SSLoad Malware
Security analysts have unearthed a persistent cyber assault using phishing emails to distribute a malware strain known as SSLoad. Dubbed FROZEN#SHADOW, this campaign employs the Cobalt Strike alongside ConnectWise ScreenConnect for remote desktop access.
SSLoad's primary objective is clandestine infiltration, data exfiltration, and surreptitious communication with its command center. Upon breach, SSLoad installs various backdoors and payloads to ensure long-term presence and evade detection.
Table of Contents
The Different Infection Vectors Utilized by Cybercriminals
Attack chains involve the utilization of phishing messages targeting organizations across Asia, Europe and the Americas. These emails contain links leading to JavaScript files, initiating the infection process.
Previous findings from researchers highlight two distinct distribution methods for SSLoad. One method utilizes website contact forms to embed malicious URLs, while the other employs macro-enabled Microsoft Word documents. Notably, the latter method facilitates the delivery of Cobalt Strike via malware, while the former distributes another malware variant known as Latrodectus, potentially succeeding IcedID.
How Does the SSLoad Attack Operate?
The obscured JavaScript file ('out_czlrh.js') executes through wscript.exe, initiating a process to retrieve an MSI installer file ('slack.msi') from a network share at '\wireoneinternet[.]info@80\share'. Once obtained, the installer utilizes msiexec.exe to run.
Subsequently, the MSI installer establishes contact with a domain controlled by the attacker to acquire and deploy the SSLoad malware payload via rundll32.exe. Following this, the compromised system sends signals to a Command-and-Control (C2) server, transmitting information.
This initial reconnaissance stage sets the stage for Cobalt Strike, a legitimate adversary simulation software, which is employed to download and install ScreenConnect. This enables threat actors to gain remote control over the host.
Attackers Infect Devices Across the Victim’s Network and Compromise Sensitive Data
Having gained complete system access, the threat actors initiate credential acquisition and gather crucial system information. Cybercriminals commence scanning the victim host for stored credentials within files and other potentially sensitive documents.
Furthermore, the attackers pivot to other systems within the network, including the domain controller, ultimately breaching the victim's Windows domain by establishing their own domain administrator account.
This high level of access grants ill-minded actors entry to any connected machine within the domain. Ultimately, this scenario represents the worst-case outcome for any organization, as the persistence achieved by the attackers necessitates extensive time and resources for remediation.
Take Measures against Attack Campaigns Like FROZEN#SHADOW
Phishing remains the top method for threat actors to execute successful breaches, introducing malware and compromising internal systems. It's critical for frontline users to recognize these threats and understand how to identify them. Exercise caution with unsolicited emails, especially those with unexpected content or a sense of urgency.
In terms of prevention and detection, researchers suggest refraining from downloading files or attachments from unknown external sources, particularly if they are unsolicited. Common file types used in attacks include zip, rar, iso, and pdf, with zip files notably utilized in this campaign. Additionally, monitoring commonly targeted malware staging directories is advised, especially for script-related activity in writable directories.
Throughout various phases of the FROZEN#SHADOW campaign, threat actors utilized encrypted channels over port 443 to evade detection. Hence, deploying robust endpoint logging capabilities is strongly recommended, including leveraging additional process-level logging for enhanced detection coverage.
