AresLoader
Intelligence Profile
AresLoader is a new malware "downloader" that has been advertised on the Russian-language dark web forums "RAMP" and "XSS" by a threat actor called "DarkBLUP". Researchers assess that this loader is likely a legitimate penetration testing tool now being abused by threat actors, because a similar project, dubbed "Project Ares", was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer "CerberSec".
The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:
1. Written in C/C++
2. Supports 64-bit payloads
3. Makes the malware appear to have been spawned by a different process
4. Prevents non-Microsoft-signed binaries from being injected into the malware's process
5. Hides suspicious imported Windows APIs
6. Leverages anti-analysis techniques to avoid reverse engineering
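The third item above, making the loader look as though another process spawned it, defeats detections that rely only on the parent/child pair reported in a process-creation event. The script below is an added example, not code from the profile or from the loader's author: it correlates constructed Sysmon-style events (Event ID 10, process access, and Event ID 1, process creation; the record fields and sample values are assumptions) to recover the process that actually requested the creation. A process that first obtains a handle to a would-be "parent" with the PROCESS_CREATE_PROCESS right (0x0080) and is shortly followed by a new process naming that same "parent" is a useful lead, though some legitimate installers and task hosts produce the same pattern, so treat a hit as a triage item rather than a verdict.

```python
"""Heuristic detection of spoofed parent processes from process-access and
process-creation telemetry. All events below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Access right a process must hold on the chosen "parent" to use it as the
# parent in a spoofed creation (Windows PROCESS_CREATE_PROCESS = 0x0080).
PROCESS_CREATE_PROCESS = 0x0080


@dataclass
class ProcessAccess:  # shape of a Sysmon Event ID 10 record (assumed field names)
    time: datetime
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    granted_access: int


@dataclass
class ProcessCreate:  # shape of a Sysmon Event ID 1 record (assumed field names)
    time: datetime
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def find_spoofed_parents(access_events, create_events, window=timedelta(seconds=10)):
    """Return one alert per creation event whose reported parent was opened
    with PROCESS_CREATE_PROCESS by some *other* process within `window`
    beforehand. That other process is the likely real creator."""
    alerts = []
    for c in create_events:
        for a in access_events:
            opened_reported_parent = a.target_pid == c.parent_pid
            can_create_as_parent = bool(a.granted_access & PROCESS_CREATE_PROCESS)
            not_the_parent_itself = a.source_pid != c.parent_pid
            in_window = timedelta(0) <= c.time - a.time <= window
            if opened_reported_parent and can_create_as_parent and not_the_parent_itself and in_window:
                alerts.append({
                    "child_pid": c.pid,
                    "child_image": c.image,
                    "reported_parent_pid": c.parent_pid,
                    "reported_parent_image": c.parent_image,
                    "real_creator_pid": a.source_pid,
                    "real_creator_image": a.source_image,
                })
    return alerts


# Constructed sample telemetry (not real IoCs): a loader opens explorer.exe
# with full access, then a child appears that claims explorer.exe as parent.
T0 = datetime(2023, 1, 1, 12, 0, 0)
SAMPLE_ACCESS = [
    ProcessAccess(T0, 4242, r"C:\Users\victim\AppData\Local\Temp\updater.exe",
                  612, r"C:\Windows\explorer.exe", 0x1FFFFF),
    # Benign: a monitoring tool only queried explorer.exe (no create-process bit).
    ProcessAccess(T0 + timedelta(seconds=2), 900, r"C:\Program Files\Monitor\mon.exe",
                  612, r"C:\Windows\explorer.exe", 0x1000),
]
SAMPLE_CREATE = [
    # Suspicious: cmd.exe reports explorer.exe as parent one second after the open.
    ProcessCreate(T0 + timedelta(seconds=1), 5000, r"C:\Windows\System32\cmd.exe",
                  612, r"C:\Windows\explorer.exe"),
    # Benign: services.exe starting svchost.exe with no prior access event.
    ProcessCreate(T0 + timedelta(seconds=3), 5100, r"C:\Windows\System32\svchost.exe",
                  700, r"C:\Windows\System32\services.exe"),
]


def run_sample():
    return find_spoofed_parents(SAMPLE_ACCESS, SAMPLE_CREATE)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"child {alert['child_image']} (pid {alert['child_pid']}) reports parent "
              f"{alert['reported_parent_image']} but was likely created by "
              f"{alert['real_creator_image']} (pid {alert['real_creator_pid']})")
```

The correlation is deliberately loose (any process, not only the loader's name, and a ten-second window) so that it generalises beyond this loader; tighten the window and exclude known-good creators once you have a baseline from your own hosts.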
Furthermore, SystemBC, Amadey, and several Raccoon Stealer infections were observed directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads such as SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.
Threat Analysis
AresLoader is operated by a threat actor of undetermined national origin that is engaged in cyber operations; the actor's primary motivation and activity patterns are unknown.