SSLoad is a stealthy malware campaign that infiltrates systems via phishing, performs reconnaissance, and delivers payloads through a modular loader chain, including a MaaS-enabled delivery variant. The analysis details the loaders, payloads, and IOCs, highlighting the malware's evolving capabilities and multiple delivery methods. #SSLoad #PhantomLoader #CobaltStrike #MaaS #Unit42 #Secournix #Azure #360TotalSecurity #Telegram #Windows
Key points
- Phishing-based delivery with two main paths: a decoy Word document delivering an SSLoad DLL that ultimately runs Cobalt Strike, and a phishing email leading to a fake Azure page that downloads a JavaScript script which retrieves an MSI installer carrying SSLoad.
- SSLoad activity has been observed since April 2024, with diverse delivery variants suggesting Malware-as-a-Service (MaaS) usage and ongoing evolution.
- The MSI installer initiates a delivery chain that includes multiple loaders before deploying the final payload.
- The first-stage loader, PhantomLoader, patches a legitimate DLL (MenuEx.dll) and uses self-modifying code to evade detection, including disguising itself and reusing code from antivirus software.
- PhantomLoader employs XOR-based decryption with a fixed stack key to decrypt the payloads and uses per-string RC4-like decoding to cloak strings and commands.
- The final payload, SSLoad, is a Rust-based downloader that uses a Telegram dead-drop channel for initial data and then communicates with a C2 over RC4-encrypted messages, including a registration beacon and tasking loop for commands like downloading additional payloads.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – “One attack vector involves a decoy Word document that delivers an SSLoad DLL, which eventually executes Cobalt Strike.”
- [T1566.002] Phishing: Spearphishing Link – “The other attack utilizes a phishing email that leads to a fake Azure page, downloading a JavaScript script that ultimately downloads an MSI installer, which loads the SSLoad payload.”
- [T1036] Masquerading – “The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection.”
- [T1027] Obfuscated/Compressed Data – “payload is stored encrypted in the resource section… The decoding logic employs an XOR decryption method.”
- [T1105] Ingress Tool Transfer – “The argument is a URL pointing to a server to download an additional payload.”
- [T1071.001] Web Protocols – “The Telegram channel is used as a dead drop host” and “C2 address… http://85[.]239.53.219/api/g”
- [T1497] Virtualization/Sandbox Evasion – “The malware will check the Process-Environment-Block (PEB) to see if the BeingDebugged flag is set, as an anti-debugging technique.”
Indicators of Compromise
- [File Hash] IOCs (files) – 90f1511223698f33a086337a6875db3b5d6fbcce06f3195cdd6a8efa90091750, 09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c, 73774861d946d62c2105fef4718683796cb77de7ed42edaec7affcee5eb0a0ee, 6aa3daefee979a0efbd30de15a1fc7c0d05a6e8e3f439d5af3982878c3901a1c, 265514c8b91b96062fd2960d52ee09d67ea081c56ebadd7a8661f479124133e9, 6329244cfb3480eae11070f1aa880bff2fd52b374e12ac37f1eacb6379c72b80
- [Network] 85.239.53[.]219 – C2 server address referenced in the SSLoad payload chain
- [Domain] t[.]me – Telegram dead-drop channel used for C2 coordination
- [URL] http://85[.]239.53.219/api/g – Decrypted C2 endpoint accessed by the SSLoad payload
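The indicators above are published defanged, so they cannot be compared against raw telemetry as-is. The following added example (not code from the Intezer report) refangs them and sweeps a constructed proxy log and a constructed list of observed file hashes for the SSLoad C2 endpoint, the C2 address and the Telegram dead-drop domain; the log format and sample lines are assumptions for illustration.

```python
from urllib.parse import urlparse

# IOCs exactly as published in the summary above (defanged).
DEFANGED_IOCS = {
    "ipv4": ["85.239.53[.]219"],
    "domain": ["t[.]me"],
    "url": ["http://85[.]239.53.219/api/g"],
    "sha256": [
        "90f1511223698f33a086337a6875db3b5d6fbcce06f3195cdd6a8efa90091750",
        "09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c",
        "73774861d946d62c2105fef4718683796cb77de7ed42edaec7affcee5eb0a0ee",
        "6aa3daefee979a0efbd30de15a1fc7c0d05a6e8e3f439d5af3982878c3901a1c",
        "265514c8b91b96062fd2960d52ee09d67ea081c56ebadd7a8661f479124133e9",
        "6329244cfb3480eae11070f1aa880bff2fd52b374e12ac37f1eacb6379c72b80",
    ],
}

def refang(ioc: str) -> str:
    """Undo common defanging so a value can be compared against real logs."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}

# Constructed proxy log (not from the report). Fields: ts src dst method url status
SAMPLE_PROXY_LOG = """\
2024-05-02T10:01:07Z 10.0.0.15 149.154.167.99 GET https://t.me/s/some_channel 200
2024-05-02T10:01:12Z 10.0.0.15 85.239.53.219 POST http://85.239.53.219/api/g 200
2024-05-02T10:02:33Z 10.0.0.22 93.184.216.34 GET https://example.com/index.html 200
"""

def scan_proxy_log(text: str) -> list:
    """Return (ts, src, url, reasons) for every line touching an SSLoad indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip malformed lines rather than crash
        ts, src, dst, _method, url = parts[:5]
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if dst in IOCS["ipv4"] or host in IOCS["ipv4"]:
            reasons.append("c2-ip")
        if url in IOCS["url"]:
            reasons.append("c2-url")
        # Dead-drop lookups to t.me are low fidelity on their own; correlate with the above.
        if any(host == d or host.endswith("." + d) for d in IOCS["domain"]):
            reasons.append("dead-drop-domain")
        if reasons:
            hits.append((ts, src, url, reasons))
    return hits

def match_hashes(observed: list) -> list:
    """Intersect observed SHA-256 values (any case) with the published sample hashes."""
    return sorted(set(h.lower() for h in observed) & set(IOCS["sha256"]))
```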
Read more: https://intezer.com/blog/research/ssload-technical-malware-analysis/