The nascent malware generally known as SSLoad is being delivered by the use of a beforehand undocumented loader known as PhantomLoader, in line with findings from cybersecurity agency Intezer.
“The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection,” safety researchers Nicole Fishbein and Ryan Robinson stated in a report printed this week.
SSLoad, possible provided to different risk actors below a Malware-as-a-Service (MaaS) mannequin owing to its completely different supply strategies, infiltrates techniques via phishing emails, conducts reconnaissance, and pushes extra forms of malware right down to victims.
Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the usage of SSLoad to deploy Cobalt Strike, a authentic adversary simulation software program typically used for post-exploitation functions. The malware has been detected since April 2024.
The assault chains usually contain the usage of an MSI installer that, when launched, initiates the an infection sequence. Particularly, it results in the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software program known as 360 Complete Safety (“MenuEx.dll“).
The primary-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in flip, retrieves the principle SSLoad payload from a distant server, the main points of that are encoded in an actor-controlled Telegram channel that servers as useless drop resolver.
Additionally written in Rust, the ultimate payload fingerprints the compromised system and sends the knowledge within the type of a JSON string to the command-and-control (C2) server, after which the server responds with a command to obtain extra malware.
“SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques,” the researchers stated, including its dynamic string decryption and anti-debugging measures “emphasize its complexity and adaptability.”
The event comes as phishing campaigns have additionally been noticed disseminating distant entry trojans comparable to JScript RAT and Remcos RAT to allow persistent operation and execution of instructions obtained from the server.
