MintsLoader is a malicious loader first observed in 2024 and used by several threat groups, most notably TAG-124, to deliver second-stage payloads including GhostWeaver and StealC. It relies on a multi-stage infection chain, evasion techniques, and a domain generation algorithm (DGA) for command-and-control (C2), all of which complicate detection and response. Affected: industrial sector, legal sector, energy sector, cybercriminal community
Key points:
- MintsLoader was first observed in phishing and drive-by download campaigns in 2024.
- Delivers second-stage payloads such as GhostWeaver, StealC, and a modified BOINC client.
- Uses obfuscated JavaScript and PowerShell scripts in its infection chain.
- Extensively used by the threat group TAG-124 (LandUpdate808).
- Delivered through phishing emails and compromised websites.
- Obfuscation hinders static detection methods such as YARA rules.
- The DGA makes static blocklists of C2 domains hard to maintain.
- Recorded Future’s intelligence aids in identifying MintsLoader samples and associated C2 domains.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Web Protocols: MintsLoader communicates with its C2 over HTTP.
- T1568.002 – Dynamic Resolution: Domain Generation Algorithms: C2 domains are generated by a DGA, which obscures the infrastructure and defeats static blocklists.
- T1204.002 – User Execution: Malicious File: social engineering through phishing emails and fake browser updates lures victims into executing the JavaScript payload.
- T1059.001 / T1059.007 – Command and Scripting Interpreter: PowerShell and JavaScript: the infection chain is driven by scripts in both languages.
- T1027 – Obfuscated Files or Information: the JavaScript and PowerShell stages are obfuscated to evade detection.
Indicators of Compromise:
- [URL] http://gibuzuy37v2v[.]top/1.php?s=mints13
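As an added example (not code from the report or from Recorded Future's tooling), the following Python triages constructed proxy log lines: it matches the published IoC exactly, and, because a DGA leaves domain blocklists stale, it also pivots on the URI shape of that IoC combined with a generic DGA-likeness heuristic. The heuristic, the sample log lines, and the assumption that other beacons share the `/1.php?s=mints…` shape are this example's own, not facts from the page.

```python
"""Triage of proxy log lines against the published MintsLoader IoC (added example)."""
import re
from collections import Counter
from math import log2
from urllib.parse import parse_qs, urlsplit

# The one IoC published on this page, kept defanged in the rule set.
KNOWN_IOC_URLS = {"http://gibuzuy37v2v[.]top/1.php?s=mints13"}

# Constructed sample proxy log lines (not real telemetry): ts src method url status.
# The second .top host is made up to exercise the DGA heuristic.
SAMPLE_PROXY_LOGS = [
    "2024-11-02T10:15:01Z 10.0.4.21 GET http://gibuzuy37v2v.top/1.php?s=mints13 200",
    "2024-11-02T10:15:09Z 10.0.4.21 GET http://www.example.com/index.html 200",
    "2024-11-02T10:16:40Z 10.0.7.8 GET http://qzjxkwv9r2lp.top/1.php?s=mints21 200",
    "2024-11-02T10:17:03Z 10.0.7.8 GET http://cdn.jsdelivr.net/npm/jquery.min.js 200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a URL that can be compared with log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


KNOWN_IOC_REFANGED = {refang(u) for u in KNOWN_IOC_URLS}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_dga(host: str) -> bool:
    """Generic DGA-likeness heuristic (assumption: this is NOT MintsLoader's real DGA).
    Flags a long second-level label that mixes letters and digits with high entropy."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return (
        len(sld) >= 10
        and any(ch.isdigit() for ch in sld)
        and any(ch.isalpha() for ch in sld)
        and shannon_entropy(sld) >= 3.0
    )


def matches_loader_uri(url: str) -> bool:
    """Pivot on the path and 's=mints...' parameter of the published IoC.
    Assumption for this example: other MintsLoader beacons share this shape."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return parts.path.endswith("/1.php") and any(
        v.startswith("mints") for v in query.get("s", [])
    )


def triage(lines):
    """Return (src, host, reason) for every line that deserves analyst attention."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        if url in KNOWN_IOC_REFANGED:
            reason = "known_ioc"
        elif matches_loader_uri(url) and looks_dga(host):
            reason = "loader_uri_on_dga_like_host"
        elif matches_loader_uri(url):
            reason = "loader_uri"
        else:
            continue
        hits.append((m.group("src"), host, reason))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROXY_LOGS):
        print(hit)
```

The exact-match rule is the only one grounded in the page; the URI and entropy rules are the kind of behaviour-based pivot an analyst reaches for when domains rotate, and both will need tuning against real traffic before being promoted to an alert.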