SSLoad Malware Utilizes MSI Installer to Initiate Delivery Chain

Home/BOTNET, Compromised, Exploitation, malicious cyber actors, Malware, Security Advisory, Security Update/SSLoad Malware Utilizes MSI Installer to Initiate Delivery Chain

SSLoad Malware Utilizes MSI Installer to Initiate Delivery Chain

Malware distributors exploit MSI installers because Windows OS inherently trusts them to run with administrative rights, bypassing security controls. This makes MSI files a convenient method for disseminating ransomware, spyware, and other malicious software under the guise of legitimate installations.

Recently, cybersecurity researchers at Intezer found that SSLoad malware utilizes MSI installers to initiate its delivery chain.

SSLoad Malware

SSLoad Malware is a type of malicious software designed to infiltrate computer systems and carry out various harmful actions. It may be used by cybercriminals to steal sensitive information, gain unauthorized access to systems, or disrupt normal operations. SSLoad malware is notable for its use of MSI installers as a means of initiating its delivery chain, as discovered by cybersecurity researchers at Intezer.

In a recent campaign involving SSLoad, a decoy Word document carried an SSLoad DLL, which triggered Cobalt Strike upon execution. Additionally, a phishing email led to a fake Azure page, where victims unwittingly downloaded a JavaScript script and an MSI installer to load the SSLoad payload.

Since April 2024, SSLoad has been targeting victims using various delivery methods, suggesting its use for Malware-as-a-Service (MaaS) purposes and showcasing its versatility.

Researchers analyzed an MSI installer responsible for initiating a delivery chain with multiple loaders, ultimately deploying the final SSLoad payload.

The initial PhantomLoader, a 32-bit C/C++ DLL, employs self-modifying techniques and XOR decryption to bypass security measures and crack into the next loader stage.

The subsequent loader then loads the SSLoad payload, a 32-bit Rust DLL. SSLoad decrypts a Telegram channel URL, which serves as a dead drop to retrieve the command-and-control server address.

The C2 decoder decrypts the C2 address and user agent and sends an HTTP GET request to download the next payload stage from the C2 server.

This SSLoad variant employs a unique decryption method with the RC4 algorithm. Each string is encrypted with its own distinct key, stored alongside it.

The key is derived from the first 6 and last 7 bytes of the encoded blob. After calculating the encrypted string’s length, it is Base64 decoded and decrypted with RC4 using the derived key, extracting the Telegram channel URL.

The payload is another Rust file that implements various evasion techniques, including creating a mutex for anti-analysis, checking for debugging, dynamically loading DLLs, and deriving rolling XOR keys through arithmetic operations to decode strings uniquely.

Additionally, it utilizes RtlGenRandom for unique folder naming, dynamically resolves library calls by hashing module and function names, and employs common malware techniques like manipulating the PEB for evasion.

The JSON fingerprint is sent to the C2 using HTTP POST, and Load makes an HTTP request containing the host ID. The client checks for available tasks by sending a POST request with a unique SSLoad host identifier.

Based on task availability, the C2 responds with an encrypted job structure in RC4 and base64 encoded format, with a command (only “exe” is currently used for downloading payloads) and arguments.

It also demonstrates how complex it can be as shown by its use of Rust downloader, which is made up of dynamic string decryption and a new loader that includes an anti-debugging mechanism in place. To combat such intricate malware campaigns effectively, continued monitoring and advanced threat detection are required.



90f1511223698f33a086337a6875db3b5d6fbcce06f3195cdd6a8efa90091750MSI Installer
6aa3daefee979a0efbd30de15a1fc7c0d05a6e8e3f439d5af3982878c3901a1cSecond stage of the PhantomLoader
265514c8b91b96062fd2960d52ee09d67ea081c56ebadd7a8661f479124133e9SSLoad Downaloder
6329244cfb3480eae11070f1aa880bff2fd52b374e12ac37f1eacb6379c72b80SSLoad Payload



‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!