SSLoad Malware Spread in Phishing Campaign

Security experts have identified an ongoing attack strategy that utilizes phishing emails to distribute a form of malware known as SSLoad. Dubbed FROZEN#SHADOW by Securonix, this campaign involves deploying Cobalt Strike and ConnectWise ScreenConnect remote desktop software.

According to researchers, SSLoad is engineered to discreetly infiltrate systems, collect sensitive data, and send it back to its operators. Once inside a system, SSLoad establishes multiple backdoors and payloads to remain undetected and persistent.

The attack begins with phishing messages sent randomly to organizations across Asia, Europe, and the Americas. These emails contain links leading to JavaScript files that initiate the infection process.

SSLoad Uses Two Different Distribution Paths

Palo Alto Networks recently uncovered two distribution methods for SSLoad. One involves embedding malicious URLs in website contact forms, while the other employs macro-enabled Microsoft Word documents. The latter method is noteworthy because it not only distributes SSLoad but also facilitates the delivery of Cobalt Strike. Meanwhile, the former has been used to distribute another malware called Latrodectus, potentially succeeding IcedID.

The obfuscated JavaScript file ("out_czlrh.js") retrieves an MSI installer file ("slack.msi") from a network share and executes it. The MSI installer then contacts a domain controlled by the attacker to download and execute the SSLoad malware payload. This payload communicates with a command-and-control server, providing information about the compromised system.

Once the initial reconnaissance is complete, Cobalt Strike is deployed. This legitimate software is used to download and install ScreenConnect, allowing the attackers to take control of the host remotely. With full access to the system, the attackers seek to obtain credentials and other critical system details, scanning for stored credentials and sensitive documents.

The attackers have been observed expanding their access within the network, including to the domain controller, ultimately establishing their own domain administrator account. This level of access enables them to infiltrate any connected machine within the domain, posing a significant challenge for organizations to remediate.

By Zaib
April 25, 2024
Computer Security
English
April 25, 2024
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Error: Ox800VDS Pop-up Scam

1 month ago

Softcnapp Potentially Unwanted Application

2 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

9 months ago

Alrucs Service Trojan

22 days ago

Remor.xyz Browser Hijacker

20 days ago

Related Posts

Malware

FakeCrack Malware Spread Using Crack Sites

Cracked software is used as a lure to spread cryptostealers in a new malicious campaign dubbed FakeCrack. The malicious payloads used in the campaign comprise infostealer malware strains that are capable of stealing... Read more

June 13, 2022
Malware

New SVCReady Spread Through Malspam Campaign

Security experts with the threat research branch of HP published their findings on a new strain of malware, dubbed SVCReady. The malware is being spread using malicious spam email campaigns. The first sighting of... Read more

June 8, 2022
Computer Security

Latrodectus Malware Distributed in Phishing Campaign

Threat investigators have uncovered a newly identified malware named Latrodectus, which has been distributed through email phishing campaigns since at least late November 2023. Described as an emerging downloader with... Read more

April 8, 2024
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.