The malware known as EvilBunny is designed to be a platform for Lua scripts and is known to affect Windows systems. EvilBunny can create Registry keys for persistence and has used WMI to gather information about the system. EvilBunny can download additional Lua scripts from the C2. EvilBunny can also call EnumProcesses to determine how many processes are running in the environment and has queried installed antivirus software. The malware can also run commands via scheduled tasks and has used time measurements from three different APIs to check whether it is running in a sandbox, aborting if so.
EvilBunny Malware Capabilities:
EvilBunny may use a variety of techniques to gain persistence on a system, including adding programs to startup folders or referencing them in Registry run keys. It may also abuse Windows Management Instrumentation to execute malicious commands and payloads. EvilBunny may transfer tools or other files from an external system into a compromised environment, and may attempt to get information about running processes on a system. It may also abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
- EvilBunny malware may add itself to the startup folder or Registry run key to achieve persistence, or abuse Windows Management Instrumentation to execute malicious commands and payloads. It may also transfer tools or other files from an external system into a compromised environment.
- EvilBunny may attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network. Additionally, EvilBunny may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
- The EvilBunny malware may abuse the Windows command shell for execution, interact with the native OS application programming interface to execute behaviors, and employ various system checks to detect and avoid virtualization and analysis environments. If the adversary detects a virtual machine environment or sandbox, they may alter their malware to disengage from the victim or conceal the core functions of the implant.
- EvilBunny may delete files left behind by their intrusion activity, employ time-based methods to avoid virtualization and analysis environments, and communicate using application layer protocols associated with web traffic to blend in with existing traffic and avoid detection.
Ways to Mitigate EvilBunny Malware Capabilities
- The EvilBunny malware can be mitigated by monitoring the Registry for changes, the startup folder for additions or changes, and network traffic for WMI connections. Process monitoring can also be used to capture command-line arguments of "wmic" and detect commands used to perform remote behavior. Additionally, monitoring for file creation and files transferred into the network can help to detect this type of malware.
- The EvilBunny malware can be mitigated by monitoring process execution and Windows Task Scheduler for changes that don't correlate with known software or patch cycles.
- The EvilBunny malware attack can be mitigated by restricting scripting for normal users, monitoring API calls, and checking for virtualization/sandbox related system activity.
- The EvilBunny malware can be mitigated by monitoring for command-line deletion functions, as well as for known deletion and secure deletion tools. Additionally, time-based evasion may occur throughout an operation, so data and events should be viewed as part of a chain of behavior that could lead to other activities. Finally, network data should be analyzed for uncommon data flows, and packet contents should be examined for application layer protocols that do not follow expected standards.
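The monitoring points above (Registry run keys, startup-folder drops, "wmic" command lines used for remote execution, scheduled-task creation that does not match a patch cycle, and command-line deletion) can be turned into a small detection pass. The Python below is an added example, not EvilBunny's code or the page's own; it runs over constructed events in a Sysmon-like shape (EventID 1 = process create, 11 = file create, 13 = registry value set), and the field names, paths and process names are assumptions a real pipeline would map onto its own telemetry.

```python
"""Toy detection pass over constructed Windows telemetry for the EvilBunny
behaviours listed in the mitigation section. Sample events, paths and process
names are constructed for illustration (assumption: a Sysmon-like schema)."""

import re
from dataclasses import dataclass

# Constructed sample events: five that mirror the page's behaviours, two benign.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "CommandLine": "wmic /node:fileserver01 process call create \"cmd.exe /c whoami\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "CommandLine": "schtasks /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "CommandLine": "cmd.exe /c del /f /q C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.lua"},
    # Benign noise: a patch-cycle task created by a system process, and a normal user app.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "schtasks /create /tn \\Microsoft\\Windows\\UpdateOrchestrator\\Scan /xml scan.xml"},
    {"EventID": 1, "Image": "C:\\Program Files\\Editor\\editor.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "editor.exe notes.txt"},
]

# Patterns for the behaviours named in the mitigation list.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Parent living in a user-writable location is the "does not correlate with known
# software or patch cycles" heuristic for scheduled tasks and deletions.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
REMOTE_WMIC_RE = re.compile(r"\bwmic\b.*(/node:|process\s+call\s+create)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
DELETE_RE = re.compile(r"\b(del|erase|rd|rmdir|Remove-Item|sdelete|cipher\s+/w)\b", re.I)


@dataclass(frozen=True)
class Alert:
    technique: str  # label matching the mitigation bullet that motivates the rule
    reason: str


def check_event(ev):
    """Return the list of alerts a single event raises (empty for benign events)."""
    alerts = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        alerts.append(Alert("Registry Run Keys", f"{image} wrote {ev['TargetObject']}"))
    if eid == 11 and STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
        alerts.append(Alert("Startup Folder", f"{image} dropped {ev['TargetFilename']}"))
    if eid == 1 and REMOTE_WMIC_RE.search(cmd):
        alerts.append(Alert("Windows Management Instrumentation", cmd))
    if eid == 1 and SCHTASKS_CREATE_RE.search(cmd) and USER_WRITABLE_RE.search(parent):
        alerts.append(Alert("Scheduled Task", f"created by {parent}: {cmd}"))
    if eid == 1 and DELETE_RE.search(cmd) and USER_WRITABLE_RE.search(parent):
        alerts.append(Alert("File Deletion", f"{parent} ran: {cmd}"))
    return alerts


def scan(events):
    """Map event index -> alerts for every event that raised at least one."""
    return {i: a for i, ev in enumerate(events) if (a := check_event(ev))}


def techniques_seen(events):
    """Sorted, de-duplicated technique labels across all alerts: the 'chain of
    behavior' view the mitigation text asks for, rather than isolated hits."""
    return sorted({al.technique for alerts in scan(events).values() for al in alerts})


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        for al in alerts:
            print(f"event {idx}: [{al.technique}] {al.reason}")
    print("chain:", " -> ".join(techniques_seen(SAMPLE_EVENTS)))
```

The scheduled-task and deletion rules deliberately require a parent process in a user-writable directory, so the constructed UpdateOrchestrator task launched by svchost.exe is not flagged; tuning that allow-list against the host's real patch cadence is where most of the false-positive work lives. Correlating the five labels per host, as `techniques_seen` does, reflects the text's advice to treat time-based evasion and deletion as links in a chain rather than as single events.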
About Snowglobe Threat Group
Animal Farm (also tracked as Snowglobe) is an advanced threat actor that has been active since at least 2009 and has targeted a wide range of global organizations.