The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer.
"The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection," security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.
SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model owing to its diverse delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional types of malware down to victims.
Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation tool commonly used for post-exploitation purposes. The malware has been observed since April 2024.
The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus product called 360 Total Security ("MenuEx.dll").
The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that serves as a dead drop resolver.
Also written in Rust, the final payload fingerprints the compromised system and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.
"SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques," the researchers said, adding that its dynamic string decryption and anti-debugging measures "emphasize its complexity and adaptability."
The development comes as phishing campaigns have also been observed distributing remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.
Some parts of this article are sourced from:
thehackernews.com