Article Details
Scrape Timestamp (UTC): 2024-06-13 10:24:25.857
Source: https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.html
Original Article Text
Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware

The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. "The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection," security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.

SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model owing to its different delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional types of malware down to victims. Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation software often used for post-exploitation purposes. The malware has been detected since April 2024.

The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll"). The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that serves as a dead drop resolver. Also written in Rust, the final payload fingerprints the compromised system and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.
"SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques," the researchers said, adding that its dynamic string decryption and anti-debugging measures "emphasize its complexity and adaptability."

The development comes as phishing campaigns have also been observed disseminating remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.
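Binary-patching a legitimate, signed security-product DLL (as the article describes for PhantomLoader) invalidates that DLL's Authenticode signature. The following PowerShell check, added here as an illustration and not taken from the Intezer report, enumerates DLLs loaded into running processes whose version info claims a security vendor and reports any whose signature no longer verifies; the vendor keyword list is an assumption to tune for your own estate.

```powershell
# Added example (not from the article): flag loaded DLLs that claim to belong to a
# security product but whose Authenticode signature does not verify. A patched
# signed DLL typically shows Status = HashMismatch; an unsigned look-alike shows NotSigned.
$VendorKeywords = @('360', 'Qihoo', 'Antivirus', 'Security')   # assumed list; adjust per estate

function Get-SuspiciousSecurityModules {
    param([string[]]$Keywords = $VendorKeywords)

    $seen = @{}   # de-duplicate by on-disk path; the same DLL is often mapped into many processes
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        # Module enumeration fails for protected processes and for bitness mismatches; skip those
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true

            # Only inspect files whose own version resource claims to be a security product
            $vi    = $m.FileVersionInfo
            $claim = "$($vi.CompanyName) $($vi.FileDescription) $($vi.ProductName)"
            $claimsVendor = $false
            foreach ($k in $Keywords) {
                if ($claim -match [regex]::Escape($k)) { $claimsVendor = $true; break }
            }
            if (-not $claimsVendor) { continue }

            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $path
                    Company   = $vi.CompanyName
                    SigStatus = $sig.Status          # HashMismatch / NotSigned / UnknownError
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

Get-SuspiciousSecurityModules | Format-Table -AutoSize
```

Run it from an elevated session so that modules of system and security-product processes can be enumerated; a hit is a lead for triage (hash the file and compare it with the vendor's shipped copy), not proof of compromise on its own.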
Daily Brief Summary
The SSLoad malware is distributed using PhantomLoader, a new loader that is patched into a legitimate DLL and uses self-modifying code to evade detection.
Researchers identified that PhantomLoader compromises systems by masquerading as a DLL file for antivirus products, specifically 360 Total Security.
SSLoad is utilized in phishing campaigns to perform initial reconnaissance and subsequently download additional malware payloads.
The malware operates under a Malware-as-a-Service model, suggesting it is available for use by various threat actors.
SSLoad has capabilities for system fingerprinting and sending gathered data to a command-and-control server, which then further instructs the malware to deploy more malicious content.
The use of a Telegram channel as a dead drop resolver highlights advanced tactics for remote command and control communication.
SSLoad incorporates sophisticated evasion techniques including dynamic string decryption and anti-debugging measures, indicating a high level of complexity and adaptability in its operations.
Aside from SSLoad, other types of malware like JScript RAT and Remcos RAT have also been noted as part of phishing efforts aiming for long-term access and control over compromised systems.