SSLoad: the hunt for digital fingerprints is declared open

Tomcat

Using antivirus components allows hackers to bypass detection and deploy malicious payloads.

Cybersecurity researchers from Intezer have discovered a new malware called SSLoad, which is distributed using a previously unknown PhantomLoader loader.

"The loader is added to legitimate DLLs, typically EDR or antivirus products, by binary patching the file and using self-modification techniques to bypass detection," security researchers Nicole Fishbein and Ryan Robinson said in a report published this week.

SSLoad is likely offered to other cybercriminals under a Malware-as-a-Service (MaaS) model, judging by the variety of delivery methods observed. The malware enters systems through phishing emails, performs reconnaissance, and downloads additional malware onto victims' computers.

Previously, researchers from Palo Alto Networks Unit 42 and Securonix reported that SSLoad was used to distribute Cobalt Strike, a legitimate adversary simulation tool that is frequently abused for post-exploitation. The malware has been actively used since at least April 2024.

The attack usually begins with an MSI installer which, when launched, starts the infection chain. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a module of the 360 Total Security antivirus software (“MenuEx.dll”).
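The loader technique described above relies on a legitimate product DLL being binary-patched in place, so the file keeps its name and location but no longer matches the vendor's build. A simple defender-side check for that is a file-integrity baseline: hash the DLLs of a product directory once, then re-verify and flag any file whose content changed. The following script is an added example (not code from the researchers or from the report) that implements such a baseline check; the directory contents, file names and the "patch" it applies are constructed purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".dll",)):
    """Map each DLL under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def verify_against_baseline(root, baseline):
    """Compare the current directory state with a previously recorded baseline.

    Returns the names of files that were modified in place (the binary-patching
    case), files that disappeared, and files that were not in the baseline.
    """
    current = build_baseline(root)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    added = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: record a baseline, then patch one DLL and add another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample files standing in for a product's DLLs (not real binaries).
        (root / "MenuEx.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"original code")
        (root / "Other.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"other code")
        baseline = build_baseline(root)

        # Simulate an in-place binary patch: same name, same size, different bytes.
        data = bytearray((root / "MenuEx.dll").read_bytes())
        data[-4:] = b"XXXX"
        (root / "MenuEx.dll").write_bytes(bytes(data))
        # Simulate a dropped file that was never part of the baseline.
        (root / "Extra.dll").write_bytes(b"MZ" + b"new module")

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a clean install and stored outside the monitored host, and on Windows it complements, rather than replaces, checking the Authenticode signature of each DLL: a patched file fails both checks, while a legitimate vendor update changes the hash but still carries a valid vendor signature.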

The first stage of the malware extracts and runs the payload, a Rust DLL, which in turn retrieves the main SSLoad payload from a remote server. The server details for this step are encoded in an attacker-controlled Telegram channel that serves as a resolver.

The final payload, also written in Rust, digitally fingerprints the compromised system and sends the information as a JSON string to the command and control server (C2), after which the server responds with a command to download additional malware.

“SSLoad demonstrates its ability to conduct reconnaissance, attempt to evade detection, and deploy additional payloads through a variety of delivery methods and techniques,” the researchers noted. They added that dynamic string decryption and anti-debugging measures highlight the sophistication and adaptability of this malware.

In addition, the phishing campaigns have also been observed distributing remote access Trojans such as JScript RAT and Remcos RAT to maintain persistent access and execute commands received from the server.