Ragnar Loader: A Key Tool for Persistent Access and Ransomware Operations by Cybercrime Groups

Cybersecurity experts have recently uncovered a “highly sophisticated and evolving malware toolkit” known as Ragnar Loader, which is utilized by various cybercriminal and ransomware groups, including Ragnar Locker (also called Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (previously known as REvil).

According to Swiss cybersecurity firm PRODAFT, Ragnar Loader plays a critical role in maintaining access to compromised networks, enabling attackers to remain within targeted systems over extended periods.

“While associated with the Ragnar Locker group, it remains uncertain whether they are the owners of Ragnar Loader or if they rent it out to other cybercriminals. What is certain is that its developers are continuously enhancing the toolkit, adding new features to make it more modular and difficult to detect,” PRODAFT shared in a statement with The Hacker News.

The malware, also known as Sardonic, was first identified by Bitdefender in August 2021 during a failed attack by FIN8 targeting an unnamed U.S. financial institution. It is believed to have been in operation since 2020.

In July 2023, Broadcom’s Symantec team reported that FIN8 was using an updated version of the backdoor to deploy the now-discontinued BlackCat ransomware.

The core strength of Ragnar Loader lies in its ability to establish a persistent presence in compromised systems, employing a variety of techniques to evade detection and ensure the malware remains effective over time.

PRODAFT explained, “The malware uses PowerShell-based payloads for execution, integrates robust encryption and encoding methods such as RC4 and Base64 to hide its actions, and utilizes advanced process injection strategies to gain and maintain stealthy control of infected systems.”

“These techniques collectively help Ragnar Loader evade detection and sustain its presence within targeted networks,” PRODAFT added.
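As an added illustration of the RC4-plus-Base64 layering PRODAFT describes, the following Python helper (example code written for this page, not PRODAFT's or the malware's own) peels both layers off a constructed blob and sanity-checks the result, the way an analyst would when recovering an encoded stage. The key, the layering order (RC4 first, then Base64) and the stand-in script body are assumptions for the demo, not Ragnar Loader's real values.

```python
import base64
import string

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wrap_payload(payload: bytes, key: bytes) -> str:
    """Build a blob in the ASSUMED layering Base64(RC4(payload)); used only to construct the sample."""
    return base64.b64encode(rc4(key, payload)).decode("ascii")

def unwrap_payload(blob: str, key: bytes) -> bytes:
    """Peel the layers in reverse order: Base64-decode first, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob))

def plausible_script(data: bytes) -> bool:
    """Cheap key check: a correct decrypt yields printable text, a wrong key yields noise."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in string.printable for ch in text)

# Constructed sample: a placeholder key and a harmless stand-in for a script body.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_BLOB = wrap_payload(b"Write-Output 'decoded stage (constructed sample)'", SAMPLE_KEY)

if __name__ == "__main__":
    recovered = unwrap_payload(SAMPLE_BLOB, SAMPLE_KEY)
    print(recovered.decode())                                  # the stand-in script
    print(plausible_script(recovered))                         # True
    print(plausible_script(unwrap_payload(SAMPLE_BLOB, b"wrong-key")))  # False
```

In a real triage the key would have to be recovered from the loader's PowerShell stage; the check in `plausible_script` is what tells you whether a candidate key was the right one.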

Ransomware operations

The malware is distributed to affiliates as a package containing several components designed to facilitate reverse shell operations, local privilege escalation, and remote desktop access. It also allows communication with the attacker, enabling remote control of the infected machine via a command-and-control (C2) panel.

Typically launched on victim systems using PowerShell, Ragnar Loader integrates a variety of anti-analysis methods to avoid detection and obscure its control flow.

Additionally, it features the capability to perform multiple backdoor operations, such as running DLL plugins and shellcode, as well as reading and exfiltrating arbitrary files. To assist in lateral movement within a network, it deploys another PowerShell-based pivoting file.

One crucial component of Ragnar Loader is a Linux executable ELF file, known as “bc.” This file is designed to support remote connections, allowing the attacker to issue command-line instructions directly on the compromised system.

PRODAFT revealed that “bc” is similar to the BackConnect modules found in other malware families, such as QakBot and IcedID, which enable remote access to the victim’s device. This technique is commonly used by cybercriminals, particularly when targeting enterprise networks, as many of their devices are isolated from the rest of the network.

“Ragnar Loader utilizes sophisticated techniques for obfuscation, encryption, and evading detection, incorporating PowerShell-based payloads, RC4 and Base64 decryption methods, dynamic process injection, token manipulation, and capabilities for lateral movement,” highlighted PRODAFT. “These features highlight the growing complexity and adaptability of modern ransomware ecosystems.”
