SSLoad Malware Spread in Phishing Campaign

Security researchers have identified an ongoing campaign that uses phishing emails to distribute a piece of malware known as SSLoad. Securonix tracks the campaign as FROZEN#SHADOW; after the initial infection it goes on to deploy Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.

According to researchers, SSLoad is engineered to discreetly infiltrate systems, collect sensitive data, and send it back to its operators. Once inside a system, SSLoad establishes multiple backdoors and payloads to remain undetected and persistent.

The attack begins with phishing messages sent indiscriminately to organizations across Asia, Europe, and the Americas. These emails contain links leading to JavaScript files that initiate the infection process.

SSLoad Uses Two Different Distribution Paths

Palo Alto Networks recently uncovered two distribution methods for SSLoad. One embeds malicious URLs in website contact forms, while the other relies on macro-enabled Microsoft Word documents. The latter method is noteworthy because it not only distributes SSLoad but also facilitates the delivery of Cobalt Strike. Meanwhile, the former has been used to distribute another malware family called Latrodectus, which is thought to be a successor to IcedID.

The obfuscated JavaScript file ("out_czlrh.js") retrieves an MSI installer file ("slack.msi") from a network share and executes it. The MSI installer then contacts a domain controlled by the attacker to download and execute the SSLoad malware payload. This payload communicates with a command-and-control server, providing information about the compromised system.

Once the initial reconnaissance is complete, Cobalt Strike is deployed. This legitimate penetration-testing software is used to download and install ScreenConnect, allowing the attackers to take control of the host remotely. With full access to the system, the attackers hunt for stored credentials, sensitive documents, and other critical system details.

The attackers have been observed expanding their access within the network, including to the domain controller, and ultimately creating their own domain administrator account. This level of access lets them reach any machine joined to the domain and makes remediation significantly harder for the affected organization.
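Two points in the chain above are observable on an endpoint with ordinary Windows telemetry: the Windows script host launching msiexec against an installer on a network share (the "out_czlrh.js" to "slack.msi" step), and a freshly created account being added to Domain Admins (the final step). The following detection sketch, added here as an illustration and not part of the Securonix report or any vendor's rule set, runs both checks over a handful of constructed log lines. It assumes a flattened key=value export of Sysmon process-creation events (Event ID 1 with Image, CommandLine, ParentImage) and Windows Security events 4720 (user account created) and 4728/4756 (member added to a security-enabled global/universal group); the host name, user names and paths in the sample lines are made up.

```python
import re

# Key="quoted value" or Key=bare pairs, as in a flattened Sysmon / Security log export.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# UNC prefix \\host\share at the start of a path argument.
_UNC = re.compile(r'\\\\[^\\\s"]+\\')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# 4728: member added to security-enabled global group; 4756: universal group.
GROUP_ADD_EVENT_IDS = {"4728", "4756"}

# Constructed sample events (not taken from the article); the host, users and
# local paths are placeholders chosen for the example.
SAMPLE_EVENTS = [
    # The browser hands the downloaded JavaScript to the Windows script host.
    'EventID=1 Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe C:\\Users\\alice\\Downloads\\out_czlrh.js" ParentImage="C:\\Program Files\\Mozilla Firefox\\firefox.exe"',
    # The script host runs the MSI installer straight from a network share.
    'EventID=1 Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i \\\\fileserver.example\\share\\slack.msi /qn" ParentImage="C:\\Windows\\System32\\wscript.exe"',
    # Benign: a user installs an MSI from a local folder via Explorer.
    'EventID=1 Image="C:\\Windows\\System32\\msiexec.exe" CommandLine="msiexec.exe /i C:\\Users\\bob\\Downloads\\tool.msi" ParentImage="C:\\Windows\\explorer.exe"',
    # A new account is created under a compromised user, then made Domain Admin.
    'EventID=4720 SubjectUserName=alice TargetUserName=svc-backup',
    'EventID=4728 SubjectUserName=alice TargetUserName="Domain Admins" MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example"',
    # Benign: a long-standing account is added to Domain Admins (no matching 4720).
    'EventID=4728 SubjectUserName=it-admin TargetUserName="Domain Admins" MemberName="CN=jsmith,CN=Users,DC=corp,DC=example"',
]


def parse_event(line):
    """Parse one flattened key=value event line into a dict, stripping quotes."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_launched_msi_from_share(ev):
    """wscript/cscript spawning msiexec with a UNC installer path."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    return parent in SCRIPT_HOSTS and image == "msiexec.exe" and _UNC.search(cmd) is not None


def member_sam(dn):
    """Extract the CN (account name) from a distinguished name in MemberName."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return (m.group(1) if m else dn).lower()


def new_accounts_made_domain_admin(events):
    """Correlate 4720 (account created) with a later add to Domain Admins.

    Returns (account, creator, adder) tuples; accounts with no 4720 in the
    window are ignored, so routine membership changes do not fire.
    """
    created = {}  # account name -> SubjectUserName that created it
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "4720":
            created[ev.get("TargetUserName", "").lower()] = ev.get("SubjectUserName", "")
        elif eid in GROUP_ADD_EVENT_IDS and ev.get("TargetUserName", "").lower() == "domain admins":
            member = member_sam(ev.get("MemberName", ""))
            if member in created:
                hits.append((member, created[member], ev.get("SubjectUserName", "")))
    return hits


def detect(lines):
    """Run both rules over raw log lines and return human-readable alerts."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for ev in events:
        if script_host_launched_msi_from_share(ev):
            alerts.append(f"{basename(ev['ParentImage'])} ran msiexec from a share: {ev['CommandLine']}")
    for member, creator, adder in new_accounts_made_domain_admin(events):
        alerts.append(f"new account {member} (created by {creator}) added to Domain Admins by {adder}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first rule keys on the parent/child relationship rather than on file names, so it still fires when the script and installer are renamed; the second rule deliberately requires the 4720 creation event in the same window, which is what separates the attacker's self-provisioned administrator from an IT team's routine group change.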

April 25, 2024