A new private loader named “AresLoader” has been advertised for sale on a top-tier Russian-language hacking forum, available for $300 per month, with the sellers claiming that only ten licenses are available at a time.
AresLoader is designed to camouflage itself as legitimate software while covertly downloading harmful payloads. It operates through a single command and control (C2) panel that receives logs, and customers can create user accounts for the panel. Flashpoint analysts have evaluated a sample build of AresLoader and confirmed that it performs the advertised functions.
Once dropped on the system, AresLoader scrapes the victim device’s IP address and time zone, generates a UUID for the infected system, and beacons out to the C2 server with a POST request.
This beacon includes the scraped data mentioned above as well as campaign identifiers such as an ‘owner_token.’ After registering the loader on the C2 server, the loader downloads the expected legitimate file specified during the build’s creation.
It executes that file and downloads the additional harmful payloads. AresLoader then creates a Registry AutoRun key so that it is relaunched at each logon, retaining unauthorized access to the victim’s environment.
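The registration beacon described above gives a defender something concrete to hunt for in egress or proxy logs: a POST whose body carries an `owner_token` together with a UUID, the host's IP and its time zone. The following is an added detection example, not Flashpoint's code or part of the original write-up. The log record layout, the parameter names other than `owner_token` (`uuid`, `ip`, `tz`), the `/gate` path and every address are constructed assumptions; only the presence of `owner_token` plus IP, time zone and a UUID comes from the report.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample of egress-proxy log records (JSON lines). The field names
# and the URL path are assumptions; the report only states what the beacon contains.
SAMPLE_LOG = """
{"src": "10.0.0.5", "method": "POST", "host": "203.0.113.10", "path": "/gate", "body": "owner_token=abc123&uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301&ip=198.51.100.7&tz=Europe/Berlin"}
{"src": "10.0.0.6", "method": "GET", "host": "update.example.com", "path": "/version", "body": ""}
{"src": "10.0.0.7", "method": "POST", "host": "crm.example.com", "path": "/api/login", "body": "user=alice&owner_token=none"}
{"src": "10.0.0.8", "method": "POST", "host": "203.0.113.10", "path": "/gate", "body": "owner_token=abc123&uuid=9b2e0f4c-1111-4a2b-8c3d-0f0e0d0c0b0a&ip=198.51.100.8&tz=America/Chicago"}
"""

# RFC 4122 textual UUID, as the loader generates one per infected system.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def is_loader_beacon(record):
    """True when a record looks like the loader's registration POST."""
    if record.get("method") != "POST":
        return False
    params = parse_qs(record.get("body", ""))
    if "owner_token" not in params:
        return False  # the campaign identifier is the anchor of the rule
    # The beacon also carries the generated system UUID plus scraped IP and time zone.
    has_uuid = any(UUID_RE.match(v) for v in params.get("uuid", []))
    has_meta = "ip" in params and "tz" in params
    return has_uuid and has_meta


def find_beacons(log_text):
    """Return (source host, C2 host, owner_token) for every matching record."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if is_loader_beacon(rec):
            token = parse_qs(rec["body"])["owner_token"][0]
            hits.append((rec["src"], rec["host"], token))
    return hits


def campaigns(hits):
    """Group infected hosts by owner_token: one token corresponds to one customer campaign."""
    grouped = {}
    for src, _host, token in hits:
        grouped.setdefault(token, set()).add(src)
    return grouped


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for src, host, token in found:
        print(f"beacon from {src} to {host} (owner_token={token})")
    print(campaigns(found))
```

Requiring all three elements (token, UUID, IP/time zone) keeps a stray `owner_token` parameter in an unrelated web application from firing the rule, as the third sample record shows; grouping hits by token then tells the responder how many internal hosts belong to the same campaign.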
The IP address of the AresLoader C2 server indicates that it belongs to an autonomous system number (ASN) registered to the bulletproof hosting provider Partner LLC.
Identifying the ASNs of bulletproof hosting providers is useful to security researchers and to organizations able to block IP ranges. The prefixes these ASNs announce are highly unlikely to host legitimate services, so they serve both to identify malicious infrastructure and to block malicious activity proactively.
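Turning that observation into a check means mapping an observed address onto the prefixes a suspect ASN announces. The block below is an added example, not Flashpoint's tooling. The ASN label `AS64500` is a placeholder from the private-use range, not Partner LLC's real ASN, and the prefixes are RFC 5737/RFC 3849 documentation ranges standing in for what a BGP or RIR export would list; the loader's actual C2 address is not given in the report and is not reproduced here.

```python
import ipaddress

# Constructed example of announced prefixes for a bulletproof-hosting ASN.
# AS64500 is a private-use placeholder; the prefixes are documentation ranges.
BPH_ANNOUNCEMENTS = {
    "AS64500": ["203.0.113.0/24", "198.51.100.128/25", "2001:db8:bad::/48"],
}


def build_index(announcements):
    """Flatten {asn: [prefix, ...]} into (network, asn) pairs, most specific first."""
    index = []
    for asn, prefixes in announcements.items():
        for prefix in prefixes:
            index.append((ipaddress.ip_network(prefix, strict=False), asn))
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def lookup(ip_str, index):
    """Return (prefix, asn) of the longest announced prefix containing ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed input from a log or feed is not a match
    for net, asn in index:
        if ip.version == net.version and ip in net:
            return (str(net), asn)
    return None


def triage(ip_list, index):
    """Split observed contact IPs into those inside known BPH space and the rest."""
    flagged, unflagged = {}, []
    for ip in ip_list:
        hit = lookup(ip, index)
        if hit:
            flagged[ip] = hit
        else:
            unflagged.append(ip)
    return flagged, unflagged


if __name__ == "__main__":
    idx = build_index(BPH_ANNOUNCEMENTS)
    hits, rest = triage(["203.0.113.45", "192.0.2.1", "2001:db8:bad::1"], idx)
    for ip, (prefix, asn) in hits.items():
        print(f"{ip} is inside {prefix} announced by {asn}")
    print("not in known BPH space:", rest)
```

Sorting by prefix length first makes the match behave like a router's longest-prefix lookup, so a more specific announcement inside a larger block wins; the same index can feed a firewall blocklist or be applied retroactively to historical connection logs.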
Partner LLC also hosts the “Shark” stealer panel, indicating that the ASN supports other malicious infrastructure besides AresLoader.