QuirkyLoader is a new loader observed since November 2024 that delivers final payloads for multiple malware families (including Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger) via malicious email archives. The infection chain uses a .NET DLL loader with ahead-of-time compilation, which decrypts the final payload and injects it into a target process through DLL side-loading and process hollowing. Campaigns have been noted in Taiwan (targeting Nusoft Taiwan) and in Mexico, delivering Remcos/AsyncRAT or Snake Keylogger. #QuirkyLoader #AgentTesla #AsyncRAT #FormBook #MassLogger #Remcos #Rhadamanthys #SnakeKeylogger #NusoftTaiwan
Keypoints
- QuirkyLoader delivers final payloads for multiple malware families via malicious email archives, initiating infection through spam attachments.
- The loader is a .NET-based DLL compiled with ahead-of-time (AOT) compilation, designed to appear as native code and decrypt and inject the final payload.
- It uses DLL side-loading and process hollowing to inject the payload into targeted processes such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
- The encrypted payload is decrypted at runtime, with Speck-128 in CTR mode observed in at least one variant, and the loader resolves Win32 APIs dynamically to evade detection.
- Campaigns have been observed in Taiwan targeting Nusoft Taiwan and in Mexico delivering Remcos/AsyncRAT or Snake Keylogger, indicating geographically distributed operations.
MITRE Techniques
- [T1566.001] Spearphishing Attachment: The infection chain begins with a malicious archive file attached to a spam email. ‘The QuirkyLoader infection chain begins when a user opens a malicious archive file attached to a spam email.’
- [T1574.001] DLL Side-Loading: The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL. ‘The actor uses DLL side-loading, a technique where launching the legitimate executable also loads the malicious DLL.’
- [T1055.012] Process Hollowing: The loader injects the decrypted payload by performing process hollowing on one of the following processes: AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. ‘It accomplishes this by performing process hollowing on one of the following processes: AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe.’
- [T1140] Deobfuscate/Decode Files or Data: The encrypted payload is decrypted at runtime, with Speck-128 in CTR mode observed in at least one variant. ‘The encrypted payload is decrypted at runtime, with Speck-128 in CTR mode observed in at least one variant.’
- [T1027] Obfuscated/Compressed Files and Information: The payload is encrypted and disguised as a DLL. ‘an encrypted payload disguised as a DLL.’
Indicators of Compromise
- [Domain] Domains used for the malspam campaign: catherinereynolds.info, mail.catherinereynolds.info
- [IP Address] IP addresses related to malspam distribution: 157.66.225.11, 103.75.77.90, and 1 other item
- [SHA-256 hash] File hashes associated with QuirkyLoader components: 011257eb766f2539828bdd45f8aa4ce3c4048ac2699d988329783290a7b4a0d3, 0ea3a55141405ee0e2dfbf333de01fe93c12cf34555550e4f7bb3fdec2a7673b
- [File name] Target and related executable names used in the infection chain: AddInProcess32.exe, InstallUtil.exe, and 1 other item
Read more: https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader