Exploring the D3F@ck Malware-as-a-Service Loader

Aug. 19, 2024, 1:24 p.m.

Description

This report analyzes the D3F@ck Loader, a malware-as-a-service (MaaS) offering orchestrated by an individual going by the alias Sergei Panteleevich. The loader utilizes various evasion techniques, including the use of Extended Validation certificates, Inno Setup installers with custom Pascal scripts, and code obfuscation methods like custom Base64 alphabets and Caesar ciphers. It delivers additional malware payloads like Raccoon Stealer, MetaStealer, SectopRAT, and DanaBot. The developer operates a separate traffic team specializing in distributing stealers and markets both EV certificates and the D3F@ck Loader itself.

External References

https://www.esentire.com/blog/exploring-the-d3f-ck-malware-as-a-service-loader
https://otx.alienvault.com/pulse/66c345fdd97c3a26a18d9441
Tags
malware
loader
obfuscation
stealer
danabot
metastealer
sectoprat
2024-08-19
raccoon stealer
certificates
d3f@ck loader

Date

  • Created: Aug. 19, 2024, 1:17 p.m.
  • Published: Aug. 19, 2024, 1:17 p.m.
  • Modified: Aug. 19, 2024, 1:24 p.m.

Indicators

  • ebfec71ad43d309e27812bc1f9f36e30264ae3b2420f187bb42191a925166fad
  • www.havysoft.cl
  • http://www.havysoft.cl/
  • jilinebyli.top
Download all indicators here!

Attack Patterns

  • D3F@ck Loader
  • Raccoon Stealer
  • DanaBot
  • SectopRAT
  • MetaStealer
  • Sergei Panteleevich
  • T1102.001
  • T1189
  • T1562.001
  • T1057
  • T1204
  • T1553

Linked vulnerabilities

CVE-2024-7593

9.8
    Ivanti vTM
Published: August 13, 2024