Lost in relocation: analysis of a new loader distributing CASTLESTEALER

MITRE Techniques

• [T1027 ] Obfuscated Files or Information – OXLOADER hid its logic with layered packing and code-hiding methods, making static analysis difficult (‘the loader uses several obfuscation layers… and low detection rates across static engines and sandbox detonations’).
• [T1027.010 ] Obfuscated Files or Information: Command Obfuscation – The malware used mixed Boolean-Arithmetic, opaque predicates, and function chunking to distort code structure (‘control-flow flattening (CFF), mixed Boolean-Arithmetic (MBA), opaque predicates, and function chunking’).
• [T1027.016 ] Obfuscated Files or Information: Junk Code Insertion – The sample included dummy CMake-related strings and misleading code to disguise its purpose (‘Dummy CMake-related strings appear to be passed as arguments’).
• [T1027.013 ] Obfuscated Files or Information: Embedded Payloads – The loader decrypted embedded regions and unpacked the next stage from within itself (‘decrypts a 28,233-byte region’ and ‘decrypts the loader’s embedded configuration and execution context’).
• [T1055 ] Process Injection – The payload was bootstrapped for in-memory execution through DonutLoader and RunPE, indicating injected execution flow (‘bootstrapped through DonutLoader’s RunPE() function’).
• [T1140 ] Deobfuscate/Decode Files or Information – OXLOADER decrypted strings and code at runtime using XOR-based routines and Chaskey-LTS decryption (‘decrypts various strings at runtime’ and ‘The payload is configured from DonutLoader… decrypts… using the Chaskey-LTS block cipher’).
• [T1068 ] Exploitation for Privilege Escalation – The batch script launched the next stage with elevated execution intent by using PowerShell and -Verb RunAs (‘launches it with -Verb RunAs to trigger a UAC elevation prompt’).
• [T1204.002 ] User Execution: Malicious File – The infection chain depended on the victim clicking a sponsored result and executing downloaded files (‘clicked a sponsored result’ and ‘downloads and executes OXLOADER’).
• [T1566.002 ] Phishing: Spearphishing Link – The lure used malicious Google Ads and redirector links to drive users to the payload (‘searches for an lts version of node.js and clicked a sponsored result’).
• [T1082 ] System Information Discovery – The loader checked CPU count, RAM, display refresh rate, geography, and language to decide whether to continue (‘at least 3 CPUs’, ‘at least 3 GB’, and ‘configured for the Russian language’).
• [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – OXLOADER performed environment validation to avoid analysis platforms (‘avoid execution in sandbox environments’ and ‘values below 20 cause the loader to abort’).
• [T1622 ] Debugger Evasion – The malware attempted to defeat emulation and hooking by validating a specific network error result (‘defeat emulation/sandboxes that may hook or return a successful connection unconditionally’).
• [T1106 ] Native API – The loader used Windows APIs such as WNetAddConnection2W, GlobalMemoryStatusEx, GetUserGeoID, and GetUserDefaultUILanguage (‘uses… WNetAddConnection2W’ and ‘GetUserGeoID’).