AresLoader is a malware loader: malicious software that infiltrates a system and delivers further payloads to it. It has been observed alongside Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, LummaC2, Vidar, Gozi, Canyon, Nokoyawa ransomware, and BlackBasta ransomware. In 2023 its use expanded to several additional malware families: Nokoyawa and BlackBasta ransomware, malware obtained or purchased from FIN7 developers such as Minodo and DiceLoader, a new family named Canyon, and the information stealers Vidar and LummaC2. Researchers have also shared information on ManticoraLoader, a new Malware-as-a-Service (MaaS) offering from the AresLoader group, indicating that the group's operation continues to grow.
AresLoader's crypters, applications that encrypt and obfuscate a malware payload so that it evades antivirus scanners and resists analysis, have been observed wrapping new malware strains over the past year, including initial-access tools and information stealers such as SVCReady, CargoBay, Matanbuchus, Pikabot, Vidar, Minodo, and LummaC2 Stealer. IBM Security X-Force reported that these crypters are being used to distribute AresLoader itself as well as Canyon, CargoBay, DiceLoader, LummaC2, Matanbuchus, Minodo, Pikabot, SVCReady, and Vidar.
The AresLoader operation is centralised: the control panel is managed and hosted by the malware seller, and every AresLoader build communicates with a single server. The IP address of that server belongs to autonomous system AS204603, registered to Partner LLC, which also hosts the "Shark" stealer panel, indicating that the ASN supports malicious infrastructure beyond AresLoader. On a victim host, AresLoader creates a Registry AutoRun key so that it is relaunched at logon and retains access to the environment, and the sellers run a Telegram channel for discussions related to the bot.
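As an added illustration of the persistence mechanism just described (example code written for this page, not code from the page or from the AresLoader research it summarises), the following Python scans Sysmon Event ID 13 (registry value set) records for writes to Run/RunOnce keys and flags writers that live in user-writable paths; the "key=value|key=value" record layout and all sample values are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records in a
# hypothetical "key=value|key=value" layout, one per line. Sample data only.
SAMPLE_EVENTS = r"""
EventID=13|EventType=SetValue|Image=C:\Users\alice\AppData\Local\Temp\setup.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate|Details=C:\Users\alice\AppData\Roaming\svc\svc.exe
EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\System\CurrentControlSet\Services\BITS\Start|Details=DWORD (0x00000003)
EventID=1|EventType=ProcessCreate|Image=C:\Windows\explorer.exe|CommandLine=explorer.exe
EventID=13|EventType=SetValue|Image=C:\Program Files\Vendor\Installer.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup|Details=C:\Program Files\Vendor\finish.exe
"""

# Run / RunOnce autostart keys under HKLM and HKU\<SID> (how Sysmon logs HKCU).
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# A writer running from a user-writable location deserves a higher priority.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

@dataclass
class AutorunHit:
    image: str       # process that wrote the value
    target: str      # full registry path of the value
    details: str     # value data (normally the autostart command line)
    from_user_writable_path: bool

def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def find_autorun_writes(lines):
    """Return every Run/RunOnce value-set event, in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if AUTORUN_KEY_RE.search(target):
            image = ev.get("Image", "")
            hits.append(AutorunHit(image, target, ev.get("Details", ""),
                                   bool(USER_WRITABLE_RE.search(image))))
    return hits

if __name__ == "__main__":
    for hit in find_autorun_writes(SAMPLE_EVENTS.splitlines()):
        flag = "HIGH" if hit.from_user_writable_path else "review"
        print(f"[{flag}] {hit.image} wrote {hit.target} = {hit.details}")
```

The service-start change and the process-creation event are ignored, while the Temp-resident writer to a Run key is ranked above a vendor installer's RunOnce entry; in production the same filter would be fed from a SIEM query rather than an inline string.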
Description last updated: 2024-09-02T15:17:05.663Z