FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks

July 03, 2024 | Media Room | Malware / SEO Poisoning

The loader-as-a-service (LaaS) known as FakeBat has emerged as one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia show.

“FakeBat mainly focuses on downloading and executing the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the company said in a Tuesday analysis.

Drive-by attacks employ techniques such as search engine optimization (SEO) poisoning, malvertising, and malicious code injected into compromised sites to trick users into downloading bogus software installers or browser updates.

The adoption of malware loaders in recent years coincides with the growing use of landing pages that impersonate legitimate software websites and pass off the loader as the genuine installer. This fits the broader pattern that phishing and social engineering remain the primary methods attackers use to gain initial access.


FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.

The loader is designed to bypass security mechanisms and offers customers options to generate builds from templates that trojanize legitimate software, as well as to monitor installations over time through an administration panel.

While earlier versions used an MSI format for the malware builds, recent updates observed since September 2023 have switched to an MSIX format and added a digital signature to the installer with a valid certificate in order to bypass Microsoft SmartScreen protections.

The malware is sold for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature package.

Sekoia said it identified different activity clusters distributing FakeBat through three main approaches: impersonating popular software via fraudulent Google ads, fake browser updates served from compromised sites, and social engineering schemes on social networks. This includes campaigns likely linked to the FIN7 group, Nitrogen, and BATLOADER.

“Besides hosting payloads, FakeBat [command-and-control] servers most likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location,” Sekoia noted. “This enables the distribution of the malware to specific targets.”

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign distributing another loader called DBatLoader (aka ModiLoader and NatsoLoader) via invoice-themed phishing emails.

It also follows the discovery of infection chains spreading Hijack Loader (aka DOILoader and IDAT Loader) through pirated movie download sites to ultimately deliver the Lumma information stealer.

“This IDATLOADER campaign uses a complex infection sequence incorporating multiple layers of direct code-based obfuscation alongside innovative tactics to further mask the maliciousness of the code,” Kroll researcher Dave Truman explained.


“The infection scheme relied on utilizing Microsoft’s mshta.exe to execute code buried deeply within a specially crafted file posing as a PGP Secret Key. The campaign employed new adaptations of conventional techniques and extensive obfuscation to conceal the malignant code from detection.”

Phishing campaigns have also been observed delivering Remcos RAT, with a new Eastern European threat actor known as Unfurling Hemlock using loaders and emails to distribute binary files that act as a “cluster bomb,” dropping multiple malware strains at once.

“The malware being disseminated through this technique predominantly consists of stealers, like RedLine, RisePro, and Mystic Stealer, and loaders like Amadey and SmokeLoader,” Outpost24 researcher Hector Garcia indicated.

“A majority of the initial stages were discovered being dispatched through email to various enterprises or being delivered from external sites reached by external loaders.”
