Sunday, February 23, 2025

Cybercriminals Make use of PhantomLoader to Distribute SSLoad Malware


The nascent malware known as SSLoad is being delivered by a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer.

“The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection,” security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.

SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model given its varied delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional kinds of malware down to victims.

Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation tool often used for post-exploitation purposes. The malware has been detected since April 2024.


The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus product called 360 Total Security (“MenuEx.dll”).


The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that serves as a dead drop resolver.

Also written in Rust, the final payload fingerprints the compromised machine and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.
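The chain described above gives a detection engineer three observable stages to correlate: a process spawned by the MSI installer, a vendor DLL on disk whose hash no longer matches a known-good baseline (the binary-patching step), and an outbound contact with a Telegram host used as a dead drop resolver. The script below is an added example, not code from Intezer or the report; the baseline hash, the Telegram host list and every telemetry record are constructed for illustration, and the module path is only assumed to resemble a 360 Total Security install location.

```python
"""Correlate constructed endpoint telemetry into the SSLoad-style chain:
MSI-spawned process -> patched vendor DLL -> contact with a dead-drop host.
Added example with constructed data; nothing here is a real IoC."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; not the real vendor DLL bytes.
GOOD_MENUEX = b"constructed stand-in for an unmodified MenuEx.dll"
PATCHED_MENUEX = GOOD_MENUEX + b"\x90" * 8   # stand-in for a binary-patched copy

# Known-good hash baseline keyed by on-disk module path (constructed; the
# path is an assumption about where the vendor module would normally live).
BASELINE = {
    r"C:\Program Files\360\Total Security\MenuEx.dll": sha256_hex(GOOD_MENUEX),
}

# Hosts through which an actor-controlled Telegram channel would be reached
# (assumption for the example).
DEAD_DROP_HOSTS = {"t.me", "api.telegram.org"}


@dataclass(frozen=True)
class ModuleLoad:
    pid: int
    image: str          # image name of the process loading the module
    parent_image: str   # image name of that process's parent
    path: str           # module path on disk
    sha256: str         # hash of the module as it sits on disk


@dataclass(frozen=True)
class NetConn:
    pid: int
    image: str
    dest_host: str


def patched_vendor_modules(loads, baseline=BASELINE):
    """Loads of a baselined module whose on-disk hash differs from the baseline."""
    return [m for m in loads if m.path in baseline and baseline[m.path] != m.sha256]


def dead_drop_contacts(conns, hosts=DEAD_DROP_HOSTS):
    """Connections whose destination is one of the dead-drop hosts."""
    return [c for c in conns if c.dest_host.lower() in hosts]


def score_chain(loads, conns):
    """Score each pid 0..3: +1 MSI-spawned, +1 patched vendor module, +1 dead-drop contact.
    Only pids that hit at least one stage appear in the result."""
    msi_children = {m.pid for m in loads if m.parent_image.lower() == "msiexec.exe"}
    patched = {m.pid for m in patched_vendor_modules(loads)}
    contacted = {c.pid for c in dead_drop_contacts(conns)}
    return {
        pid: int(pid in msi_children) + int(pid in patched) + int(pid in contacted)
        for pid in msi_children | patched | contacted
    }


def suspicious_pids(loads, conns, threshold=2):
    """Pids whose chain score reaches the threshold; a lone Telegram visit scores 1 and is ignored."""
    return sorted(pid for pid, s in score_chain(loads, conns).items() if s >= threshold)


# Constructed telemetry: one full chain (pid 4120), the legitimate vendor
# process loading the unmodified module (pid 2288), and a user's browser
# merely visiting Telegram (pid 5555).
SAMPLE_LOADS = [
    ModuleLoad(4120, "installer-child.exe", "msiexec.exe",
               r"C:\Program Files\360\Total Security\MenuEx.dll", sha256_hex(PATCHED_MENUEX)),
    ModuleLoad(2288, "360tray.exe", "explorer.exe",
               r"C:\Program Files\360\Total Security\MenuEx.dll", sha256_hex(GOOD_MENUEX)),
    ModuleLoad(3310, "notepad.exe", "explorer.exe",
               r"C:\Windows\System32\kernel32.dll", "0" * 64),
]
SAMPLE_CONNS = [
    NetConn(4120, "installer-child.exe", "t.me"),
    NetConn(2288, "360tray.exe", "update.example.invalid"),
    NetConn(5555, "browser.exe", "T.ME"),
]

if __name__ == "__main__":
    for pid, score in sorted(score_chain(SAMPLE_LOADS, SAMPLE_CONNS).items()):
        print(f"pid {pid}: chain score {score}")
    print("suspicious:", suspicious_pids(SAMPLE_LOADS, SAMPLE_CONNS))
```

The scoring deliberately requires two of the three stages before a pid is reported: a hash mismatch on its own can be a legitimate vendor update, and a Telegram connection on its own is ordinary user traffic, but the two together on a process that msiexec spawned is the shape the report describes. In a real deployment the baseline would come from signed vendor releases rather than a hard-coded dictionary.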


“SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques,” the researchers said, adding its dynamic string decryption and anti-debugging measures “emphasize its complexity and adaptability.”

The development comes as phishing campaigns have also been observed disseminating remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.
