An emerging malware family, SSLoad, is being delivered through a previously undocumented loader called PhantomLoader, according to cybersecurity researchers at Intezer.
“The loader integrates into a legitimate DLL, typically found within EDR or AV products, through binary patching and employs self-altering techniques to avoid detection,” security analysts Nicole Fishbein and Ryan Robinson disclosed in a recent report.
SSLoad, likely marketed to other cyber miscreants under a Malware-as-a-Service (MaaS) framework due to its varied dissemination tactics, penetrates systems via phishing emails, performs reconnaissance, and deploys additional malware strains to the compromised hosts.
Previous findings from Palo Alto Networks Unit 42 and Securonix have highlighted SSLoad’s use in deploying Cobalt Strike, a legitimate adversary simulation tool often abused for post-exploitation activity. SSLoad has been observed in the wild since April 2024.
The attack sequence typically begins with an MSI installer which, once executed, launches PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a module of the 360 Total Security antivirus product (“MenuEx.dll”).
The initial stage of the malware is engineered to extract and execute the payload, a Rust-based downloader DLL that subsequently fetches the primary SSLoad payload from a remote server. The server details are encoded within an actor-controlled Telegram channel functioning as a dead drop resolver.
Also crafted in Rust, the ultimate payload fingerprints the compromised system and transmits the data as a JSON string to the command-and-control (C2) server. The server then responds with directives to download further malware.
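The loader described above works by binary-patching a legitimate DLL so that the file name and surrounding product look normal while the code inside has changed. A straightforward defensive counter is a file-integrity baseline: record the SHA-256 of every module in a product's install directory from a known-good install, then flag modules whose hash no longer matches, that have gone missing, or that have appeared without a baseline entry. The following is an added example, not code from Intezer or from any product mentioned on the page; the directory layout, file contents and the baseline dictionary are constructed stand-ins (the file name MenuEx.dll is taken from the page, the bytes are not a real DLL).

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large modules do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_modules(module_dir, baseline):
    """Compare on-disk DLLs against a known-good {name: sha256} baseline.

    Returns {name: reason} for every module that should be investigated:
    'hash mismatch' (possible binary patch), 'missing', or 'not in baseline'.
    """
    findings = {}
    for name, expected in baseline.items():
        path = os.path.join(module_dir, name)
        if not os.path.isfile(path):
            findings[name] = "missing"
        elif sha256_file(path) != expected:
            findings[name] = "hash mismatch"
    # A module the baseline has never seen is just as interesting as a patched one.
    for name in os.listdir(module_dir):
        if name.lower().endswith(".dll") and name not in baseline:
            findings[name] = "not in baseline"
    return findings


def build_demo_install():
    """Construct a fake install directory and a baseline to exercise the check.

    Everything here is constructed sample data: the 'DLLs' are a few bytes each.
    """
    module_dir = tempfile.mkdtemp(prefix="demo_av_")
    clean_menuex = b"MZ\x90\x00constructed-clean-module-bytes"
    clean_core = b"MZ\x90\x00constructed-core-module-bytes"

    # Baseline recorded from the (constructed) known-good install.
    baseline = {
        "MenuEx.dll": hashlib.sha256(clean_menuex).hexdigest(),
        "Core.dll": hashlib.sha256(clean_core).hexdigest(),
        "Updater.dll": hashlib.sha256(b"MZ\x90\x00constructed-updater").hexdigest(),
    }

    # Simulate the post-infection state: MenuEx.dll patched, Core.dll intact,
    # Updater.dll removed, and an unexpected extra module dropped alongside.
    patched_menuex = clean_menuex + b"\x00constructed-patched-tail"
    with open(os.path.join(module_dir, "MenuEx.dll"), "wb") as f:
        f.write(patched_menuex)
    with open(os.path.join(module_dir, "Core.dll"), "wb") as f:
        f.write(clean_core)
    with open(os.path.join(module_dir, "Extra.dll"), "wb") as f:
        f.write(b"MZ\x90\x00constructed-unknown-module")
    return module_dir, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_demo_install()
    for module, reason in sorted(find_suspect_modules(demo_dir, demo_baseline).items()):
        print(f"{module}: {reason}")
```

In production the baseline would come from vendor-published hashes or from a golden image rather than from the same host being checked, and a hash mismatch is a trigger for signature and timeline review, not a verdict on its own, since legitimate updates also change hashes.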
“SSLoad exhibits the ability to perform reconnaissance, elude detection, and deploy additional payloads through various delivery mechanisms and techniques,” the researchers noted, underscoring its dynamic string decryption and anti-debugging features, which “highlight its complexity and adaptability.”
This development comes against a backdrop of phishing campaigns observed spreading remote access trojans such as JScript RAT and Remcos RAT, which give attackers persistent access and the ability to execute commands sent from their server.