Cybersecurity researchers have found an ongoing assault marketing campaign that is leveraging phishing emails to ship malware referred to as SSLoad.
The marketing campaign, codenamed FROZEN#SHADOW by Securonix, additionally entails the deployment of Cobalt Strike and the ConnectWise ScreenConnect distant desktop software program.
“SSLoad is designed to stealthily infiltrate programs, collect delicate info and transmit its findings again to its operators,” safety researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov mentioned in a report shared with The Hacker Information.
“As soon as contained in the system, SSLoad deploys a number of backdoors and payloads to take care of persistence and keep away from detection.”
Assault chains contain the usage of phishing messages to randomly goal organizations in Asia, Europe, and the Americas, with emails containing hyperlinks that result in the retrieval of a JavaScript file that kicks off the an infection move.
Earlier this month, Palo Alto Networks uncovered at the very least two totally different strategies by which SSLoad is distributed, one which entails the use of web site contact types to embed booby-trapped URLs and one other involving macro-enabled Microsoft Phrase paperwork.
The latter can be notable for the truth that malware acts as a conduit for delivering Cobalt Strike, whereas the previous has been used to ship a special malware referred to as Latrodectus, a possible successor to IcedID.
The obfuscated JavaScript file (“out_czlrh.js”), when launched and run utilizing wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a community share positioned at “wireoneinternet[.]data@80share” and runs it utilizing msiexec.exe.
The MSI installer, for its half, contacts an attacker-controlled area to fetch and execute the SSLoad malware payload utilizing rundll32.exe, following which it beacons to a command-and-control (C2) server together with details about the compromised system.
The preliminary reconnaissance section paves the way in which for Cobalt Strike, a professional adversary simulation software program, which is then used to obtain and set up ScreenConnect, thereby permitting the risk actors to remotely commandeer the host.
“With full entry to the system the risk actors started making an attempt to amass credentials and collect different vital system particulars,” the researchers mentioned. “At this stage they began scanning the sufferer host for credentials saved in information in addition to different doubtlessly delicate paperwork.”
The attackers have additionally been noticed pivoting to different programs within the community, together with the area controller, in the end infiltrating the sufferer’s Home windows area by creating their very own area administrator account.
“With this degree of entry, they might get into any related machine inside the area,” the researchers mentioned. “In the long run, that is the worst case state of affairs for any group as this degree of persistence achieved by the attackers can be extremely time consuming and expensive to remediate.”
The disclosure comes because the AhnLab Safety Intelligence Middle (ASEC) revealed that Linux programs are being contaminated with an open-source distant entry trojan referred to as Pupy RAT.
