Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike
Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver malware called SSLoad.
The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
“SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
“Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection.”
Attack chains involve the use of phishing messages to randomly target organizations in Asia, Europe, and the Americas, with emails containing links that lead to the retrieval of a JavaScript file that kicks off the infection flow.
Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed, one which entails the use of website contact forms to embed booby-trapped URLs and another involving macro-enabled Microsoft Word documents.
The latter is also notable for the fact that malware acts as a conduit for delivering Cobalt Strike, while the former has been used to deliver a different malware called Latrodectus, a likely successor to IcedID.
The obfuscated JavaScript file (“out_czlrh.js”), when launched and run using wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a network share located at “\\wireoneinternet[.]info@80\share\” and runs it using msiexec.exe.
The MSI installer, for its part, contacts an attacker-controlled domain to fetch and execute the SSLoad malware payload using rundll32.exe, following which it beacons to a command-and-control (C2) server along with information about the compromised system.
The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate adversary simulation software, which is then used to download and install ScreenConnect, thereby allowing the threat actors to remotely commandeer the host.
“With full access to the system the threat actors began attempting to acquire credentials and gather other critical system details,” the researchers said. “At this stage they started scanning the victim host for credentials stored in files as well as other potentially sensitive documents.”
The attackers have also been observed pivoting to other systems in the network, including the domain controller, ultimately infiltrating the victim’s Windows domain by creating their own domain administrator account.
“With this level of access, they could get into any connected machine within the domain,” the researchers said. “In the end, this is the worst case scenario for any organization as this level of persistence achieved by the attackers would be incredibly time consuming and costly to remediate.”
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.