Malware, Ransomware

Ragnar Loader Toolkit Evolves Amid Increased Traction Among Threat Operations

cyber crime assessment, security awareness, malware detection

More sophisticated capabilities have been integrated into the Ragnar Loader malware toolkit, which has been leveraged not only by the Ragnar Locker group but also by the FIN7, FIN8, and Ruthless Mantis threat operations to maintain persistence on targeted systems, The Hacker News reports.

Beyond its use of PowerShell-based payloads, Ragnar Loader, also known as Sardonic, has been improved with advanced encryption, encoding, and process injection techniques that obfuscate malicious activity while ensuring persistence in compromised environments, according to an analysis from PRODAFT.

Also included in Ragnar Loader is "bc", a Linux ELF executable that allows commands to be delivered and executed directly on the targeted system, said PRODAFT researchers, who noted its resemblance to the BackConnect modules used by the QakBot and IcedID payloads. The newly added functionality in Ragnar Loader reflects "the increasing complexity and adaptability of modern ransomware ecosystems," the researchers added.

