Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

Dec. 5, 2024, 10:25 a.m.

Description

A newly identified malware, Pronsis Loader, shares characteristics with D3F@ck Loader. Both are distributed as JPHP-compiled executables, but Pronsis Loader uses NSIS for its installer where D3F@ck Loader uses Inno Setup. Pronsis Loader typically delivers Lumma Stealer and Latrodectus payloads. For defense evasion it excludes user directories from Windows Defender scans, and it establishes persistence through scheduled tasks. Infrastructure analysis revealed multiple IP addresses and open directories used to host malicious files, particularly Lumma Stealer variants. This discovery highlights the evolving nature of malware threats and the need for continued vigilance in cybersecurity practices.

Date

  • Created: Dec. 4, 2024, 11:12 p.m.
  • Published: Dec. 4, 2024, 11:12 p.m.
  • Modified: Dec. 5, 2024, 10:25 a.m.

Attack Patterns

  • IceRat
  • Pronsis Loader
  • D3F@ck Loader
  • Latrodectus
  • Lumma Stealer
  • T1053.005
  • T1059.003
  • T1059.001
  • T1547.001
  • T1070.004
  • T1204.002
  • T1057
  • T1055
  • T1036
  • T1140
  • T1027