
ModernLoader Malware

The ModernLoader Malware possesses loader and RAT (Remote Access Trojan) capabilities. The threat is relatively lightweight and, as such, is not equipped with an extensive set of threatening capabilities. After all, its main purpose is to infiltrate targeted devices and help deploy a more specialized next-stage payload to them. Infosec researchers also track ModernLoader under the names Avatar Bot and AvatarLoader.

When fully established on the breached system, ModernLoader will first collect device-related data, including the OS version, CPU, RAM, currently available disk space, the active account type, the IP address, the presence of security tools and more. Afterward, the threat will proceed to its main task of fetching and deploying additional corrupted modules.

The researchers at Cisco Talos Intelligence Group, who analyzed ModernLoader, discovered 10 such modules hosted on the threat actors' Command-and-Control (C2, C&C) server. However, the researchers note that not all 10 of the modules were available for download. Once activated, ModernLoader runs in a perpetual loop and contacts its C2 server only periodically to check for new instructions or tasks. So far, the threat has been used in attack campaigns delivering a diverse group of malware, including versions of the XMRig crypto-mining tool, the RedLine Stealer threat, the SystemBC malware, and the DarkCrystal RAT.
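The periodic C2 check-in described above is a pattern defenders can hunt for in web proxy logs. The following is an added example written for this page, not code from the article or from Cisco Talos: it flags host-to-destination pairs whose request intervals are nearly constant, using constructed log lines with placeholder addresses and a hypothetical `/gate.php` path rather than any real ModernLoader indicator.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real ModernLoader traffic).
# Format: ISO timestamp, source host, destination host, request path.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:00:07 10.0.0.5 198.51.100.20 /index.html
2024-05-01T10:05:01 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:09:59 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:12:30 10.0.0.5 198.51.100.20 /news
2024-05-01T10:15:00 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:20:02 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:25:00 10.0.0.5 203.0.113.10 /gate.php
2024-05-01T10:41:13 10.0.0.5 198.51.100.20 /login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Group request timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, src, dst, _path = m.groups()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(log_text, min_hits=5, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for pairs whose gaps are nearly constant."""
    results = []
    for (src, dst), times in parse(log_text).items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a low value means a timer-driven schedule,
        # which is what a loader polling its C2 in a loop produces.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            results.append((src, dst, round(mean)))
    return results


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Tune `min_hits` and `max_jitter` to your environment; legitimate software updaters also poll on a timer, so a hit is a lead for triage, not a verdict.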
