The cybersecurity company Any.Run has published a detailed analysis of how attackers are using a little-known loader called PhantomLoader to infect PCs with the SSLoad malware, a capable loader noted for its ability to evade security controls and analysis. The two are delivered together through a phishing campaign that tricks the victim into downloading a Word document carrying malicious code.
PhantomLoader is a malicious loader that hides inside a DLL or .exe file. In this campaign it is installed as a file named “WINWORD.EXE” that poses as part of the legitimate “360 Total Security” antivirus; the genuine file has been binary-patched so that it carries and unpacks the malicious code. The loader “is added to a legitimate DLL file by applying a binary patch to the file and using self-modification techniques to evade detection,” according to security analysts at Intezer.
Any.Run defines it as follows: “What makes PhantomLoader unique is that it was added to be part of a legitimate DLL or executable of known software by applying a binary patch to the DLL or executable and adding a self-modification technique. The latter decrypts a fragment of embedded code, which SSLoad then decrypts and loads into memory,” they explain.
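The two signals a defender can act on from that description are generic: a vendor file that has been binary-patched no longer hashes to the value the vendor shipped, and the encrypted code fragment spliced into it shows up as a region of near-random bytes where the genuine file has none. The following Python is an added example, not code from Any.Run, Intezer or the malware authors; it does not parse a real PE file. The “genuine” file, the “patched” copy with a pseudo-encrypted blob at offset 2048, and the allowlist entry for the name WINWORD.EXE are all constructed here to exercise the checks.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins (not real PE files). KNOWN_GOOD plays the role of the
# vendor-shipped file; PATCHED is the same bytes with an "encrypted" blob spliced in,
# mimicking a binary patch that embeds a packed payload.
KNOWN_GOOD = bytes(range(16)) * 256          # 4096 predictable, low-entropy bytes


def _pseudo_encrypted_blob(size: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an
    encrypted payload. Constructed for the example; not a real sample."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(b"phantom-example:" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


PATCH_OFFSET = 2048
PATCHED = KNOWN_GOOD[:PATCH_OFFSET] + _pseudo_encrypted_blob(1024) + KNOWN_GOOD[PATCH_OFFSET:]

# Allowlist of file name -> SHA-256 of the vendor's genuine file (constructed here;
# in practice this comes from the vendor or from a known-good install).
ALLOWLIST = {"WINWORD.EXE": hashlib.sha256(KNOWN_GOOD).hexdigest()}


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte in [0, 8]; 8.0 means every byte value is equally frequent."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 6.5):
    """(offset, entropy) for fixed-size windows whose entropy exceeds the threshold.
    Encrypted or compressed code looks random (close to 8.0); ordinary code and
    data in a legitimate binary sit well below that."""
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def check_file(name: str, data: bytes) -> dict:
    """Two independent tamper signals: the file's hash no longer matches the vendor
    allowlist, and it contains regions of near-random bytes."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "hash_matches_allowlist": ALLOWLIST.get(name) == digest,
        "high_entropy_regions": high_entropy_windows(data),
    }


if __name__ == "__main__":
    for label, blob in (("genuine", KNOWN_GOOD), ("patched", PATCHED)):
        result = check_file("WINWORD.EXE", blob)
        print(label, result["hash_matches_allowlist"], result["high_entropy_regions"])
```

On the constructed input the genuine copy matches the allowlist and produces no flagged windows, while the patched copy fails the hash check and is flagged at offsets 2048 and 2560, exactly where the blob was spliced in. On a real binary the same idea applies per PE section (or, better, by verifying the file's Authenticode signature, which a byte-level patch breaks); the threshold and window size should be tuned against the vendor's genuine files, since packed but legitimate resources can also score high.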
SSLoad, on the other hand, is a better-known malware written in Rust that is likewise built to go unnoticed on the infected device. It changes its behavior if it detects that other software, such as an antivirus, is analyzing it, stopping or altering its processes to avoid detection.
Chronology
Infection with this technique, using the components described above, proceeds through the following steps:
- Phishing attack
- Installing PhantomLoader impersonating an antivirus
- Running SSLoad
- SSLoad collects information about the system
- Data transmission between the infected computer and cybercriminals
First, a phishing email gets the victim to download a malicious Word document. If the user opens it, it installs the PhantomLoader and SSLoad files on the computer.
Once installed, SSLoad collects information about the operating system and its configuration so that it can adapt to the environment and behave differently depending on the victim’s OS. It then connects to the attackers’ command-and-control (C2) server over an encrypted channel, so that network security tools do not see the traffic in the clear and are less likely to flag it as suspicious.
Once the channel to the attackers’ servers is established, they can use it to push additional malware, steal data, or carry out other activity on the infected computer, depending on their goals.
The analysis of this malware once again underlines the importance of not downloading and running files from sources we do not know, as well as the need for antivirus software to recognize new malicious programs designed to go unnoticed.