
Pronsis Loader

Cybersecurity researchers have identified a new malware loader named the Pronsis Loader. This loader has been observed in recent campaigns delivering threats like the Lumma Stealer and Latrodectus. The earliest versions of the Pronsis Loader date back to November 2023.

This newly discovered malware shows similarities to the D3F@ck Loader, particularly in its use of JPHP-compiled executables, making the two loaders largely interchangeable. However, they differ in their installer methods: while the D3F@ck Loader relies on the Inno Setup Installer, the Pronsis Loader utilizes the Nullsoft Scriptable Install System (NSIS).
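Because the page distinguishes the two loaders mainly by their installer framework (NSIS versus Inno Setup) and their shared use of JPHP-compiled executables, a static triage check for those traits is a natural defender-side aid. The script below is an added example, not code from the page or from any vendor; the NSIS and Inno Setup byte markers are well-known installer signatures, while the JPHP indicators (the string "jphp" and the ".phb" bytecode extension) are an assumption made for illustration, and the sample blobs are constructed, not real malware.

```python
"""Static triage: classify a Windows installer as NSIS or Inno Setup and flag
JPHP indicators.  Added example; marker choices for JPHP are an assumption."""

# Installer-framework markers. The NSIS first-header magic is 0xDEADBEEF
# followed by "NullsoftInst"; Inno Setup embeds its own data-header string.
NSIS_MARKERS = (b"\xef\xbe\xad\xdeNullsoftInst", b"Nullsoft Install System")
INNO_MARKERS = (b"Inno Setup Setup Data",
                b"This installation was built with Inno Setup")
# Assumed JPHP indicators: compiled JPHP bytecode is stored in .phb files.
JPHP_MARKERS = (b"jphp", b".phb")


def find_markers(data: bytes, markers) -> list[str]:
    """Return the markers present in data (ASCII case-insensitive search)."""
    lowered = data.lower()
    return [m.decode("latin-1") for m in markers if m.lower() in lowered]


def classify_installer(data: bytes) -> dict:
    """Report the installer framework and any JPHP indicators for one file."""
    nsis = find_markers(data, NSIS_MARKERS)
    inno = find_markers(data, INNO_MARKERS)
    if nsis and not inno:
        framework = "NSIS"          # Pronsis-style packaging per the page
    elif inno and not nsis:
        framework = "Inno Setup"    # D3F@ck-style packaging per the page
    elif nsis and inno:
        framework = "ambiguous"     # both markers: inspect manually
    else:
        framework = "unknown"
    return {"installer": framework,
            "jphp_indicators": find_markers(data, JPHP_MARKERS),
            "markers": nsis + inno}


def triage_file(path: str) -> dict:
    """Convenience wrapper: classify a file on disk."""
    with open(path, "rb") as fh:
        return classify_installer(fh.read())


# Constructed stand-ins for file contents (not real samples).
SAMPLE_NSIS = b"MZ..." + b"\xef\xbe\xad\xdeNullsoftInst" + b"...lib/app.phb...JPHP runtime"
SAMPLE_INNO = b"MZ..." + b"Inno Setup Setup Data (6.2.0)" + b"...app.phb"
SAMPLE_PLAIN = b"MZ..." + b"ordinary program with no installer stub"

if __name__ == "__main__":
    for name, blob in (("nsis", SAMPLE_NSIS), ("inno", SAMPLE_INNO), ("plain", SAMPLE_PLAIN)):
        print(name, classify_installer(blob))
```

Run it against a directory of quarantined installers with `triage_file` to sort samples by framework before deeper analysis; the JPHP flag alone is not proof of either loader.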

The Pronsis Loader is Part of a New Cyber Campaign against Ukrainian Targets

A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.

Researchers are tracking the activity under the name UNC5812. The threat group operates a Telegram channel named 'civildefense_com_ua,' created on September 10, 2024, which had 184 subscribers at the time of analysis. It also maintains a website at 'civildefense.com.ua,' registered on April 24, 2024.

'Civil Defense' claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy operating-system-specific commodity malware along with a decoy mapping application dubbed SUNSPINNER.

Attackers Infect Both Windows and Android Devices

For Windows users, the ZIP archive offered by the site initiates the deployment of the recently identified PHP-based loader Pronsis, which in turn delivers SUNSPINNER and an off-the-shelf stealer known as PureStealer. PureStealer is sold at prices ranging from $150 for a monthly subscription to $699 for a lifetime license.

SUNSPINNER, meanwhile, displays a map showing alleged locations of Ukrainian military recruiters; the map's contents are controlled via a Command-and-Control (C2) server operated by the threat actor.

For those accessing the site on Android devices, the attack chain deploys a malicious APK file (package name: 'com.http.masters'), embedding a remote access trojan known as CraxsRAT. The website also provides instructions to victims on how to disable Google Play Protect and grant the malicious app full permissions, enabling it to operate without restriction.

CraxsRAT is a well-known Android malware family, equipped with extensive remote control capabilities and advanced spyware functions, including keylogging, gesture manipulation, and the ability to record cameras, screens and calls.
