Summary: Cybersecurity researchers have discovered an ongoing attack campaign called FROZEN#SHADOW that utilizes phishing emails to deliver malware called SSLoad. The campaign targets organizations in Asia, Europe, and the Americas and involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
Threat Actor: SSLoad | SSLoad
Victim: Various organizations in Asia, Europe, and the Americas | FROZEN#SHADOW
Key Point :
- The attack campaign, codenamed FROZEN#SHADOW, utilizes phishing emails to deliver the SSLoad malware.
- SSLoad is designed to infiltrate systems, gather sensitive information, and transmit it back to its operators.
- The campaign also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
- The attack chains involve the use of phishing messages with links that lead to the retrieval of a JavaScript file, initiating the infection flow.
- Palo Alto Networks uncovered two different methods by which SSLoad is distributed: through website contact forms and macro-enabled Microsoft Word documents.
- The malware acts as a conduit for delivering Cobalt Strike and has been used to deliver another malware called Latrodectus.
- The obfuscated JavaScript file retrieves an MSI installer file and runs it, which contacts an attacker-controlled domain to fetch and execute the SSLoad malware payload.
- The initial reconnaissance phase allows for the deployment of Cobalt Strike, which is used to download and install ScreenConnect, giving the threat actors remote control over the host.
- The attackers attempt to acquire credentials and gather critical system details, scanning for credentials stored in files and other sensitive documents.
- The attackers pivot to other systems in the network, including the domain controller, and create their own domain administrator account to infiltrate the victim’s Windows domain.
- The disclosure of this attack campaign comes as Linux systems are being infected with an open-source remote access trojan called Pupy RAT.
Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver malware called SSLoad.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
“SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
“Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection.”
Attack chains involve the use of phishing messages to randomly target organizations in Asia, Europe, and the Americas, with emails containing links that lead to the retrieval of a JavaScript file that kicks off the infection flow.
Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed, one which entails the use of website contact forms to embed booby-trapped URLs and another involving macro-enabled Microsoft Word documents.
The latter is also notable for the fact that malware acts as a conduit for delivering Cobalt Strike, while the former has been used to deliver a different malware called Latrodectus, a likely successor to IcedID.
The obfuscated JavaScript file (“out_czlrh.js”), when launched and run using wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a network share located at “wireoneinternet[.]info@80share” and runs it using msiexec.exe.
The MSI installer, for its part, contacts an attacker-controlled domain to fetch and execute the SSLoad malware payload using rundll32.exe, following which it beacons to a command-and-control (C2) server along with information about the compromised system.
The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate adversary simulation software, which is then used to download and install ScreenConnect, thereby allowing the threat actors to remotely commandeer the host.
“With full access to the system the threat actors began attempting to acquire credentials and gather other critical system details,” the researchers said. “At this stage they started scanning the victim host for credentials stored in files as well as other potentially sensitive documents.”
The attackers have also been observed pivoting to other systems in the network, including the domain controller, ultimately infiltrating the victim’s Windows domain by creating their own domain administrator account.
“With this level of access, they could get into any connected machine within the domain,” the researchers said. “In the end, this is the worst case scenario for any organization as this level of persistence achieved by the attackers would be incredibly time consuming and costly to remediate.”
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.
Source: https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html
“An interesting youtube video that may be related to the article above”