New Malware-as-a-Service Loader Bypasses Windows Defender, Steals Your Data

Sergei Panteleevich, the alias of the D3F@ck Loader developer, operates under the Telegram handles @Mavr_MMM and AO_MMM and the forum handle Null14. Previously known as GhostBusters, he has a negative reputation within the Telegram community. 

Despite using the name of a notorious Russian fraudster, the developer’s Telegram activity reveals a history of inappropriate behavior resulting in restrictions. Analysis of the D3F@ck Loader and associated infrastructure is ongoing, with indicators of compromise to be released. 

Snippet of the conversation from Lumma Public Chat from other users talking about Sergei

Sergei, operating as the GhostBusters Team, is a cybercriminal involved in malware distribution whose team, also known as the MMM Team, recruits individuals to propagate Meta Stealer for data exfiltration. 

It engages in illicit activities such as selling Extended Validation certificates for substantial sums and offering customized company names as part of the deal. 

 Certificate sale announcement 

D3F@ck Loader leverages EV certificates from dubious companies to bypass security mechanisms, presenting a legitimate facade to unsuspecting users, which is easily obtainable through services like FakeBat and eDragon_x, enhancing malware credibility, allowing for smooth execution and bypassing UAC prompts. 

However, their effectiveness is short-lived due to frequent revocation efforts. Identifying certificates used by D3F@ck, including those from LLC Kama Lubricant Company to MAD PANDA Ltd, reveals potential connections to Sergei, a Russian national in his late 30s with a background in construction. 

An UAC prompt appears upon running the file with a valid EV certificate.

It was initially distributed as an Inno Setup installer and leveraged Pascal scripting to orchestrate its malicious activities, which contain essential tools like 7-Zip and an elevation utility, along with core components for Java payload execution. 

Decoding the installer’s compiled script reveals techniques for extracting the password-protected archive, underscoring the malware’s layered approach to infection. 

Installation directory

The loader deploys Setup.exe and Elevate.exe after archive extraction, whose core functionality relies on Java, specifically JPHP code within a JAR file. The “executePowerShellCommand” method in the decompiled JPHP code manipulates Windows Defender by adding exclusions and disabling behavior monitoring. 

It fetches the final payload, base64-encoded on a C2 server, and saves it to the %TEMP% folder with a dynamically generated filename based on a base64-encoded MD5 hash of the current microtime. 

The Telegram channel served as a DDR.

The D3F@ck Malware-as-a-Service loader evolved its obfuscation techniques in April and May 2024, when the loader switched from standard base64 encoding to a custom base64 scheme with a custom alphabet for strings. 

Anti-sandbox features were introduced, checking for processes or virtual machine-related strings to terminate execution, while the loader also integrated a Dead Drop Resolver mechanism using Telegram as a fallback C2 server.  

According to eSentire, it underwent modifications in August 2024, including a path change to “%TEMP%\hsperfdata_admin” for subsequent payloads within the PICADOR method and a new disk space check (ISENOUGHSPACE) requiring at least 120GB on the system drive. 

The loader’s persistence is enhanced through Inno Setup and Pascal scripting, while EV certificates aid in bypassing security measures, which continue to actively distribute payloads through various methods, leveraging a traffic team and selling access to the loader and EV certificates. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here