- New custom malware loader written in JPHP is wreaking havoc
- The custom payload is difficult to detect using cybersecurity tools
- The malware-loader can deploy custom payloads as required
Trustwave SpiderLabs says it has recently uncovered a new form of malware known as Pronsis Loader, which is already causing trouble due to its unique design and tactics.
Pronsis Loader makes use of JPHP, a lesser-known programming language rarely utilized by cybercriminals, and alsoemploys advanced installation techniques, making it more challenging for cybersecurity systems to detect and mitigate.
JPHP, a variation of the popular PHP language, is rarely seen in the world of malware development. While PHP is commonly used for web applications, its integration into desktop malware development is unusual, giving Pronsis Loader an advantage in avoiding detection.
JPHP – a rare choice in cybercrime
Pronsis Loader can evade signature-based detection systems, which are typically designed to recognize more common programming languages in malware. JPHP gives the malware a layer of “stealth” allowing the malware to fly under the radar of many security tools.
The malware also uses obfuscation and encryption methods to hide its presence during the initial infection phase. Upon execution, it deploys complex methods to avoid triggering traditional antivirus software and endpoint protection systems. The loader first installs itself silently in the system, disguising its activities by mimicking legitimate processes or applications, making it difficult for both automated security tools and human analysts to spot.
Once installed, Pronsis Loader can download and execute additional malware, including ransomware, spyware, or data exfiltration tools. This modular approach makes the malware highly flexible, allowing attackers to tailor the final payload based on the target’s system or environment. Pronsis Loader is part of an increasing trend in malware development where attackers use loaders as a first step in multi-stage attacks. These loaders, designed to introduce other malware into a system, provide attackers with flexibility.
To combat these evolving threats, security teams should adopt more advanced monitoring and analysis methods, such as behavior-based detection, which can identify malware by its actions rather than its code signatures alone. Additionally, continuous updates to threat intelligence can help identify the use of rare languages and methods like those employed by Pronsis Loader.
“Pronsis Loader marks a notable shift in how cybercriminals are deploying malware, employing JPHP and silent installations to evade traditional detection methods. Its ability to deliver high-risk payloads like Lumma Stealer and Latrodectus makes it particularly dangerous,” said Shawn Kanady, Global Director of Trustwave SpiderLabs.
“Our research uncovers not only the malware’s unique capabilities but also the infrastructure that could be leveraged in future campaigns to give security teams a chance to strengthen their defences,” Kanady added.
