NetScout Arbor ASERT researchers spotted the Kardon Loader malware on underground forums.

A new commercial malware dropper has been discovered for sale at the low price of $50 in its beta form. Its authors promise that customers can open their own "botshop": the purchaser can rebuild the bot and sell access to others, building a clientele of their own.

NetScout Arbor ASERT researchers spotted the malware named Kardon Loader on underground forums as its authors were still looking for testers to infect victims, gain persistence on a user's computer and report back to a command and control (C&C) server, according to a recent blog post.

The malware was also promoted for its use of anti-analysis techniques to discourage white hats from examining its inner workings.

Kardon appears to be a rebrand of the ZeroCool botnet, which was previously developed by the same actor. The malware's creators are not yet distributing it widely: only 124 infections have been spotted, although researchers found that the threat actors initially conducted tests by leveraging the Pink Panther's automated loads shop.

Despite the extensive list of features advertised with the malware, some of them appear to have been exaggerated. Its authors claim the bot has Tor integration and user mode rootkit functionality, but researchers found no evidence of either capability in the binaries they analyzed.

Researchers first spotted the malware on April 21, 2018, after a threat actor using the name Yattaze began advertising it on a forum. The botnet's creators have indicated that development of the malware will continue. In the meantime, researchers recommend that organizations use the published indicators to block malicious activity associated with the loader.

Sean Newman, Director of Product Development at Corero Network Security, said news of the botnet does not represent any advance in the way the cybercriminal community functions.

“We are way past the time when hackers operated solely in isolation and had to craft every component of their attacks themselves,” Newman said in a June 25 blog post. “Pretty much every element of cyber-crime is now part of a broader ecosystem, with hackers specializing in certain areas and then selling those skills or capabilities on the dark web to others who can then use that for a broader cyber-crime campaign.”

He went on to say that malware like this emphasizes the need for organizations to have dedicated protection against these types of threats.