A malware loader known as Mintsloader is used to deliver PowerShell-based remote access Trojans called GhostWeaver.
“Mintsloader works through a multi-stage infection chain containing obfuscated JavaScript and Powershell scripts,” the Insikt group at Future said in a report shared with Hacker News.
“Malware employs sandbox and virtual machine avoidance technologies for domain generation algorithms (DGAs) and HTTP-based command-and-control (C2) communication.”
Distributed phishing and drive-by download campaigns have been detected wild since early 2023 for each orange cyber defense. Loaders have been observed to provide modified versions such as various subsequent payloads such as STEALC and Berkeley Open Infrastructure (BOINC) clients for network computing.
Malware is also used by threat actors who run e-Crime services such as Socgholish (aka FakeUpdates) and Landupdate808 (aka TAG-124) and is distributed via phishing emails targeting the industry, legal and energy sectors, as well as fake browser update prompts.
With a notable twist, recent attack waves employ an increasingly popular social engineering tactic called Clickfix to trick site visitors and copy and run malicious JavaScript and PowerShell code. Links to Clickfix pages will be distributed via spam email.
“Mintsloader only functions as a loader without supplemental features, but its main strength lies in its sandbox and virtual machine avoidance technology, as well as its DGA implementation that derives the C2 domain based on the date it was run,” said Future, recorded.
These features, coupled with obfuscation techniques, can prevent threat actors from analyzing and complicate detection efforts. The main responsibility of the malware is to use PowerShell scripts to download the next stage payload from the DGA domain via HTTP.
GhostWeaver is designed to maintain persistent communication with C2 servers, generate DGA domains based on fixed seed algorithms based on the number of weeks and years, steal browser data, and provide additional payloads in the form of plugins that can manipulate HTML content, according to a TRAC Labs report at the beginning of February of this year.
“In particular, GhostWeaver can deploy Mintsloader as an additional payload via the sendPlugin command. Communication between GhostWeaver and its command and control (C2) servers is protected via TLS encryption using obfuscated X.509 certificates embedded directly in PowerShell.
The disclosure comes when Kroll reveals that he has revealed attempts made by threat actors to leverage Clickfix to ensure initial access through an ongoing campaign that leverages Clickfix.
Source link
