Citrix AresLoader Malware

Citrix Users at Risk: AresLoader Spreading Through Disguised GitLab Repo

Multiple Malware Families Leveraging AresLoader for Propagation

Malware loaders are programs or scripts that have been created to install and run different types of malware on a victim’s computer system. The main objective of a malware loader is to avoid detection and continue operating on the victim’s computer by downloading and executing additional malicious software. To achieve this, loaders may use tactics such as encrypting or obfuscating the malicious payload to make it more difficult for antivirus software to detect it.

Recently, Cyble Research and Intelligence Labs (CRIL) has observed a new loader called AresLoader that has been used to spread several types of malware families. AresLoader is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022. This loader is available on a Malware-as-a-Service (MaaS) model and is developed by the same Threat Actors (TA) who were responsible for the AiD Locker ransomware. The members of this group are also suspected of having connections to a Russian hacktivist group. The cost of AresLoader is USD 300 per month, including five builds.

The figure below displays the AresLoader post on a cybercrime forum.

Figure 1 – Post on Cybercrime Forum

AresLoader operates through a series of stages, with the initial loader binary containing embedded code that is injected in subsequent stages. After analyzing several binaries of AresLoader, CRIL discovered that the loader code’s extraction and injection methods are inconsistent across every binary.

This highlights the TA’s efforts to avoid detection by frequently updating their infection techniques.

The loader has been observed to be used by multiple malware strains, as depicted in the figure below.

Figure 2 – Spreading Different Malware

According to the TA, the malware initiates the launch of a legitimate file before deploying a malicious payload. The TAs responsible for this loader offer access to a builder that can be utilized to create a loader executable. Additionally, several web panels have been identified in association with this loader.

The figure below displays the AresLoader web panel.

Figure 3 – AresLoader Web Panel

Upon further investigation, CRIL discovered a GitLab repository located at hxxps[:]// distributing the AresLoader malware. This repository was masquerading as “citrixproject,” suggesting that the threat actor was specifically targeting Citrix users. Within this directory, the file labeled “AG.exe” was identified as AresLoader, which proceeded to download the LummaStealer and IcedID payloads.

The figure provided below illustrates the GitLab repository.

Figure 4 – Disguised Citrix GitLab Repo

Technical Analysis

The AresLoader executable (SHA:256 867c574602105903116dca0a8b826e474a555980a193524d1aa7f15aecbc9ae4) is a 32-bit binary compiled in C.  

The figure below shows the file details.

Figure 5 – File Details

Upon execution, the malware calls the CreateWindowEx() API with the class name “GLSample” and the window name “OpenGL Sample”. The window procedure function registered with this API does not contain any obvious malicious code in the callback function, leading us to suspect that this code may be intended to delay the analysis of the malware.

The figure below shows the code snippet of the CreateWindowEx() API.

Figure 6 – Creating Hidden Window

The next step for the malware is to try loading “sc.exe” using the CoLoadLibrary() function. In case this attempt fails, the functions within the if statement will be executed. These functions are meant to imitate the extraction of the following stage payload from the binary and then inject it into memory.

Nevertheless, these are fake functions and are just programmed to terminate the malware program.

The figure below shows the fake functions present in the malware.

Figure 7 – Fake Functions

The malware now begins to enumerate the Process Environment Block (PEB) to gather information about the loaded modules. It does this by traversing the InMemoryOrderModuleList and accessing the third node in the list using Flink.

This allows the malware to retrieve the address of the _LIST_ENTRY structure for the “ntdll.dll” module for resolving APIs.

The figure below shows the GetNtDLL() function.

Figure 8 – Enumerating PEB

Subsequently, the malware resolves APIs dynamically. This malware employs the API hashing technique to complicate detection and analysis. The targeted APIs belong to ntdll.dll and serve as a means for malware to perform malicious actions. The loader retrieves the address of the following API functions:

  • pLdrFindResource_U
  • pLdrAccessResource
  • pNtAllocateVirtualMemory
  • pNtQueueApcThread
  • pNtTestAlert

The figure below shows the GetNtDLL() and get_proc_address() functions.

Figure 9 – Resolving APIs

Next, the malware makes a call to the pLdrFindResource_U() function, which is used to locate a resource within the malware file. This function, on successful execution, returns a pointer to the resource data. This pointer is now passed to the pLdrAccessResource() function to retrieve the actual data of a resource located by the pLdrFindResource_U() function.

The figure below shows the calls made by the loader to fetch the resource data.

Figure 10 – Accessing Resource Data

Next, the malware uses the ZwAllocateVirtualMemory( ) function to reserve a memory area in the current process with read, write, and execute permissions.

The process for allocating memory space is demonstrated in the figure below.

Figure 11 – Allocating Memory Space

The next step in the process is to decrypt the resource data that was obtained earlier. This is achieved by using the key, which is obtained from the .rdata section. Once the memory is allocated, the decryption loop begins, and the decrypted PE file is stored in the newly allocated memory.

The figure below shows the decryption loop and the decrypted PE file.

Figure 12 – Decrypts PE file

Subsequently, the malware makes a call to ZwQueueApcThread() and NtTestAlert() to inject code into its own process memory. The malware uses the ZwQueueApcThread() function to schedule an Asynchronous Procedure Calls (APCs) routine that executes the injected code. NtTestAlert() function is associated with the alerts mechanism and can trigger the execution of any outstanding APCs.

Figure 13 – Executing Injected Code

AresLoader v3:

AresLoader can download and execute files. Initially, it creates a folder in the AppData\\Roaming directory where the downloaded payloads are saved. The saved file is then executed using the CreateProcessA() function.

The method used for executing the downloaded files can be seen in the figure below.

Figure 14 – Executing Malware Payloads

Prior to downloading the final payload, the Ares loader obtains the public IP address of the infected system by sending a request to utilizing the WinINet library.

Furthermore, it obtains additional information from the victim’s system and utilizes it to register the victim with the Command and Control (C&C) server via a POST request, as demonstrated below.

Figure 15 – POST Request

Finally, AresLoader initiates an internet session using the InternetOpenA() function and sets the user agent string to “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.”. It then proceeds to make GET requests for downloading other malicious executables using the InternetOpenUrlA() function. Specifically, the malware makes GET requests to the following URLs:

  • hxxp[:]//193.233.134[.]57/manager/legit  —– Downloads a clean file
  • hxxp[:]//193.233.134[.]57/manager/payload —- Downloads LummaStealer
  • hxxp[:]//193.233.134[.]57/manager/hvnc —– Downloads IcedID


The AresLoader has been detected disseminating various types of malware, implying that several threat actors are utilizing it to propagate their malicious strains. To evade detection, this loader employs several defensive strategies. Our observation of different executables utilizing different approaches to inject the loader code suggests that these TAs continually enhance their infection tactics.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Avoid downloading files from unknown websites. 
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems. 

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access T1566 Phishing 
Execution T1204 User Execution 
Defense Evasion T1027
Obfuscated Files or Information
Process Injection
Dynamic API Resolution
DiscoveryT1016System Network Configuration Discovery
Command and ControlT1071 
Application Layer Protocol 
Ingress Tool Transfer

Indicator Of Compromise (IOCs) 

Indicators Indicator  
hxxp[:]// hxxp[:]// hxxp[:]// hxxp[:]// C&C C&C 
hxxps[:]//”URLMalicious GitLab repo

Comments are closed.

Scroll to Top