SSLoad Malware Utilizes MSI Installer to Initiate Delivery Chain



Malware distributors favour MSI packages because they look like ordinary software installers, are processed by the Windows Installer service (msiexec.exe, a signed Microsoft binary), and routinely request the administrative rights a user expects an installer to need, so the UAC prompt raises no suspicion. That makes MSI files a convenient wrapper for ransomware, spyware and other malicious software disguised as a legitimate installation.

Recently, cybersecurity researchers at Intezer found that SSLoad malware utilizes MSI installers to initiate its delivery chain.

SSLoad Malware

SSLoad is a loader: malware whose job is to gain a foothold on a system, fingerprint it and fetch further payloads for its operators, who then use that access to steal sensitive information, move deeper into the environment or disrupt normal operations. It is notable for using MSI installers to start its delivery chain, as discovered by cybersecurity researchers at Intezer.

In a recent campaign involving SSLoad, a decoy Word document carried an SSLoad DLL, which triggered Cobalt Strike upon execution. Additionally, a phishing email led to a fake Azure page, where victims unwittingly downloaded a JavaScript script and an MSI installer to load the SSLoad payload.

Since April 2024, SSLoad has been targeting victims using various delivery methods, suggesting its use for Malware-as-a-Service (MaaS) purposes and showcasing its versatility.

Researchers analyzed an MSI installer responsible for initiating a delivery chain with multiple loaders, ultimately deploying the final SSLoad payload.

The first stage, PhantomLoader, is a 32-bit C/C++ DLL that uses self-modifying code and XOR decryption to evade static detection and unpack the next loader stage in memory.

The subsequent loader then loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL, which serves as a dead drop to retrieve the command-and-control server address.

The C2 decoder routine decrypts the C2 address and the User-Agent string, then issues an HTTP GET request to the C2 server to download the next payload stage.

This SSLoad variant uses an unusual string-decryption scheme built on RC4: every encrypted string carries its own distinct key, stored alongside the ciphertext in the same blob.

The key is taken from the first 6 and last 7 bytes of the encoded blob; the bytes between them are the encrypted string, whose length is computed from the blob size. That middle part is Base64-decoded and then RC4-decrypted with the derived key, which in this case yields the Telegram channel URL.

The payload is another Rust binary that implements several evasion techniques: it creates a mutex as an anti-analysis measure, checks for a debugger, loads DLLs dynamically, and derives rolling XOR keys through arithmetic operations so that each string is decoded with a different key.

It also uses RtlGenRandom to generate a unique folder name, resolves API calls at runtime by hashing module and function names rather than importing them, and employs common malware tricks such as manipulating the PEB for evasion.
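The API-hashing trick described above hides the functions a loader calls from the import table, so an analyst has to precompute the hashes of known exports to recover them. The following is an added example, not code from the page or from Intezer: a ROR-13 hash, a constructed stand-in for the export tables the loader would walk, the runtime lookup the malware performs, and the reverse table an analyst builds. The ROR-13 hash, the uppercase normalisation of the module name and the export lists are all assumptions; the article does not say which hash SSLoad actually uses.

```python
"""Added example (not SSLoad's or Intezer's code): API resolution by name hashing.
The hash function and export lists below are assumptions for illustration."""


def ror13_hash(name: str) -> int:
    """Classic ROR-13 string hash over the ASCII bytes (assumed; the real hash may differ)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 on 32 bits
        h = (h + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """Combine module and function hashes, mirroring 'hashing module and function names'.
    Uppercasing the module name is an assumed normalisation, not something the page states."""
    return (ror13_hash(module.upper()) + ror13_hash(function)) & 0xFFFFFFFF


# Constructed stand-in for the export tables a loader would reach via the PEB's module list.
FAKE_EXPORTS = {
    "kernel32.dll": ["CreateMutexW", "IsDebuggerPresent", "LoadLibraryA", "GetProcAddress"],
    "advapi32.dll": ["SystemFunction036"],   # the export name behind RtlGenRandom
    "wininet.dll": ["InternetOpenA", "HttpOpenRequestA"],
}


def resolve(target_hash: int, exports=FAKE_EXPORTS):
    """What the malware does at runtime: walk every module's exports until a hash matches.
    Returns (module, function) or None if nothing in the loaded modules matches."""
    for module, names in exports.items():
        for fn in names:
            if api_hash(module, fn) == target_hash:
                return module, fn
    return None


def build_rainbow(exports=FAKE_EXPORTS) -> dict:
    """What the analyst does: precompute hash -> (module, function) for every known export,
    then look up the constants seen in the disassembly."""
    table = {}
    for module, names in exports.items():
        for fn in names:
            h = api_hash(module, fn)
            assert h not in table, f"hash collision on {module}!{fn}"
            table[h] = (module, fn)
    return table


if __name__ == "__main__":
    wanted = api_hash("advapi32.dll", "SystemFunction036")
    print(hex(wanted), resolve(wanted), build_rainbow()[wanted])
```

In practice the analyst feeds `build_rainbow` the real export lists dumped from the DLLs on a reference system, then replaces every hash constant in the disassembly with the resolved name.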

The JSON host fingerprint is sent to the C2 over HTTP POST; SSLoad then polls for work by sending a further POST request that carries its unique host identifier.

If a task is available, the C2 responds with a job structure that is RC4-encrypted and Base64-encoded, consisting of a command (only "exe", used to download a payload, is currently in use) and its arguments.
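The two RC4 uses described above, the per-string decryption (key from the first 6 and last 7 bytes of the blob, Base64 in between) and the Base64-plus-RC4 job structure, share one primitive, so this added example implements them together. It is not code from the page or from Intezer. The blob layout (key head, Base64 ciphertext, key tail), the JSON field names `command` and `args`, and every sample value are assumptions; the real binary's exact layout and the job key are not given in the article.

```python
"""Added example (not SSLoad's or Intezer's code): RC4 string blobs and C2 job decoding.
Blob layout, JSON field names and sample data are assumptions for illustration."""
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY_HEAD, KEY_TAIL = 6, 7   # from the text: first 6 + last 7 bytes of the blob form the key


def decrypt_blob(blob: bytes) -> bytes:
    """Decrypt one per-string blob.
    Assumed layout: <6 key bytes><Base64(RC4(key, plaintext))><7 key bytes>."""
    if len(blob) <= KEY_HEAD + KEY_TAIL:
        raise ValueError("blob too short to hold a 13-byte key plus ciphertext")
    key = blob[:KEY_HEAD] + blob[-KEY_TAIL:]
    enc_len = len(blob) - KEY_HEAD - KEY_TAIL          # 'calculate the encrypted string's length'
    ciphertext = base64.b64decode(blob[KEY_HEAD:KEY_HEAD + enc_len], validate=True)
    return rc4(key, ciphertext)


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of decrypt_blob; only used here to build constructed test data."""
    if len(key) != KEY_HEAD + KEY_TAIL:
        raise ValueError("key must be exactly 13 bytes")
    return key[:KEY_HEAD] + base64.b64encode(rc4(key, plaintext)) + key[KEY_HEAD:]


def encode_job(key: bytes, job: dict) -> bytes:
    """Build a C2 task response the way the text describes it: JSON -> RC4 -> Base64 (constructed)."""
    return base64.b64encode(rc4(key, json.dumps(job).encode()))


def decode_job(key: bytes, response: bytes) -> dict:
    """Decode a C2 task response: Base64 -> RC4 -> JSON. Field names are assumed.
    Only the 'exe' command (download a payload) is accepted, matching what the text reports."""
    job = json.loads(rc4(key, base64.b64decode(response)))
    if job.get("command") != "exe":
        raise ValueError(f"unsupported command: {job.get('command')!r}")
    return job


if __name__ == "__main__":
    # Constructed sample: a 13-byte key wrapped around a placeholder dead-drop URL.
    blob = encrypt_blob(b"ABCDEFGHIJKLM", b"https://t.me/example_channel")
    print(blob, "->", decrypt_blob(blob))
    job_key = b"constructed-k"
    resp = encode_job(job_key, {"command": "exe", "args": ["http://example.invalid/stage.bin"]})
    print(decode_job(job_key, resp))
```

When triaging a sample, the first thing to check is whether the keystream really is RC4 and the key really sits at those offsets: a known RC4 test vector (such as key "Key", plaintext "Plaintext") confirms the primitive before any blob-layout assumption is trusted.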

The campaign also shows how elaborate the chain has become: a Rust downloader built around dynamic string decryption, fronted by a new loader with its own anti-debugging checks. Countering campaigns of this sophistication requires continuous monitoring and advanced threat detection.

IOCs

Files

90f1511223698f33a086337a6875db3b5d6fbcce06f3195cdd6a8efa90091750  MSI Installer
09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c  PhantomLoader
73774861d946d62c2105fef4718683796cb77de7ed42edaec7affcee5eb0a0ee  PhantomLoader
6aa3daefee979a0efbd30de15a1fc7c0d05a6e8e3f439d5af3982878c3901a1c  Second stage of the PhantomLoader
265514c8b91b96062fd2960d52ee09d67ea081c56ebadd7a8661f479124133e9  SSLoad Downloader
6329244cfb3480eae11070f1aa880bff2fd52b374e12ac37f1eacb6379c72b80  SSLoad Payload

Network

https://t[.]me/+st2YadnCIU1iNmQy
85.239.53[.]219


About the Author:

FirstHackersNews- Identifies Security
