This new malware uses a rare programming language to evade traditional detection methods
- New custom malware loader written in JPHP wreaks havoc
- The modified payload is difficult to detect using cybersecurity tools
- The malware loader can deploy custom payloads if necessary
Trustwave SpiderLabs has recently exposed a new form of malware known as Pronsis Loader, which is already causing problems due to its unusual design and tactics.
Pronsis Loader is written in JPHP, a lesser-known language rarely used by cybercriminals, and combines it with silent installation techniques, making it harder for security products to detect and mitigate.
JPHP is an implementation of PHP that compiles PHP source to Java bytecode and runs on the Java Virtual Machine, and it is rarely seen in malware development. Although PHP is commonly used for web applications, its use in desktop malware is uncommon, which helps Pronsis Loader avoid detection.
JPHP – a rare choice in cybercrime
Pronsis Loader can slip past signature-based detection, whose rules are typically built around the compilers, packers and runtimes most commonly seen in malware. Code produced from JPHP bears little resemblance to those, which gives the malware a ‘stealth layer’ that keeps it under the radar of many security tools. That advantage applies to static signatures only: once running, the loader’s process, file and network activity is as observable as that of any other program.
The malware also uses obfuscation and encryption to conceal its payload during the initial infection phase, and its execution is arranged so that traditional antivirus and endpoint security products are not triggered. The loader first installs itself silently and disguises its activity by mimicking legitimate processes or applications, making it difficult to spot for both automated security tools and human analysts.
Once installed, Pronsis Loader can download and execute additional malware, including ransomware, spyware, or data exfiltration tools. This modular approach lets attackers choose the final payload to suit the target’s system or environment. Pronsis Loader is part of a growing trend in malware development in which a loader serves as the first stage of a multi-stage attack: its only job is to bring other malware onto the system, and that separation is what gives attackers their flexibility.
To combat these evolving threats, security teams must adopt more advanced monitoring and analysis methods, such as behavior-based detection, which identifies malware by what it does (the processes it starts, the connections it opens, the files it drops) rather than by code signatures alone. Additionally, continuous threat intelligence updates can help teams recognize the use of rare languages and techniques such as those of Pronsis Loader.
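The behavior-based approach described above can be sketched as a small rule over endpoint telemetry. The following is an added example written for this page, not code from Trustwave SpiderLabs or from the Pronsis Loader analysis: it assumes a hypothetical event feed of JSON lines with `process_create` and `network_connect` events, and it flags a JVM (`java.exe`/`javaw.exe`) launched from a user-writable directory that, within a short window, opens an outbound connection and then spawns a child process, noting when that child carries a system-binary name outside a system directory. The sample events, paths, addresses and thresholds are all constructed for illustration.

```python
"""Behavior-based detection sketch for a JVM-hosted loader.

Added example, not code from Trustwave SpiderLabs or the Pronsis Loader
analysis. The event format, field names, path markers and the time window
are assumptions made for this illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry, one JSON event per line (no real Pronsis data).
SAMPLE_EVENTS = r"""
{"ts": "2024-10-01T10:00:00", "type": "process_create", "pid": 4100, "ppid": 1200, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup\\jre\\bin\\javaw.exe", "cmdline": "javaw.exe -jar app.jar"}
{"ts": "2024-10-01T10:00:05", "type": "network_connect", "pid": 4100, "dst": "203.0.113.10:443"}
{"ts": "2024-10-01T10:00:09", "type": "process_create", "pid": 4180, "ppid": 4100, "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "cmdline": "svchost.exe"}
{"ts": "2024-10-01T10:01:00", "type": "process_create", "pid": 5000, "ppid": 1200, "image": "C:\\Program Files\\Java\\jre\\bin\\java.exe", "cmdline": "java.exe -jar tool.jar"}
{"ts": "2024-10-01T10:01:03", "type": "network_connect", "pid": 5000, "dst": "198.51.100.5:443"}
{"ts": "2024-10-01T10:01:04", "type": "process_create", "pid": 5010, "ppid": 5000, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"ts": "2024-10-01T10:02:00", "type": "process_create", "pid": 5200, "ppid": 1200, "image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Editor\\jre\\bin\\javaw.exe", "cmdline": "javaw.exe -jar editor.jar"}
"""

JVM_IMAGES = {"java.exe", "javaw.exe"}
# Assumed markers for directories a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Names a dropped binary might borrow to look legitimate (assumed list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def parse_events(text):
    """Parse JSON-lines telemetry into a time-ordered list of dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def masquerades_as_system(path):
    """True when a system-binary name is used outside a Windows system directory."""
    p = path.lower()
    return basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def detect_loader_behavior(events, window=timedelta(minutes=5)):
    """Flag JVM processes started from user-writable paths that both connect
    out and spawn a child within `window`. Returns a list of alert dicts."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create" or basename(ev["image"]) not in JVM_IMAGES:
            continue
        if not in_user_writable(ev["image"]):
            continue  # JVM from an installed location is treated as baseline
        pid, start = ev["pid"], ev["ts"]
        reasons = ["JVM launched from user-writable path"]
        connected = spawned = False
        for e in events:
            if e["ts"] < start or e["ts"] - start > window:
                continue
            if e["type"] == "network_connect" and e["pid"] == pid:
                connected = True
                reasons.append(f"outbound connection to {e['dst']}")
            elif e["type"] == "process_create" and e["ppid"] == pid:
                spawned = True
                note = f"spawned child {basename(e['image'])}"
                if masquerades_as_system(e["image"]):
                    note += " (system-binary name outside a system directory)"
                reasons.append(note)
        if connected and spawned:
            alerts.append({"pid": pid, "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_loader_behavior(parse_events(SAMPLE_EVENTS)):
        print(alert["pid"], alert["image"])
        for r in alert["reasons"]:
            print("  -", r)
```

On the constructed sample only PID 4100 is flagged: the `java.exe` under `Program Files` is excluded by location, and the editor's bundled JVM in `AppData` launches but neither connects nor spawns anything. None of these rules looks at the language the loader was written in, which is the point: a JPHP binary that evades static signatures still has to start a process, talk to a server and run its payload.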
“Pronsis Loader marks a notable shift in the way cybercriminals deploy malware, using JPHP and silent installations to evade traditional detection methods. Its ability to deliver high-risk payloads such as Lumma Stealer and Latrodectus makes it particularly dangerous,” said Shawn Kanady, Global Director of Trustwave SpiderLabs.
“Our research reveals not only the unique capabilities of the malware, but also the infrastructure that can be deployed in future campaigns to give security teams the opportunity to strengthen their defenses,” Kanady added.