Keypoints
- Initial delivery via phishing emails with malicious Word documents containing encoded XML/JavaScript.
- Malicious macro decodes an XML-embedded JavaScript string, which base64-decodes and drops PhantomLoader as %TEMP%/app.com.
- PhantomLoader is binary-patched into a legitimate 360 Total Security module (seen as PatchUp.exe) and contains an encrypted code stub decrypted via XOR at runtime.
- The loader resolves kernel32 functions by hash, allocates memory, and decrypts/loads the SSLoad payload from the DLL’s .rsrc section into memory.
- SSLoad (Rust) uses anti-debugging (PEB BeingDebugged), anti-emulation (MpVmp32Entry export check), mutex creation, and layered string decryption to hide C2 details.
- SSLoad fingerprints the host (OS, username, hostname, arch, public IP) into a JSON object and performs RC4-secured communication after receiving a server-generated key and ID.
- IOC artifacts include Incident_Harassment.doc, %TEMP%/app.com, multiple MD5 hashes, and C2 IP 85.239.53.219; a YARA rule for detection is provided.
MITRE Techniques
- [T1071.001] Web Protocols – Used for C2 communication and beaconing to receive commands. Quote: (‘Establishes communication with a C2 server to receive commands.’)
- [T1059.001] Command and Scripting Interpreter (PowerShell) – Execution vector via document-embedded scripts/macros. Quote: (‘Malicious macros in Word documents execute embedded scripts.’)
- [T1547.001] Boot or Logon Autostart Execution – Persistence-related behavior noted; the article cites mutex creation as part of the implant's lifecycle. Quote: (‘Creates a mutex to prevent multiple instances of SSLoad.’)
- [T1041] Exfiltration Over C2 Channel – Host fingerprinting data is packaged and sent to the C2 server. Quote: (‘Collects system information and sends it to the C2 server.’)
Indicators of Compromise
- [File names/paths] Drop and staging – Incident_Harassment.doc, %TEMP%/app.com
- [File hashes (MD5)] Samples observed – EC7E26A81B6002C53854A1769AD427A6, bd3231011448b2d6a335032d11c12cad (and 1 more hash)
- [IP address] C2 infrastructure – 85.239.53.219
- [YARA rule] Detection signature – rule crime_phantom_loader_dll (includes multiple MD5s and strings targeting the patched DLL)
PhantomLoader’s execution begins when a malicious Word document runs an AutoClose macro that reads an encoded XML string from a form named “UserForm1.” That XML contains JavaScript which, once extracted and decoded (the author used CyberChef in analysis), base64-decodes the next-stage binary and writes it to %TEMP% as “app.com” before launching it. In sandbox traces the Word process (WINWORD.exe) spawns the staged process (app.com), confirming macro-driven execution and staged payload drop.
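The decoding chain above (XML form data, a JavaScript string, base64, a PE written to disk) can be reproduced statically for triage without running the document. The script below is an added example, not code from the ANY.RUN write-up: it takes a constructed XML fragment shaped like the form data described, pulls base64-looking string literals out of the JavaScript, decodes them, keeps those that start with an MZ header, and reports their MD5 so they can be compared against the published sample hashes. The element names and the sample payload are assumptions for the example; the two hashes in KNOWN_MD5 are the ones listed on this page.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# MD5s listed in this page's IOC section (upper-cased for comparison).
KNOWN_MD5 = {
    "EC7E26A81B6002C53854A1769AD427A6",
    "BD3231011448B2D6A335032D11C12CAD",
}

# Constructed sample: a fake PE (MZ stub + PE signature) wrapped in a JS
# string inside a UserForm1-like XML element. Element and variable names
# are assumptions; a real document's layout will differ.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_XML = (
    "<UserForm1><script>var s = \""
    + base64.b64encode(SAMPLE_PAYLOAD).decode()
    + "\";</script></UserForm1>"
)

# Quoted string literals that look like base64 (16+ chars, optional padding).
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def extract_js_literals(xml_text):
    """Return base64-looking string literals found in the XML's text nodes."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.text:
            found.extend(B64_LITERAL.findall(elem.text))
    return found


def decode_candidates(xml_text):
    """Base64-decode each literal and keep the ones that start with 'MZ'."""
    hits = []
    for literal in extract_js_literals(xml_text):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob[:2] == b"MZ":
            md5 = hashlib.md5(blob).hexdigest().upper()
            hits.append({"size": len(blob), "md5": md5, "known": md5 in KNOWN_MD5})
    return hits


if __name__ == "__main__":
    for hit in decode_candidates(SAMPLE_XML):
        print(hit)
```

On the constructed sample this yields one 84-byte candidate whose hash is (as expected) not in the IOC list; pointed at the XML extracted from a real document it gives the analyst the dropped binary's hash before any sandbox run.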
The loaded “app.com” is a PhantomLoader module masquerading as a 360 Total Security component (often PatchUp.exe) and appears to have been integrated into a legitimate DLL via binary patching. At runtime the loader locates an encrypted code stub in the .text section, XOR-decrypts it with a hardcoded key (an IDAPython script was used to reproduce this during analysis), then resolves kernel32 APIs by hashed lookups (VirtualAlloc, LoadLibraryA, GetProcAddress). Using those resolved functions it allocates memory and XOR-decrypts an embedded SSLoad payload stored in the .rsrc section (not via FindResourceA/LockResource but by offset), then loads and executes SSLoad directly in memory.
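Because the SSLoad blob is XOR-encrypted and located by raw offset rather than through the resource API, an analyst can recover it from a dumped .rsrc section by scanning for an offset where decryption produces a valid MZ/PE header. The following is an added example in the spirit of the IDAPython script mentioned above, not the author's script: the XOR key and the section contents are constructed for the example, since the real key is not given on this page.

```python
import hashlib


def xor_decrypt(data, key):
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xored_pe(section, key):
    """Scan a section for an offset where XOR-decrypting yields MZ ... PE\\0\\0.

    Returns (offset, decrypted_tail) or None. The key is applied relative to
    the payload start, matching a loader that decrypts from a known offset.
    """
    k0, k1 = key[0], key[1 % len(key)]
    for off in range(len(section) - 0x40):
        # Cheap pre-check on the two header bytes before decrypting the rest.
        if section[off] ^ k0 != 0x4D or section[off + 1] ^ k1 != 0x5A:
            continue
        dec = xor_decrypt(section[off:], key)
        e_lfanew = int.from_bytes(dec[0x3C:0x40], "little")
        if e_lfanew + 4 <= len(dec) and dec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return off, dec
    return None


# Constructed sample: a minimal fake PE (MZ header, e_lfanew = 0x40, PE
# signature) XOR-encrypted with an assumed 3-byte key and placed at 0x30
# inside filler bytes standing in for the rest of .rsrc.
SAMPLE_KEY = b"\x5a\xc3\x10"
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
)
SAMPLE_SECTION = b"\x11" * 0x30 + xor_decrypt(SAMPLE_PE, SAMPLE_KEY) + b"\x22" * 8


def recover_payload(section, key, size):
    """Locate the payload, return (offset, payload_bytes, md5) or None."""
    hit = find_xored_pe(section, key)
    if hit is None:
        return None
    off, dec = hit
    payload = dec[:size]
    return off, payload, hashlib.md5(payload).hexdigest()


if __name__ == "__main__":
    print(recover_payload(SAMPLE_SECTION, SAMPLE_KEY, len(SAMPLE_PE)))
```

The pre-check on the first two bytes keeps the scan linear even for a large section; the PE-signature check after full decryption avoids false positives from filler that happens to decrypt to "MZ".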
SSLoad (a Rust-based loader) performs multiple anti-analysis measures: it inspects the PEB BeingDebugged flag for anti-debugging, checks for an emulator-specific export (“MpVmp32Entry”) to detect sandbox emulation, creates a mutex with a hardcoded name to enforce single-instance execution, and generates a runtime folder in %APPDATA%/Microsoft using SystemFunction036. It decrypts C2 endpoints via layered string decryption, fingerprints the host (OS version, username, hostname, architecture, public IP) into a JSON object, then sends that data to the C2. The C2 replies with a base64-encoded RC4 key and an ID; subsequent requests are empty HTTP POSTs carrying only the server-provided ID, and the implant enters a beaconing loop awaiting commands (e.g., “command”:“exe” with a URL to download and run the next-stage payload).
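For an incident responder holding a packet capture of this exchange, the practical need is to turn the server-provided key into plaintext tasking. The block below is an added example, not code from the article or the malware: it implements textbook RC4, parses an assumed JSON shape for the first reply (a base64 "key" field and an "id" field; the real field names are not given on this page), and decrypts a later task message. The capture is constructed, and the URL is a placeholder.

```python
import base64
import json


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). Encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_key_exchange(first_reply):
    """Assumed shape of the first C2 reply: {"key": <base64 RC4 key>, "id": <str>}."""
    obj = json.loads(first_reply)
    return base64.b64decode(obj["key"]), obj["id"]


def decrypt_task(rc4_key, body):
    """Decrypt a later server message and parse the JSON task it carries."""
    return json.loads(rc4(rc4_key, body).decode())


# Constructed capture standing in for the beacon exchange described above.
SERVER_KEY = b"Key"                      # what the server hands out (constructed)
FIRST_REPLY = json.dumps({"key": base64.b64encode(SERVER_KEY).decode(), "id": "bot-0001"})
TASK = {"command": "exe", "url": "http://example.invalid/next-stage.bin"}  # placeholder URL
TASK_CIPHERTEXT = rc4(SERVER_KEY, json.dumps(TASK).encode())


def analyze_capture(first_reply, later_body):
    """Recover key and ID from the first reply, then decrypt a later task."""
    key, bot_id = parse_key_exchange(first_reply)
    return {"id": bot_id, "task": decrypt_task(key, later_body)}


if __name__ == "__main__":
    print(analyze_capture(FIRST_REPLY, TASK_CIPHERTEXT))
```

Note that the beacon itself carries nothing but the ID in an otherwise empty POST, so the tasking content is only visible once the key from the first reply has been recovered; the RC4 routine is verified against the standard "Key"/"Plaintext" test vector.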
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/phantomloader-and-ssload-analysis/