New SSLoad Loader Malware Attacking Users to Infiltrate Login Details

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


SSLoad is a sophisticated malware loader that gains initial access to targeted systems mainly through phishing emails. Once inside, it performs reconnaissance on the host and sends the collected information back to its operators.

SSLoad then uses whatever evasion techniques are available to avoid detection while it deploys additional malicious payloads on the system. It is built to deliver malware through multiple channels and uses several encryption techniques along the way.

Cybersecurity researchers at ANY.RUN recently analyzed the new SSLoad malware, which is being used in attacks on users to steal login credentials.

These characteristics indicate that SSLoad is involved in the broader context of Malware-as-a-Service (MaaS).

Technical Analysis

SSLoad is a sophisticated malware loader that emerged in January 2024, distinguished by its complex and evolving attack techniques. 

Security teams find this versatile threat difficult to detect because its delivery methods span phishing emails, decoy documents, DLL side-loading, and malicious MSI installers.

SSLoad is capable across a range of behaviors: system reconnaissance, data exfiltration, persistence for long-term access, evasion, and in-memory execution.

It communicates with command-and-control servers via encrypted protocols to receive instructions and download additional payloads, including Cobalt Strike. 

The malware's tactics have evolved across versions: newer variants load the payload directly into the victim's memory without intermediaries, whereas earlier versions relied on Telegram channels.


This strain's flexibility suggests it is likely offered as Malware-as-a-Service (MaaS), serving several threat actor groups and posing a substantial and persistent threat across the cybersecurity landscape.

SSLoad is distributed via phishing emails and relies on two main techniques for its dissemination:

  • Fake Word documents that load and run malicious DLLs.
  • Fake Azure pages that serve a JavaScript downloader, which in turn fetches an MSI installer.

[Figure: Fake document page (Source – ANY.RUN)]
[Figure: SSLoad process graph with MSI installer (Source – ANY.RUN)]

When triggered, the Rust-based SSLoad payload creates a mutex to prevent multiple instances of itself from running, then carries out system reconnaissance and uploads the collected data to its C2 servers.

Evasion mechanisms observed in SSLoad include checking the debugging flags in the Process Environment Block (PEB), such as the BeingDebugged field that IsDebuggerPresent reads, and using the Windows Task Scheduler to introduce time-based delays before execution.
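As an added illustration for SOC and DFIR readers (this is not code from ANY.RUN's report or from the original article), the Python script below shows how the two delivery chains described above (Office document spawning a DLL loader, and a browser-downloaded JavaScript file launching an MSI installer) and the scheduled-task execution delay could be hunted for in process-creation telemetry. The events, process IDs, file paths and task name are constructed for the example, and the simplified field names (`pid`, `ppid`, `image`, `cmdline`) are assumptions modelled loosely on Sysmon Event ID 1 rather than any product's exact schema.

```python
"""Hunt for SSLoad-style delivery and delay behaviour in process-creation events.

All events below are constructed sample data, not real telemetry. Field names
are a simplified, assumed schema resembling Sysmon Event ID 1.
"""
import re
from typing import Dict, Iterator, List, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Paths a standard user can write to; binaries launched from here are suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)

# Constructed sample events (assumed schema). Chronological order.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 800, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Chain 1: phishing document -> Word -> rundll32 loading a DLL from Temp.
    {"pid": 4100, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\~WRD0001.dll,Entry"},
    # Chain 2: browser -> downloaded JavaScript -> msiexec -> dropped binary -> schtasks delay.
    {"pid": 5200, "ppid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 5210, "ppid": 5200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\AzureLogin.js"},
    {"pid": 5230, "ppid": 5210, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"},
    {"pid": 5250, "ppid": 5230, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "cmdline": "svc.exe"},
    {"pid": 5260, "ppid": 5250, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr C:\Users\u\AppData\Local\Temp\svc.exe /sc once /st 09:35'},
    # Benign: a service creating a recurring task from a system path.
    {"pid": 6000, "ppid": 800, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Maintenance" /tr C:\Windows\System32\cleanmgr.exe /sc daily /st 03:00'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: Dict, by_pid: Dict[int, Dict]) -> Iterator[Dict]:
    """Walk the parent chain via ppid; stops on an unknown parent or a cycle."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def hunt(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for the three SSLoad-style behaviours."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        img = basename(ev["image"])
        cmd = ev["cmdline"].lower()
        parent = by_pid.get(ev["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        lineage = [basename(a["image"]) for a in ancestors(ev, by_pid)]

        # Rule 1: an Office application spawning a DLL loader with a .dll argument.
        if pimg in OFFICE and img in DLL_LOADERS and ".dll" in cmd:
            findings.append(("office_dll_sideload", ev["pid"]))

        # Rule 2: msiexec started by a script host that itself descends from a browser.
        if img == "msiexec.exe" and pimg in SCRIPT_HOSTS and any(a in BROWSERS for a in lineage):
            findings.append(("js_to_msi", ev["pid"]))

        # Rule 3: one-shot scheduled task registered by a binary in a user-writable
        # path or by something installed via msiexec (time-based execution delay).
        from_user_path = bool(parent and USER_WRITABLE.search(parent["image"]))
        if (img == "schtasks.exe" and "/create" in cmd and "/sc once" in cmd
                and (from_user_path or "msiexec.exe" in lineage)):
            findings.append(("delayed_execution_task", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The rules key on process lineage rather than file hashes, so they survive repacking of the loader; the cost is that a legitimate Office add-in launched through rundll32, or a vendor installer that registers a one-shot task, will also trip them and needs an allowlist. Note that the mutex creation and the PEB BeingDebugged check happen in memory and do not appear in process-creation logs at all; those behaviours are only visible through a sandbox run, an EDR's API telemetry, or a debugger.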

Notably, in the analyzed case SSLoad was used to deploy Cobalt Strike payloads, which enable lateral movement inside compromised networks.

SSLoad emerges as a significant cyber security threat by combining evasion tactics with this multi-stage attack chain.

Distribution mechanisms include malicious email attachments, compromised web pages, deceptive scripts, and bundling with seemingly harmless applications.

Detecting these sophisticated methods and their various delivery approaches is challenging.
