with PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic course of injection, token manipulation, and lateral motion capabilities,” the corporate added. “These options exemplify the growing complexity and flexibility of contemporary ransomware ecosystems.”
