The emerging SSLoad malware is being delivered through a previously undocumented loader named PhantomLoader, according to an investigation by cybersecurity company Intezer.
In a report published this week, security researchers Nicole Fishbein and Ryan Robinson said: “The loader is integrated into a legal DLL, generally EDR or AV products, by modifying the file and utilizing self-altering methods to avoid identification.”
SSLoad reaches victims through phishing emails, performs reconnaissance on the infected host, and drops additional malware onto it. Its varied distribution methods suggest it may be offered to other threat actors under a Malware-as-a-Service (MaaS) model.
Earlier reporting from Palo Alto Networks Unit 42 and Securonix documented SSLoad being used to deploy Cobalt Strike, a legitimate adversary simulation framework that is widely abused for post-exploitation. The malware has been observed in the wild since April 2024.
Attack chains typically begin with an MSI installer that, once run, starts the infection. It launches PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a component of the 360 Total Security antivirus product ("MenuEx.dll").
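As an added illustration (not part of Intezer's report or tooling), the following Python script shows two header-level checks a responder can run on a suspect vendor DLL when hunting for the file-patching technique described above: whether the PE CheckSum still matches the file contents, and whether the file carries an Authenticode blob at all. The sample DLL it builds is constructed in memory for the demo and is not a real 360 Total Security file; field offsets follow the published PE/COFF layout.

```python
import struct

# Added example, not Intezer's code: header-level triage for a DLL that may have
# been patched the way PhantomLoader patches a legitimate vendor DLL.
# Two signals are read from the PE headers:
#   1. whether the optional-header CheckSum still matches the file bytes
#      (a patch that does not re-stamp the field leaves it stale), and
#   2. whether the Authenticode (security) data directory is non-empty,
#      i.e. whether the file carries a signature blob at all.
# The sample DLL built below is CONSTRUCTED for the demo, not a real vendor file.

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe_headers(data: bytes) -> dict:
    """Locate the CheckSum field and the security directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dir_base = opt + 96            # data directories start here for PE32
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dir_base = opt + 112           # ... and here for PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_offset = opt + 64         # CheckSum sits at +64 in both variants
    sec_entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sec_offset, sec_size = struct.unpack_from("<II", data, sec_entry)
    return {
        "checksum_offset": checksum_offset,
        "header_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
        # the security entry holds a raw file offset (not an RVA) and a size
        "security_dir": (sec_offset, sec_size),
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Documented PE checksum: fold every 16-bit word with its carry, skipping
    the CheckSum field itself, then add the file length."""
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def stamp_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum into the header (what the linker does at build time)."""
    hdr = parse_pe_headers(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, hdr["checksum_offset"], pe_checksum(data, hdr["checksum_offset"]))
    return bytes(buf)


def assess_dll(data: bytes) -> dict:
    """Return the two triage signals plus an overall flag."""
    hdr = parse_pe_headers(data)
    computed = pe_checksum(data, hdr["checksum_offset"])
    checksum_ok = hdr["header_checksum"] == computed
    has_sig = hdr["security_dir"][1] != 0
    return {
        "checksum_in_header": hdr["header_checksum"],
        "checksum_computed": computed,
        "checksum_matches": checksum_ok,
        "has_authenticode_blob": has_sig,
        "suspicious": not (checksum_ok and has_sig),
    }


def build_sample_dll(body: bytes, signed: bool = False) -> bytes:
    """CONSTRUCTED minimal PE32 DLL image: DOS header, COFF header, optional
    header, an opaque body and (optionally) a dummy certificate blob."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)   # i386, DLL, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    cert = b""
    if signed:
        cert = bytes(0x200)                                          # placeholder WIN_CERTIFICATE blob
        cert_offset = 64 + 4 + 20 + 224 + len(body)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(cert))
    return stamp_checksum(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert)


if __name__ == "__main__":
    clean = build_sample_dll(b"\x90" * 80, signed=True)
    print("clean:  ", assess_dll(clean))
    patched = bytearray(clean)
    patched[330] ^= 0xFF          # simulate a loader patching one byte of code
    print("patched:", assess_dll(bytes(patched)))
```

Both signals are heuristics. The CheckSum field is optional for user-mode binaries and a careful patcher can re-stamp it, and the presence of a certificate blob says nothing about whether the signature still verifies after the file was modified. On a DLL that is supposed to be vendor-signed, either signal is reason enough to pull the file and confirm with signtool verify /pa or Get-AuthenticodeSignature, and to compare its hash against the vendor's clean copy.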
This first-stage component is designed to extract and execute the next payload, a Rust-based downloader DLL, which in turn retrieves the main SSLoad payload from a remote server. The server's details are stored, in encoded form, in an actor-controlled Telegram channel that acts as a dead drop resolver: the downloader reads the channel to learn the current C2 address rather than carrying it hard-coded.
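To make the dead-drop mechanism concrete from the analyst's side, here is an added Python example (not Intezer's code and not the malware's) that takes the HTML of a public Telegram channel preview, finds encoded tokens in the message bodies and keeps those that decode to a URL, which is what the downloader would use as its C2. The report says only that the C2 details are "encoded" in the channel, so plain base64 is assumed here as a stand-in; the channel HTML is constructed for the demo and the decoded host is a documentation address, not a real C2.

```python
import base64
import binascii
import html
import re
from urllib.parse import urlsplit

# Added example, not Intezer's code and not the malware's: the analyst-side view
# of a dead-drop resolver. Given the HTML of a public Telegram channel preview
# (https://t.me/s/<channel>), pull each message body, look for base64-looking
# tokens and keep the ones that decode to a URL.
# ASSUMPTIONS: the report only says the C2 details are "encoded"; plain base64
# is used as a stand-in. The page below is CONSTRUCTED and the decoded host is
# a TEST-NET-3 documentation address, not a real C2.

SAMPLE_HTML = """
<div class="tgme_widget_message_wrap">
  <div class="tgme_widget_message_text js-message_text" dir="auto">Welcome! Updates are posted here.</div>
</div>
<div class="tgme_widget_message_wrap">
  <div class="tgme_widget_message_text js-message_text" dir="auto">#weekly_build_rollout_notes see pinned</div>
</div>
<div class="tgme_widget_message_wrap">
  <div class="tgme_widget_message_text js-message_text" dir="auto">build 0x2f<br/>aHR0cHM6Ly8yMDMuMC4xMTMuNy9hcGkvcmVnaXN0ZXI=</div>
</div>
"""

# message bodies in a t.me/s/<channel> preview page (class name as rendered by Telegram)
MESSAGE_RE = re.compile(r'<div class="tgme_widget_message_text[^"]*"[^>]*>(.*?)</div>', re.S)
TAG_RE = re.compile(r"<[^>]+>")
# standard or url-safe base64 runs long enough to hold a URL
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_=-]{16,}")


def extract_message_texts(page: str) -> list:
    """Return the plain text of every message body on the preview page."""
    return [html.unescape(TAG_RE.sub(" ", body)).strip() for body in MESSAGE_RE.findall(page)]


def decode_candidate(token: str):
    """base64-decode a token (std or url-safe, padding optional) and return it
    only if the result is an http(s) URL; anything else is treated as noise."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        text = base64.b64decode(t, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):          # bad alphabet/padding or not UTF-8
        return None
    parts = urlsplit(text)
    if parts.scheme in ("http", "https") and parts.netloc:
        return text
    return None


def resolve_dead_drop(page: str) -> list:
    """Walk every message, decode every candidate token, collect the URLs found."""
    hits = []
    for text in extract_message_texts(page):
        for token in TOKEN_RE.findall(text):
            url = decode_candidate(token)
            if url:
                hits.append({"token": token, "url": url, "host": urlsplit(url).hostname})
    return hits


if __name__ == "__main__":
    for hit in resolve_dead_drop(SAMPLE_HTML):
        print(f"dead drop resolves to {hit['url']} (host {hit['host']})")
```

In practice the preview page is fetched from a sandbox egress with an ordinary HTTP client and fed to resolve_dead_drop, and the recovered host goes into blocking and hunting. Note the asymmetry this layout creates for defenders: the sample itself only yields the channel URL, which is a durable indicator, while the resolved C2 can be rotated by editing a single channel post.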
The final payload, also written in Rust, fingerprints the compromised host and sends the collected details to the command-and-control (C2) server as a JSON string; the server then responds with a command to download further malware.
“SSLoad demonstrates its ability to gather intelligence, try to avoid detection, and transfer further payloads through different distribution practices and methodologies,” the researchers said, noting that its dynamic string decryption and anti-debugging approaches “underscore its complexity and flexibility.”
The findings coincide with phishing campaigns distributing remote access trojans such as JScript RAT and Remcos RAT, which give attackers persistence on the host and the ability to execute commands received from the server.