Security researchers have spotted a new commercial malware product being offered on hacking forums for the lowly price of $50, paid in Bitcoin.
Named Kardon Loader, this is a new malware strain, currently still under development, in a "beta" stage according to its author.
Based on its advertised features, Kardon is a "malware loader," also known as a "malware downloader" or "dropper," a type of malware that cyber-criminals usually deploy as the first stage of their operations.
A malware loader's main role is to infect victims, gain persistence on a user's computer, and then report back to a command and control (C&C) server.
Each victim of a malware loader is called a "bot," as the malware assembles all infected computers in a giant botnet.
Sooner or later, the fate of every bot is the same: the loader downloads a second-stage payload, usually a more potent piece of malware such as a banking trojan, a password dumper, a backdoor trojan, or ransomware.
Cybercriminals normally use malware loaders in one of two ways. They either incorporate them into their own custom multi-stage infection chains, for their own benefit, or they sell "bot space" to other crooks, who then infect the bots with the second-stage malware of their choice.
In the past two decades, we've seen malware downloaders such as Andromeda, Nemucod, Quant Loader, and Smoke Loader be very active on the market.
Crooks have made good money selling these types of tools to other crooks, and especially "bot space." It is this bot-space-selling niche that a relatively new malware author is trying to break into.
According to an Arbor ASERT report published yesterday, a malware author named Yattaze started selling a new malware downloader named Kardon Loader last April.
"Kardon is a lot smaller of an operation than some of the well-known loaders out there like Smoke and Quant," TJ Nelson, Security Research Analyst for Arbor, told Bleeping Computer via email.
"However, where its predecessors started adding mining and credential stealing features, Kardon Loader has limited those 'extras' and added control panel features [so buyers can] start their own botshop," Nelson told us.
The researcher is referring to an unusual Kardon Loader feature promoted in its advertisement.
Usually, malware loaders come with a backend panel that lets buyers interact with their bots and push a second-stage malware. On top of this standard C&C panel, Kardon also includes a fully fledged botshop, a much rarer feature, which lets buyers of Kardon Loader open an online store where they sell access to the bots they collect.
For now, the malware is not a widespread threat, as it is still a newcomer on the market and has few buyers. Arbor says it didn't find any active Kardon samples deployed in the wild.
"We have found most of our samples from multiscanning services, one panel (botshop) in the wild (via a Google search), and a few via the forum commentary," Nelson told us.
"Commentary from the actor reveals this bot is not widely distributed at this time," Nelson says. "Only 124 infections are shown in a screenshot of the loader’s test network posted by the actor."
In his ad, Yattaze also brags about Kardon's features:
But from the Arbor team's analysis, Yattaze appears to have lied or exaggerated about a few of those features. For example, researchers didn't find any evidence of Tor integration or user mode rootkit functionality in the binaries they analyzed.
Nonetheless, the Arbor team seems confident these features will be added in the future, as Yattaze is an established malware author with a reputation on the forums for delivering on his goods.
"This is very new malware, and the author is active and responsive on their advertisement threads, which means the commitments they have made to add encryption and rootkit functionality have a higher likelihood of coming true in the future," Nelson told Bleeping Computer.
Before developing Kardon Loader, Yattaze worked on the ZeroCool botnet, a similar malware loader.
"The author abandoned the [ZeroCool] project and used the code from it to create Kardon Loader," Nelson told us. "It was under development for over a year, and it was basically his first attempt at building a bot, so he decided not to release it and work on this one."
The Arbor ASERT team's report contains indicators of compromise (IOCs) that researchers can use to hunt for this new malware.
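The two things a defender gets from the description above are worth turning into a concrete hunt: the IOC list the report provides, and the loader behaviour it describes (gain persistence, then report back to a C&C on a schedule until a second stage arrives). The script below is an added example written for this article, not code from Arbor ASERT or from the Kardon author, and it does not use any real Kardon indicator: the IOC host and every proxy log line are constructed for the demonstration. It does two passes over the log: a plain IOC match on destination hosts, and a beaconing heuristic that flags client/host pairs whose connection intervals are nearly constant, which is how a timer-driven check-in looks in proxy telemetry even when the destination is not yet on any list.

```python
"""Hunting for loader-style C&C check-ins in proxy logs (added example).

Assumptions: IOC_HOSTS is a hypothetical indicator list and SAMPLE_LOG is
constructed data; neither comes from the Arbor ASERT report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical IOC list (constructed; not a Kardon indicator). In practice
# this would be loaded from the report's IOC section.
IOC_HOSTS = {"panel.example-bad.test"}

# Constructed proxy log: timestamp, client IP, destination host, method, path.
# 10.0.0.5 checks in with the panel every ~5 minutes; 10.0.0.7 is normal browsing.
SAMPLE_LOG = """\
2018-06-22T10:00:00 10.0.0.5 panel.example-bad.test POST /gate.php
2018-06-22T10:05:01 10.0.0.5 panel.example-bad.test POST /gate.php
2018-06-22T10:10:00 10.0.0.5 panel.example-bad.test POST /gate.php
2018-06-22T10:14:59 10.0.0.5 panel.example-bad.test POST /gate.php
2018-06-22T10:20:00 10.0.0.5 panel.example-bad.test POST /gate.php
2018-06-22T10:01:13 10.0.0.7 www.example.org GET /
2018-06-22T10:03:40 10.0.0.7 www.example.org GET /news
2018-06-22T10:31:02 10.0.0.7 www.example.org GET /about
2018-06-22T11:02:55 10.0.0.7 www.example.org GET /
"""


def parse_log(text):
    """Parse whitespace-separated proxy lines into (ts, src, host, method, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, path = line.split()
        events.append((datetime.fromisoformat(ts), src, host, method, path))
    return events


def ioc_hits(events, iocs=IOC_HOSTS):
    """Pass 1: every (client, host) pair whose destination is on the IOC list."""
    return sorted({(src, host) for _, src, host, _, _ in events if host in iocs})


def beacon_candidates(events, min_events=4, max_cv=0.1):
    """Pass 2: (client, host, mean_interval_seconds) for pairs that connect on a
    near-constant timer. The coefficient of variation (stdev / mean) of the gaps
    between connections is small for timer-driven check-ins and large for
    human browsing, so pairs at or below max_cv are reported."""
    by_pair = defaultdict(list)
    for ts, src, host, _, _ in events:
        by_pair[(src, host)].append(ts)

    found = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_events:  # too few connections to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, host, round(avg)))
    return sorted(found)


def hunt(text):
    """Run both passes and return the combined findings."""
    events = parse_log(text)
    return {"ioc_hits": ioc_hits(events), "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    for kind, rows in hunt(SAMPLE_LOG).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

The beaconing pass deliberately does not depend on the IOC list, so it still surfaces a host the report does not name; the trade-off is that legitimate software with its own timers (update checks, telemetry) also shows low jitter, which is why the output is a candidate list for a human to triage against the IOC match rather than an alert on its own. Tighten `max_cv` or raise `min_events` if the log volume makes the candidate list too noisy.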