Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware

Jun 13, 2024NewsroomMalware / Cyber Attack

The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer.

“The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection,” security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.

SSLoad, likely offered to other threat actors under a Malware-as-a-Service (MaaS) model owing to its different delivery methods, infiltrates systems through phishing emails, conducts reconnaissance, and pushes additional types of malware down to victims.

Prior reporting from Palo Alto Networks Unit 42 and Securonix has revealed the use of SSLoad to deploy Cobalt Strike, a legitimate adversary simulation software often used for post-exploitation purposes. The malware has been detected since April 2024.

Cybersecurity

The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security (“MenuEx.dll“).

The first-stage malware is designed to extract and run the payload, a Rust-based downloader DLL that, in turn, retrieves the main SSLoad payload from a remote server, the details of which are encoded in an actor-controlled Telegram channel that servers as dead drop resolver.

Also written in Rust, the final payload fingerprints the compromised system and sends the information in the form of a JSON string to the command-and-control (C2) server, after which the server responds with a command to download more malware.

“SSLoad demonstrates its capability to gather reconnaissance, attempt to evade detection and deploy further payloads through various delivery methods and techniques,” the researchers said, adding its dynamic string decryption and anti-debugging measures “emphasize its complexity and adaptability.”

The development comes as phishing campaigns have also been observed disseminating remote access trojans such as JScript RAT and Remcos RAT to enable persistent operation and execution of commands received from the server.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.