Pronsis Loader: The Emerging Threat Behind JPHP-Driven Malware

by do son · October 8, 2024

A recent report by Trustwave’s Threat Intelligence team, led by Cris Tomboc and King Orande, has unveiled a newly identified malware named Pronsis Loader. This malware, which first surfaced in November 2023, has drawn comparisons to the D3F@ck Loader, a similar threat that emerged in early 2024. Pronsis Loader is notable for its delivery of malware such as Lumma Stealer and Latrodectus, posing a significant risk to victims. The discovery of its infrastructure linked to Lumma Stealer underscores the scale of this evolving threat.

What sets Pronsis Loader apart from other loaders is its use of JPHP, a Java implementation of PHP. “Both utilize JPHP-compiled executables, making them easily interchangeable,” the researchers explain. However, unlike the D3F@ck Loader, which uses Inno Setup Installer, Pronsis Loader deploys the Nullsoft Scriptable Install System (NSIS). This open-source tool enables customized Windows installers, providing Pronsis Loader a distinct edge in its installation techniques.

The use of NSIS by Pronsis Loader | Image: Trustwave

Interestingly, JPHP is not widely used among malware developers, making Pronsis Loader’s reliance on this language a deviation from the typical malware landscape. This implementation allows for the creation of .phb files, which cannot be easily decompiled using conventional Java tools. Despite this complexity, the presence of CAFEBABE headers in these files allows threat analysts to decompile them after extraction, revealing their true nature.

Pronsis Loader’s installer contains a large payload, much of which consists of benign files designed to conceal the malicious code embedded within. According to the researchers, “most of the installer’s contents consist of benign files designed to disguise malicious files.” These files are dropped into the %Temp% directory, but hidden among them is a key executable—FailWorker-Install.exe, which contains the actual malware.

This executable triggers a series of events, calling upon the Nact.dll file via an NSIS plug-in to run the JPHP-compiled loader. Upon extraction, the main module can be identified within the JPHP-INF directory, where the launcher.conf file specifies the initial .bootstrap file for the app\modules directory. The Pronsis Loader’s structure allows it to download a payload from a specified URL, which then delivers the Latrodectus malware. This malware primarily spreads through phishing emails, mirroring other known threats such as IcedID.

The Pronsis Loader has embedded features to evade detection. One such evasion technique is implemented through a PowerShell script hidden within the MainForm.phb file. This encoded script disables Windows Defender scans for the user’s profile directory, making it easier for the malware to operate undetected. “This PowerShell command will be placed in a batch file with a randomized numeric filename and executed via cmd.exe,” the report highlights.

Pronsis Loader’s ability to deliver multiple payloads has been further evidenced by its deployment of Lumma Stealer and Latrodectus. Latrodectus, first observed in October 2023, has gained attention due to its aggressive infection techniques. Infected machines are loaded with a series of batch files and executables that facilitate the installation and persistence of the malware.

In one instance, Latrodectus was delivered in a file named todaydatabase.zip, which dropped an executable into the %Temp% directory, initiating the infection process. Once installed, Latrodectus uses a scheduled task to ensure persistence, running every 10 minutes to re-execute its malicious components. Additionally, the malware creates a mutex named runnung to manage the ongoing infection.

The introduction of Pronsis Loader marks a significant shift in the use of JPHP as a malware platform. By leveraging NSIS installers and evading typical security protocols, Pronsis Loader presents a formidable challenge to cybersecurity defenders. The report emphasizes that this loader “highlights its similarities with D3F@ck Loader and its role in delivering Lumma Stealer and Latrodectus as primary payloads.”