Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware

June 13, 2024 at 06:48AM

Cybersecurity firm Intezer identified a new malware, SSLoad, distributed through a previously undocumented loader called PhantomLoader. SSLoad infiltrates systems through phishing emails and delivers additional malware. It has been observed deploying the legitimate adversary simulation software Cobalt Strike. The malware demonstrates sophisticated capabilities, including reconnaissance and dynamic string decryption. Phishing campaigns are also spreading remote access trojans.

According to the meeting notes of Jun 13, 2024, a nascent malware called SSLoad is being delivered through a previously undocumented loader dubbed PhantomLoader. Cybersecurity firm Intezer reports that the loader is added to a legitimate DLL, typically one belonging to an EDR or antivirus product, using binary patching and self-modifying techniques to evade detection.

SSLoad, likely offered under a Malware-as-a-Service (MaaS) model, infiltrates systems via phishing emails, conducts reconnaissance, and deploys additional malware. Previous reports have revealed its use to deploy Cobalt Strike, a legitimate adversary simulation software often used for post-exploitation purposes. The attack chains typically involve the use of an MSI installer leading to the execution of PhantomLoader, which then retrieves the main SSLoad payload from a remote server.

Upon compromising a system, the SSLoad payload sends system information to a command-and-control (C2) server in the form of a JSON string and awaits further commands to download more malware. Its dynamic string decryption and anti-debugging measures emphasize its complexity and adaptability.

In addition, the notes mentioned phishing campaigns disseminating remote access trojans such as JScript RAT and Remcos RAT, which give the operators persistent access and the ability to execute commands received from the server.
