Blueliv Labs team detected a new data stealer malware named ZeroEvil developed by the same developer who created the remote access Trojan (RAT) ARS Loader and used in a malware campaign by the AirNaine actor (known as TA545 by Proofpoint).
The ARS Loader data stealer has been part of malware campaigns since December 2017, detected while being disseminated through spam and malvertising campaigns and behaving as a remote access trojan (RAT).
ARS Loader is written in Visual Basic Script, and it is capable of collecting and exfiltrating data from the compromised machines, downloading and executing malicious tools, self-updating and uninstalling, as well as using the victim's computing as part of Denial of Service (DoS) attacks.
The ARS Loader RAT evolved since 2017, with its developer continuously expanding its capabilities, adding PowerShell download and execution, screenshot exfiltration, monitoring, persistence on the infected system, and Edge passwords theft.
The new strain observed by the Blueliv Labs team was first detected in mid-September when malware samples with the same activity patterns as ARS Loader but with enough differences in the malicious code to deserve some extra attention.
On closer inspection, the Blueliv Labs researchers found out that although ARS Loader and the new strain dubbed ZeroEvil shared both code and capabilities hinting at the same developer building both of them, there are things that set them apart.
AirNaine (TA545) uses the ARS Loader and ZeroEvil RATs to compromise Canadian businesses and steal credentials and banking info
Moreover, ZeroEvil communicates with its command-and-control (C&C) server using encrypted channels while ARS Loader was sending and receiving everything in plain text.
Furthermore, ZeroEvil will also send the compromised machine's process list to the C&C server and will scour the hard drives for text, dat, and default_wallet files exfiltrating them to the threat actor.
ZeroEvil has already been detected while being used in active spam and malvertising campaigns against Canadian businesses together with its ARS Loader sibling and the AZORult Trojan which was observed peddling the Aurora ransomware.
According to Blueliv Labs' analysis, the threat actor behind the Canadian campaigns using ZeroEvil as a payload in malware campaigns targetting Canadian businesses in 90% of attacks is AirNaine (aka TA545).
AirNaine uses its ever-evolving arsenal of Trojan to compromise Canadian enterprises via malvertising campaigns, stealing credentials, banking information and any other information it can get its hands on as long as it has value on the black market.