
AresLoader

AresLoader is a new malware "downloader" that has been advertised on the Russian-language Dark Web forums "RAMP" and "XSS" by a threat actor called "DarkBLUP". Researchers assess that this loader is likely a legitimate penetration testing tool that is now being abused by threat actors, because a similar project, dubbed "Project Ares," was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer "CerberSec."

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

1. Written in C/C++

2. Supports 64-bit payloads

3. Makes it look like malware spawned by another process

4. Prevents non-Microsoft signed binaries from being injected into malware

5. Hides suspicious imported Windows APIs

6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealer infections were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads such as SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

C2 Infrastructure

Last 7 days (as of May 24, 2026): C2 Hosts: 1; hosting type: Hosting/VPS 100%