FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

The Hacker News by The Hacker News
March 7, 2025


Mar 07, 2025Ravie Lakshmanan

Threat hunters have shed light on a “sophisticated and evolving malware toolkit” called Ragnar Loader that’s used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).

“Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations,” Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News.

“While it’s linked to the Ragnar Locker group, it’s unclear if they own it or just rent it out to others. What we do know is that its developers are constantly adding new features, making it more modular and harder to detect.”

Ragnar Loader, also referred to as Sardonic, was first documented by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 aimed at an unnamed financial institution located in the U.S. It’s said to have been put to use since 2020.


Then in July 2023, Broadcom-owned Symantec revealed FIN8’s use of an updated version of the backdoor to deliver the now-defunct BlackCat ransomware.

The core functionality of Ragnar Loader is its ability to establish long-term footholds within targeted environments, while employing an arsenal of techniques to sidestep detection and ensure operational resilience.

“The malware utilizes PowerShell-based payloads for execution, incorporates strong encryption and encoding methods (including RC4 and Base64) to conceal its operations, and employs sophisticated process injection strategies to establish and maintain stealthy control over compromised systems,” PRODAFT noted.

“These features collectively enhance its ability to evade detection and persist within targeted environments.”
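The Base64-over-RC4 layering PRODAFT describes is the same shape analysts meet when unpacking such loaders: strip the text encoding, then run the stream cipher with the recovered key. The script below is an added illustration, not PRODAFT's or the loader's own code; the key and the PowerShell one-liner are constructed, and the `looks_like_powershell` plausibility check is a hypothetical helper for confirming a candidate key.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA).
    The same call both encrypts and decrypts, which is why a loader's
    decryption routine is also enough to rebuild its packer."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wrap_payload(plaintext: bytes, key: bytes) -> str:
    """Constructed sample builder: RC4 first, then Base64 (the layering the report names)."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")

def unwrap_payload(blob: str, key: bytes) -> bytes:
    """Analyst side: peel Base64, then RC4-decrypt with the recovered key."""
    return rc4(key, base64.b64decode(blob))

def looks_like_powershell(data: bytes) -> bool:
    """Hypothetical plausibility check: a wrong key yields noise, a right key
    yields text carrying common PowerShell tokens."""
    text = data.decode("utf-8", errors="ignore").lower()
    markers = ("invoke-", "iex", "write-", "new-object", "function ")
    return any(m in text for m in markers)

# Constructed sample: harmless one-liner and a made-up key, embedded so this runs offline.
SAMPLE_KEY = b"example-key"
SAMPLE_SCRIPT = b'Write-Output "hello from constructed sample"'
SAMPLE_BLOB = wrap_payload(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = unwrap_payload(SAMPLE_BLOB, SAMPLE_KEY)
    print(recovered.decode(), looks_like_powershell(recovered))
```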

Ransomware Operations

The malware is offered to affiliates in the form of an archive file package containing multiple components to facilitate reverse shell, local privilege escalation, and remote desktop access. It’s also designed to establish communications with the threat actor, allowing them to remotely control the infected system through a command-and-control (C2) panel.

Typically executed on victim systems using PowerShell, Ragnar Loader integrates a bevy of anti-analysis techniques to resist detection and obscure control flow logic.


Furthermore, it features the ability to conduct various backdoor operations by running DLL plugins and shellcode, as well as reading and exfiltrating the contents of arbitrary files. To enable lateral movement within a network, it makes use of another PowerShell-based pivoting file.

Another critical component is a Linux ELF executable named bc that’s designed to facilitate remote connections, permitting the adversary to launch and execute command-line instructions directly on the compromised system.

“It employs advanced obfuscation, encryption, and anti-analysis techniques, including PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic process injection, token manipulation, and lateral movement capabilities,” PRODAFT said. “These features exemplify the increasing complexity and adaptability of modern ransomware ecosystems.”
