Cybercrooks use PhantomLoader for spreading SSLoad malware

June 13, 2024

TLDR:

  • Cybercriminals are using PhantomLoader to distribute the SSLoad malware.
  • SSLoad is a nascent malware being spread through phishing emails and other delivery methods.

Cybersecurity firm Intezer has discovered that the SSLoad malware is being distributed through a previously undocumented loader called PhantomLoader. The loader is added to legitimate DLLs so that the tampered file still looks like trusted software and evades detection. SSLoad, likely offered under a Malware-as-a-Service model, infiltrates systems through phishing emails and deploys additional malware on victims. The malware has been detected since April 2024 and has been used to deploy legitimate software such as Cobalt Strike for malicious purposes. The attack chains use an MSI installer to initiate the infection sequence, which leads to the execution of PhantomLoader. The final SSLoad payload fingerprints the compromised system and sends the collected information to a command-and-control server, from which it downloads further malware. The malware gathers reconnaissance and evades detection through dynamic string decryption and anti-debugging measures.
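Because PhantomLoader is grafted onto otherwise legitimate DLLs, one practical defensive check is file-integrity monitoring: record a hash and size baseline of the DLLs on a host and alert on files whose hash changes, especially ones that have grown, which is what appending loader code to an existing binary looks like. The script below is an added example written for this article, not code from Intezer or from the malware analysis; it builds such a baseline over a directory tree, then runs a constructed scenario in a temporary directory in which one DLL-named file is tampered with and a new one appears. File names, contents and the directory layout are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: Path) -> dict:
    """Record hash and size of every .dll under directory (recursive).

    Keys are POSIX-style paths relative to the root so the baseline is portable.
    """
    baseline = {}
    for p in sorted(directory.rglob("*.dll")):
        rel = p.relative_to(directory).as_posix()
        baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare_to_baseline(directory: Path, baseline: dict) -> dict:
    """Re-scan the tree and classify deviations from the stored baseline.

    'modified': hash differs from baseline
    'grown':    hash differs AND the file is larger (consistent with appended code)
    'new':      DLL not present when the baseline was taken
    'missing':  baseline DLL that no longer exists
    """
    current = build_baseline(directory)
    result = {"modified": [], "grown": [], "new": [], "missing": []}
    for name, meta in current.items():
        if name not in baseline:
            result["new"].append(name)
        elif meta["sha256"] != baseline[name]["sha256"]:
            result["modified"].append(name)
            if meta["size"] > baseline[name]["size"]:
                result["grown"].append(name)
    for name in baseline:
        if name not in current:
            result["missing"].append(name)
    return result


def demo() -> dict:
    """Constructed scenario: baseline three DLL-named files, then tamper with one.

    The file bodies are placeholders (an 'MZ' prefix plus padding), not real PE files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor").mkdir()
        for name in ("a.dll", "b.dll", "vendor/c.dll"):
            (root / name).write_bytes(b"MZ" + name.encode() + b"\x00" * 64)
        baseline = build_baseline(root)

        # Simulate a loader being appended to one legitimate DLL (constructed bytes).
        with (root / "vendor" / "c.dll").open("ab") as f:
            f.write(b"\x90" * 32)
        # A DLL that was not present at baseline time.
        (root / "d.dll").write_bytes(b"MZ" + b"\x00" * 16)

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s} {files}")
```

In production the baseline would be taken from a known-good image and stored off-host, and a hash mismatch on a signed vendor DLL is the signal to pull the file for analysis; the size heuristic only narrows the list, since a loader could also overwrite rather than append.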

Phishing campaigns have also been observed distributing remote access trojans alongside SSLoad, enabling persistent operation on compromised systems. This development highlights the adaptability and complexity of SSLoad as a threat. It is essential for organizations to implement robust cybersecurity measures to protect against evolving threats like SSLoad and PhantomLoader.

