Power Loader is a type of malware that serves as a bot builder, primarily used for creating downloaders for other malware families. This reflects a broader trend towards specialization and modularity in malware production. The first version of Power Loader was compiled at the beginning of September 2012, and its export table reveals its distinctive structure. It uses one main Command and Control (C&C) URL and two reserve URLs to maintain connectivity with and control over infected systems.
From November 2012 onwards, the malware known as Win32/Redyms began incorporating Power Loader components into its own dropper. This integration suggests that Power Loader's functionality and adaptability made it a valuable tool in the broader landscape of malicious software. The hashes for analyzed samples of Power Loader are as follows: v1 (builder) - a189ee99eff919b7bead989c6ca252b656b61137, v1 (dropper) - 86f4e140d21c97d5acf9c315ef7cc2d8f11c8c94, and v2 (dropper) - 7f7017621c13065ebe687f46ea149cd8c582176d.
An intriguing aspect of Power Loader is its use of the open-source disassembler "Hacker Disassembler Engine" (HDE) for code injection. Interestingly, the same engine is also used by another malware family, Win32/Gapz, in one of its bootkit shellcode modules. While this does not conclusively establish that the developers of Power Loader and Gapz are the same, it does highlight a shared methodology between different types of malware, pointing to potential avenues for further investigation and countermeasures.
Description last updated: 2024-03-06T06:19:44.073Z