Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnThe Hacker NewsTHN:A988DBBBCB9159BEA2238ADD4C142E31
HistoryJun 13, 2024 - 10:19 a.m.

Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware

2024-06-1310:19:00
The Hacker News
thehackernews.com
3
ssload malware
phantomloader
cybersecurity firm
malware distribution
phishing emails
reconnaissance
malware-as-a-service
cobalt strike
msi installer
ransomware
rust-based downloader
command-and-control server
remote access trojans

7.5 High

AI Score

Confidence

Low

JSON

SSLoad Malware

The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer.

“The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection,” security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.

SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model owing to its different delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional types of malware down to victims.

Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation software often used for post-exploitation purposes. The malware has been detected since April 2024.

Cybersecurity

The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security (“MenuEx.dll”).

The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that servers as dead drop resolver.

Also written in Rust, the final payload fingerprints the compromised system and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.

“SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques,” the researchers said, adding its dynamic string decryption and anti-debugging measures “emphasize its complexity and adaptability.”

The development comes as phishing campaigns have also been observed disseminating remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

7.5 High

AI Score

Confidence

Low

JSON