SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls.

For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations.

Cybersecurity researchers at Intezer recently discovered that SSLoad malware employs MSI installers to kick-start the delivery chain.

SSLoad Malware Employs MSI Installer

System infiltration, information gathering, and payload delivery are some of the operations in which SSLoad, a silent malware, is engaged.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

An active campaign using SSLoad recently involved a decoy Word document carrying an SSLoad DLL, which executed Cobalt Strike, and a phishing email leading to a fake Azure page that downloaded a JavaScript script as well as an MSI installer for loading the SSLoad payload.

Since April 2024, SSLoad has been targeting victims, and its multiple delivery methods hint at it being used for MaaS purposes, consequently showing how versatile it can be.

The researchers analyzed an MSI installer that initiates a delivery chain with multiple loaders, eventually deploying the final SSLoad payload.

The first PhantomLoader is a 32-bit C/C++ DLL using self-modifying techniques and XOR decryption to crack the next loader stage.

This second loader loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL used as a dead drop to get the command-and-control server address.

SSLoad Telegram channel (Source – Intezer)

The C2 decoder decrypts the C2 address and user agent and sends an HTTP GET request to download the next payload stage from the C2 server.

This SSLoad variant uses a custom method to decrypt strings with the RC4 algorithm. Each string is encrypted with its own distinct key stored alongside it. 

The key is derived from the encoded blob’s first 6 and last 7 bytes. After calculating the encrypted string’s length, it is Base64 decoded and decrypted with RC4 using the derived key, extracting the Telegram channel URL. 

The payload is another Rust file that creates a mutex for anti-analysis, checks for debugging, dynamically loads DLLs, and derives rolling XOR keys through arithmetic operations to decode strings uniquely.

Besides this, it uses RtlGenRandom for unique folder naming, resolves library calls dynamically by hashing module and function names, and employs common malware techniques like manipulating the PEB for evasion.

The JSON fingerprint is sent to the C2 using HTTP POST, and Load makes an HTTP request containing the host ID.

The client checks for available tasks by sending a post request with a unique SSLoad host identifier.

Based on task availability, C2 responds with an encrypted job structure in RC4 and base64 encoded format, with a command (only “exe” is currently used for downloading payloads) and arguments.

It also demonstrates how complex it can be as shown by its use of Rust downloader, which is made up of dynamic string decryption and a new loader that includes an anti-debugging mechanism in place.

To combat such intricate malware campaigns effectively, continued monitoring and advanced threat detection are required.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

3 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

3 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

3 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

3 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

7 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

7 hours ago