Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.
Kardon Loader appears to be distributed through the popular ‘Pink Panther’s’ botshop, although the total number of infections is low.
Currently, most Kardon Loader instances act as a simple loader, however newer variants include greater functionality including adding or removing applications, file transferal and botnet features. There are also indications that Tor and domain generation algorithm support will be implemented for command and control communications.
Kardon Loader uses HTTP based C2 infrastructure with URL parameters that are base64 encoded.
Command and Control URLs
Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.