New ManticoraLoader Malware Targeting Citrix Users to Steal Data

Researchers discovered that DeadXInject, responsible for AresLoader and AiDLocker, has launched a new malware-as-a-service called ManticoraLoader, which has been offered on underground forums and Telegram since August 8, 2024. 

The organization is notorious for their involvement in the development of ransomware and has a history of targeting users of Citrix computer systems.

The DarkBLUP post describes ManticoraLoader, a C-based malware tool, which outlines its functionalities, such as file manipulation, network communication, and process management. It also explains its operational logic and provides usage guidelines for attackers to deploy and exploit the tool effectively.

TA’s advertisement on the Telegram Channel.

ManticoraLoader is a malware capable of collecting detailed system information from infected Windows devices, including IP address, username, language, antivirus status, unique identifier, and timestamps, which is used to target specific vulnerabilities and compromise additional systems.

Its broad compatibility and reconnaissance capabilities suggest it’s a versatile tool for sophisticated cyber campaigns, which transmits victim data to a central control panel, enabling threat actors to profile victims, tailor attacks, and maintain control over compromised systems.

By offering persistence, modularity, and obfuscation for various malicious objectives, it charges a monthly rental fee of USD 500 and is marketed as difficult to detect.

Sample of panel interface published by the TA

The actors have implemented a restricted client transaction process, limiting interactions to a maximum of 10 clients through the forum’s escrow service or personal messaging platforms, which aims to maintain control and minimize exposure.

The stealthy loader successfully evaded detection by Kleenscan and bypassed 360 Total Security’s sandboxing mechanism, likely due to sophisticated obfuscation techniques, which were demonstrated in a video posted on the threat actors’ Telegram channel.

 Loader analyzed by the TA with CFF Explorer.

CRIL reports that AresLoader continues to be used by threat actors despite the introduction of ManticoraLoader. VirusTotal findings confirm this, indicating ongoing activity and relevance of AresLoader in the threat landscape.

TA DarkBLUP, after a year of inactivity, has announced ManticoraLoader as a new MaaS, potentially for increased revenue, which follows the success of their previous MaaS, AresLoader, and the AiDLocker ransomware. 

Despite the fact that the reason for their extended break is still unknown, it is possible that it was caused by a shift in focus or organizational restructuring within the company.

The ManticoraLoader’s advertised features, despite seeming similar to the older version, might pose a new challenge to detecting stealer and botnet infections, similar to the AresLaoder campaigns, if the TA’s claims of improved features are accurate.

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here