Tuesday, June 25, 2024

SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls.

For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations.

Cybersecurity researchers at Intezer recently discovered that SSLoad malware employs MSI installers to kick-start the delivery chain.

SSLoad Malware Employs MSI Installer

System infiltration, information gathering, and payload delivery are some of the operations in which SSLoad, a silent malware, is engaged.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

An active campaign using SSLoad recently involved a decoy Word document carrying an SSLoad DLL, which executed Cobalt Strike, and a phishing email leading to a fake Azure page that downloaded a JavaScript script as well as an MSI installer for loading the SSLoad payload.

Since April 2024, SSLoad has been targeting victims, and its multiple delivery methods hint at it being used for MaaS purposes, consequently showing how versatile it can be.

The researchers analyzed an MSI installer that initiates a delivery chain with multiple loaders, eventually deploying the final SSLoad payload.

The first PhantomLoader is a 32-bit C/C++ DLL using self-modifying techniques and XOR decryption to crack the next loader stage.

This second loader loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL used as a dead drop to get the command-and-control server address.

SSLoad Telegram channel (Source – Intezer)

The C2 decoder decrypts the C2 address and user agent and sends an HTTP GET request to download the next payload stage from the C2 server.

This SSLoad variant uses a custom method to decrypt strings with the RC4 algorithm. Each string is encrypted with its own distinct key stored alongside it. 

The key is derived from the encoded blob’s first 6 and last 7 bytes. After calculating the encrypted string’s length, it is Base64 decoded and decrypted with RC4 using the derived key, extracting the Telegram channel URL. 

The payload is another Rust file that creates a mutex for anti-analysis, checks for debugging, dynamically loads DLLs, and derives rolling XOR keys through arithmetic operations to decode strings uniquely.

Besides this, it uses RtlGenRandom for unique folder naming, resolves library calls dynamically by hashing module and function names, and employs common malware techniques like manipulating the PEB for evasion.

The JSON fingerprint is sent to the C2 using HTTP POST, and Load makes an HTTP request containing the host ID.

The client checks for available tasks by sending a post request with a unique SSLoad host identifier.

Based on task availability, C2 responds with an encrypted job structure in RC4 and base64 encoded format, with a command (only “exe” is currently used for downloading payloads) and arguments.

It also demonstrates how complex it can be as shown by its use of Rust downloader, which is made up of dynamic string decryption and a new loader that includes an anti-debugging mechanism in place.

To combat such intricate malware campaigns effectively, continued monitoring and advanced threat detection are required.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles