
Ragnar Loader: The Sophisticated Toolkit Behind Monstrous Mantis

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

CRIL (Cyble Research and Intelligence Labs) came across a blog published by Prodaft on Ragnar Loader, also known as the Sardonic backdoor. This malware toolkit has been used by the Monstrous Mantis ransomware group (Prodaft's name for the Ragnar Locker operators) since 2020. The framework gives the operators persistent access to compromised systems and underpins targeted attacks against a range of organizations.

It relies on obfuscated PowerShell scripts, Base64 decoding and RC4 decryption of embedded payloads, process injection, and a script that harvests Remote Desktop Protocol (RDP) logon information from the Windows event logs. Persistence is achieved through WMI event filters and scheduled tasks, and layered obfuscation with runtime decryption of strings and code is used to evade detection.

Technical Details

Ragnar Loader is a malware framework used to gain a foothold in and maintain persistence on target systems. It combines obfuscation, encryption and anti-analysis techniques: PowerShell-based payloads, Base64 decoding and RC4 decryption of embedded stages, process injection, token manipulation and lateral movement support. The toolkit ships with PowerShell scripts for RDP logon reconnaissance, pivoting and remote code execution.

Node Initialization Script
Executes PowerShell commands to load the C# implementation of Ragnar Loader. It uses obfuscated scripts such as RunScheduledTask.ps1, which Base64-decodes and RC4-decrypts an embedded .NET assembly and then loads it.

The .NET assembly used by Ragnar Loader is protected with ConfuserEx, including anti-tamper and anti-dump measures, so its method bodies are only available from a runtime dump. Analysts can get past the anti-tamper layer by setting a breakpoint at the static constructor (which performs the runtime decryption) and dumping the module from memory, but the anti-dump measures corrupt the PE header of the dumped image, so .NET analysis tools fail to parse it. Replacing the corrupted header with the header of the original on-disk file restores a parsable assembly in which the decrypted methods are visible. The .NET loader decompresses and RC4-decrypts embedded byte arrays and passes execution to self-modifying shellcode. Runtime string decryption and control-flow obfuscation are also present, but can be handled with tools such as FLOSS (string extraction) and D-810 (IDA control-flow deobfuscation).
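The decode stage described above, re-created in PowerShell as an added illustration (this is not the actor's RunScheduledTask.ps1 and not code from the Prodaft or CRIL write-ups): the Base64 layer is stripped, the result is RC4-decrypted with a key, and the output is sanity-checked as a PE image before anyone tries to load it. The same check fails on a dump whose header has been damaged by the anti-dump routine, and the last step shows the header-replacement repair. The key `RagnarKey!`, the stage blob, the PE-shaped stub and the 0x40-byte repair length are all constructed for the demo; with a real sample the key comes from the script and the repair length depends on how much of the header the anti-dump code overwrote.

```powershell
# Added example: re-creating the Base64 -> RC4 -> .NET assembly decode stage for analysis.
# Not the actor's script; key, blob and header length below are constructed for the demo.

function Invoke-Rc4 {
    # Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts.
    param([byte[]]$Key, [byte[]]$Data)
    $s = New-Object int[] 256
    for ($i = 0; $i -lt 256; $i++) { $s[$i] = $i }
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $s[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $t
    }
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Data.Length; $n++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $s[$i]) -band 0xFF
        $t = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $t
        $out[$n] = $Data[$n] -bxor $s[($s[$i] + $s[$j]) -band 0xFF]
    }
    return ,$out
}

function ConvertFrom-LoaderStage {
    # Strip the Base64 layer, then RC4-decrypt with the key recovered from the script.
    param([string]$Base64, [string]$Key)
    $cipher = [Convert]::FromBase64String($Base64)
    return ,(Invoke-Rc4 -Key ([Text.Encoding]::ASCII.GetBytes($Key)) -Data $cipher)
}

function Test-PeImage {
    # Minimal PE sanity check: 'MZ' at offset 0, e_lfanew at 0x3C pointing at 'PE\0\0'.
    # Anti-dump damage to a memory dump shows up here as a failed check.
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }
    $peOffset = [BitConverter]::ToInt32($Bytes, 0x3C)
    if ($peOffset -lt 0x40 -or ($peOffset + 4) -gt $Bytes.Length) { return $false }
    return ($Bytes[$peOffset] -eq 0x50 -and $Bytes[$peOffset + 1] -eq 0x45 -and
            $Bytes[$peOffset + 2] -eq 0 -and $Bytes[$peOffset + 3] -eq 0)
}

function Repair-PeHeader {
    # Overwrite the first $Length bytes of a memory dump with the header of the original
    # on-disk file. $Length is an assumption; take it from how much the anti-dump routine
    # zeroed in the sample you are working on.
    param([byte[]]$Dump, [byte[]]$Original, [int]$Length = 0x40)
    $fixed = [byte[]]$Dump.Clone()
    [Array]::Copy($Original, 0, $fixed, 0, [Math]::Min($Length, $Original.Length))
    return ,$fixed
}

# --- Constructed demo input: a 68-byte PE-shaped stub, not a real assembly ---
$stub = New-Object byte[] 0x44
$stub[0] = 0x4D; $stub[1] = 0x5A                                          # 'MZ'
[Array]::Copy([BitConverter]::GetBytes([int]0x40), 0, $stub, 0x3C, 4)     # e_lfanew = 0x40
$stub[0x40] = 0x50; $stub[0x41] = 0x45                                    # 'PE\0\0'
$key  = 'RagnarKey!'                                                      # demo key, not an IOC
$blob = [Convert]::ToBase64String((Invoke-Rc4 -Key ([Text.Encoding]::ASCII.GetBytes($key)) -Data $stub))

$decoded = ConvertFrom-LoaderStage -Base64 $blob -Key $key
"Decoded stage is a PE image: $(Test-PeImage $decoded)"

# Simulate anti-dump header corruption on a dumped copy, then repair it from the original.
$dump = [byte[]]$decoded.Clone()
[Array]::Clear($dump, 0, 0x40)
"Dumped image parses: $(Test-PeImage $dump)"
$repaired = Repair-PeHeader -Dump $dump -Original $decoded -Length 0x40
"Repaired image parses: $(Test-PeImage $repaired)"
```

On a real sample, replace the constructed stub with the Base64 string lifted from the script and the key it uses, and feed the decoded bytes to dnSpy or ILSpy only after `Test-PeImage` passes; a failing check on a memory dump is the cue to apply `Repair-PeHeader` with the on-disk file's header.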

The backdoor starts a new WmiPrvSE.exe process using a token stolen from lsass.exe and injects its payload into that legitimate Windows process to blend in. It can execute plugins delivered as DLLs, run shellcode, and accept C2 commands for tasks such as file exfiltration and session management. Persistence is provided by WMI event filters in RunScheduledTask.ps1, scheduled tasks in RunScheduledTaskU.ps1, and direct assembly execution in RunScheduledTaskOnce.ps1.

Pivoting File (RunPvt.ps1)
Provides a proxy function that relays traffic for compromised hosts without direct internet access, so the operators can move laterally to and from systems that cannot reach the C2 on their own.

Remote Desktop Protocol (RDP) File
The final component of the Ragnar Loader toolkit is a PowerShell script for Remote Desktop Protocol (RDP) reconnaissance. Although the script is actively used by Ragnar Loader, it was not written by the threat actor; it is a third-party script (ATT&CK T1076, Remote Desktop Protocol; that ID has since been retired and the technique now sits under T1021.001, Remote Services: Remote Desktop Protocol). The script extracts interactive (RDP or console) logon information by filtering the relevant Windows event logs on Event ID and writes a CSV report summarizing the findings.
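What the RDP reconnaissance script does, re-created as an added example (a defender's version written for this page, not the third-party script the actor reuses): pull Event ID 4624 logon events from the Security log, keep logon type 2 (interactive, console) and logon type 10 (RemoteInteractive, RDP), and write who logged on, from where and when to CSV. The same query is worth running during an incident because its output is the account and source-host list the intruder would have harvested. The lookback window and output path are assumptions.

```powershell
# Added example: summarize interactive (console) and RDP logons from the Security log.
# Defender's re-creation of the reconnaissance step, not the actor's tooling. Needs an elevated shell.
param(
    [int]$Days = 30,                                            # lookback window (assumption)
    [string]$OutFile = "$env:TEMP\interactive-logons.csv"       # output path (assumption)
)

# Logon types that mean a human (or an attacker with creds) sat at a session.
$logonTypes = @{ '2' = 'Interactive (console)'; '10' = 'RemoteInteractive (RDP)' }

function Get-InteractiveLogon {
    param([int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read EventData by field name rather than by Properties[] index so the parse
        # survives schema differences between Windows versions.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $lt = [string]$data['LogonType']
        if (-not $logonTypes.ContainsKey($lt)) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $logonTypes[$lt]
            SourceHost  = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

$rows = @(Get-InteractiveLogon -Days $Days)
$rows | Export-Csv -Path $OutFile -NoTypeInformation
"$($rows.Count) interactive/RDP logons written to $OutFile"

# Quick pivot: which accounts reached this host over RDP, and from which sources?
$rows | Where-Object LogonType -like 'RemoteInteractive*' |
    Group-Object User, SourceIp | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it on the first host known to be compromised and on any host that appears in its SourceIp column; RDP chains built this way are the lateral-movement trail the pivoting script is designed to hide behind.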

Remote Code Execution Script (bc utility)
Provides command execution on compromised systems through a Linux ELF binary. It supports file transfers, token manipulation and module execution, among other operations.

Persistence Mechanisms
● RunScheduledTask.ps1: Registers a WMI event subscription whose filter condition is based on system uptime, so the loader is re-launched without a file on disk (fileless persistence).
● RunScheduledTaskU.ps1: Creates a daily scheduled task; the loader binary is stored in the Windows registry rather than as a file.
● RunScheduledTaskOnce.ps1: Executes the loader assembly directly through function calls.
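An added hunting script (written for this page, not taken from the Prodaft or CRIL analyses) that looks for the persistence shapes listed above and for the injection target described earlier: permanent WMI event subscriptions (filter, consumer and binding in root\subscription), scheduled tasks whose action runs PowerShell with encoded or registry-reading arguments, and WmiPrvSE.exe instances whose parent is not svchost.exe, the service host that normally launches the WMI provider host. The keyword list and the parent-process heuristic are assumptions; tune them to your environment and expect benign hits from management and monitoring software.

```powershell
# Added hunt script: flags the persistence patterns reported for Ragnar Loader.
# Run as an administrator in Windows PowerShell 5.1 or later. Keyword list is an assumption.
$suspiciousArgs = '-enc', '-e ', '-ec ', 'FromBase64String', 'IEX', 'Invoke-Expression',
                  'Get-ItemProperty', 'HKCU:', 'HKLM:', 'Registry::', 'Reflection.Assembly'

function Test-Suspicious {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($needle in $suspiciousArgs) {
        if ($Text -like "*$needle*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Permanent WMI event subscriptions (RunScheduledTask.ps1 pattern).
#    A filter keyed on system uptime plus a CommandLineEventConsumer is the shape to watch for.
$ns = 'root\subscription'
foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Kind = 'WMI filter'; Name = $f.Name; Detail = $f.Query
        Flag = ($f.Query -match 'SystemUpTime|PerfOS_System')
    }
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Kind = 'WMI consumer'; Name = $c.Name; Detail = $c.CommandLineTemplate
        Flag = (Test-Suspicious $c.CommandLineTemplate)
    }
}
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    # Every binding is worth a look: they are rare on workstations and each one wires a trigger to a payload.
    $findings += [pscustomobject]@{
        Kind = 'WMI binding'; Name = $b.Filter.Name; Detail = "-> $($b.Consumer.Name)"; Flag = $true
    }
}

# 2. Scheduled tasks whose action launches PowerShell with encoded or registry-reading arguments
#    (RunScheduledTaskU.ps1 keeps the loader in the registry and pulls it out on a daily task).
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and (Test-Suspicious $cmd)) {
            $findings += [pscustomobject]@{
                Kind = 'Scheduled task'; Name = "$($t.TaskPath)$($t.TaskName)"; Detail = $cmd; Flag = $true
            }
        }
    }
}

# 3. WmiPrvSE.exe whose parent is not svchost.exe. The backdoor is reported to start its own
#    WmiPrvSE.exe with a token taken from lsass.exe; the legitimate provider host is started by
#    the DCOM launcher service inside svchost.exe. Heuristic only: parent PIDs can be spoofed or recycled.
$procs = Get-CimInstance Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -eq 'WmiPrvSE.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $findings += [pscustomobject]@{
        Kind = 'WmiPrvSE parent'; Name = "PID $($p.ProcessId)"; Detail = "parent $parentName ($($p.ParentProcessId))"
        Flag = ($parentName -ne 'svchost.exe')
    }
}

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Flagged rows are leads, not verdicts: pull the consumer's CommandLineTemplate or the task's arguments, decode any Base64 you find, and compare the WmiPrvSE.exe command line and token owner against a known-good host before acting.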

Command and Control (C&C) Capabilities
Ragnar Loader accepts commands from its C&C server, including loading DLLs, executing shellcode, creating sessions and exfiltrating data.

Recommendations

  • Deploy robust antivirus and endpoint detection and response (EDR) solutions to monitor and block suspicious activity, and keep them updated. Configure behavioural detections for the techniques described here: process injection, token theft (handle access to lsass.exe, Sysmon Event ID 10), creation of WMI event subscriptions (Sysmon Event IDs 19, 20 and 21) and of scheduled tasks (Security Event ID 4698), and PowerShell launched with encoded command lines.

  • Restrict lateral movement by segmenting critical systems from standard workstations and enforcing strict access controls. Use network firewalls, VLANs, and Zero Trust principles to minimize exposure if a device is compromised.

  • Keep all software, operating systems, and applications updated with the latest security patches. Implement regular, encrypted backups stored offline or in secure cloud storage to ensure data recovery in the event of a ransomware attack.

Conclusion

Ragnar Loader is a malware framework that uses obfuscation, encryption and anti-analysis techniques to gain a foothold in and maintain persistence within target environments. It employs PowerShell-based payloads, Base64 decoding and RC4 decryption of embedded stages, dynamic process injection, token manipulation and lateral movement. String and control-flow obfuscation hinder static analysis, and critical functions are resolved dynamically during execution.

FPT Metrodata Indonesia (FMI) provides news, analysis & guides on cybersecurity and threat intelligence for Indonesia & Vietnam. Visit https://news.fmisec.com. FMI: https://fmisec.com