SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls.

For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations.

Cybersecurity researchers at Intezer recently discovered that SSLoad malware employs MSI installers to kick-start the delivery chain.

SSLoad Malware Employs MSI Installer

System infiltration, information gathering, and payload delivery are some of the operations in which SSLoad, a silent malware, is engaged.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

An active campaign using SSLoad recently involved a decoy Word document carrying an SSLoad DLL, which executed Cobalt Strike, and a phishing email leading to a fake Azure page that downloaded a JavaScript script as well as an MSI installer for loading the SSLoad payload.

Since April 2024, SSLoad has been targeting victims, and its multiple delivery methods hint at it being used for MaaS purposes, consequently showing how versatile it can be.

The researchers analyzed an MSI installer that initiates a delivery chain with multiple loaders, eventually deploying the final SSLoad payload.

The first PhantomLoader is a 32-bit C/C++ DLL using self-modifying techniques and XOR decryption to crack the next loader stage.

This second loader loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL used as a dead drop to get the command-and-control server address.

The C2 decoder decrypts the C2 address and user agent and sends an HTTP GET request to download the next payload stage from the C2 server.

This SSLoad variant uses a custom method to decrypt strings with the RC4 algorithm. Each string is encrypted with its own distinct key stored alongside it. 

The key is derived from the encoded blob’s first 6 and last 7 bytes. After calculating the encrypted string’s length, it is Base64 decoded and decrypted with RC4 using the derived key, extracting the Telegram channel URL. 

The payload is another Rust file that creates a mutex for anti-analysis, checks for debugging, dynamically loads DLLs, and derives rolling XOR keys through arithmetic operations to decode strings uniquely.

Besides this, it uses RtlGenRandom for unique folder naming, resolves library calls dynamically by hashing module and function names, and employs common malware techniques like manipulating the PEB for evasion.

The JSON fingerprint is sent to the C2 using HTTP POST, and Load makes an HTTP request containing the host ID.

The client checks for available tasks by sending a post request with a unique SSLoad host identifier.

Based on task availability, C2 responds with an encrypted job structure in RC4 and base64 encoded format, with a command (only “exe” is currently used for downloading payloads) and arguments.

It also demonstrates how complex it can be as shown by its use of Rust downloader, which is made up of dynamic string decryption and a new loader that includes an anti-debugging mechanism in place.

To combat such intricate malware campaigns effectively, continued monitoring and advanced threat detection are required.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo