Cybersecurity researchers have discovered a new stealthy malware loader named BabbleLoader, which has been observed in the wild delivering information stealer families like WhiteSnake and Meduza.
According to Intezer security researcher Ryan Robinson, BabbleLoader is an “extremely evasive loader, packed with defensive mechanisms, designed to bypass antivirus and sandbox environments to deliver stealers into memory.”
Evidence indicates that the loader is being used in several campaigns targeting both English- and Russian-speaking individuals. It primarily targets users searching for generic cracked software, as well as business professionals in finance and administration, by disguising itself as accounting software.
Cybersecurity Threats
Loaders have become a prevalent method for delivering malware, such as stealers or ransomware. They often act as the first stage in an attack chain, incorporating a range of anti-analysis and anti-sandboxing features to evade traditional antivirus defenses.
This trend is evidenced by the emergence of new loader families in recent years, including Dolphin Loader, Emmenthal, FakeBat, and Hijack Loader. These loaders have been used to propagate various payloads like CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.
What sets BabbleLoader apart is its array of evasion techniques that can deceive both traditional and AI-based detection systems. This includes the use of junk code and metamorphic transformations that modify the loader’s structure and flow to bypass signature-based and behavioral detections.
BabbleLoader also evades static analysis by resolving necessary functions only at runtime and takes steps to impede analysis in sandboxed environments. Additionally, the excessive addition of meaningless, noisy code causes disassembly or decompilation tools like IDA, Ghidra, and Binary Ninja to crash, forcing a manual analysis.
“Each build of the loader will have unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow,” Robinson noted. “Each sample is structurally unique with only a few snippets of shared code. Even the metadata of the file is randomized for each sample.”
“This constant variation in code structure forces AI models to continuously re-learn what to look for—a process that often leads to missed detections or false positives.”
At its core, BabbleLoader is responsible for loading shellcode that decrypts and runs the next stage, a Donut loader, which in turn unpacks and executes the stealer malware.
“The better the loaders can protect the ultimate payloads, the fewer resources threat actors will need to expend to rotate burned infrastructure,” Robinson concluded. “BabbleLoader takes measures to protect against as many forms of detection as it can to compete in a crowded loader/crypter market.”
Recent Cybersecurity Developments
The discovery of BabbleLoader comes as Rapid7 detailed a new malware campaign distributing a new version of LodaRAT. This version is equipped to steal cookies and passwords from Microsoft Edge and Brave browsers, in addition to gathering sensitive data, delivering more malware, and granting remote control of compromised hosts. Active since September 2016, this campaign has recently seen LodaRAT distributed by Donut loader and Cobalt Strike.
The cybersecurity company noted that it observed LodaRAT on systems infected with other malware families like AsyncRAT, Remcos, XWorm, and more. However, the exact relationship between these infections remains unclear.
Additionally, researchers have discovered Mr.Skeleton RAT, a new malware based on njRAT. Advertised on the cybercrime underground, it comes with functionality for remote access and desktop operations, file/folder and registry manipulation, remote shell execution, keylogging, and remote control of device cameras.
By staying informed about these evolving threats and implementing robust security measures, organizations can better protect their systems against such sophisticated cyber attacks.