MintsLoader is a malware loader used to deliver GhostWeaver, a PowerShell-based remote access trojan. The infection process involves multiple stages, utilizing obfuscated JavaScript and PowerShell scripts to avoid detection. MintsLoader employs techniques like sandbox and virtual machine evasion, domain generation algorithms (DGA), and HTTP-based command-and-control (C2) communications. These tactics make it difficult for security systems to analyze and detect the malware effectively, allowing it to execute successfully in targeted environments.
Phishing and drive-by download campaigns distributing MintsLoader have been active since early 2023, according to Orange Cyberdefense. It has been used by e-crime threat actors, including groups like SocGholish and LandUpdate808, targeting industries like legal, industrial, and energy sectors. These campaigns are often delivered through phishing emails with fake browser update prompts, tricking victims into downloading malicious payloads. In some cases, MintsLoader has been found distributing additional malware, such as StealC and modified BOINC clients, to extend the attack chain.
The malware’s capabilities are enhanced by social engineering techniques like ClickFix, which deceive users into executing malicious JavaScript and PowerShell code. Spam emails containing links to ClickFix pages are used to lure users into initiating the attack. MintsLoader primarily serves as a loader, responsible for downloading the next-stage payload, which is often GhostWeaver. Through its DGA implementation, the malware generates C2 domains based on the day of execution, further obfuscating its activity and making detection more challenging.
GhostWeaver itself is a persistent trojan that communicates with its C2 server using TLS encryption and a self-signed X.509 certificate. It can steal browser data, manipulate HTML content, and deploy additional payloads, including MintsLoader. This malware can also be used to facilitate other attacks, such as those identified in the CLEARFAKE campaign. In this campaign, attackers use ClickFix to deliver MSHTA commands that deploy the Lumma Stealer malware, highlighting the versatility of these malware tools in large-scale cybercrime operations.
