Analysis Summary

Cybersecurity experts have found evidence of a persistent attack campaign that uses phishing emails to spread SSLoad malware. The campaign dubbed FROZEN#SHADOW also includes the use of the ConnectWise ScreenConnect remote desktop software and Cobalt Strike.

SSLoad is engineered to surreptitiously enter networks, obtain confidential data, and relay its discoveries to its administrators. To be persistent and evade detection, SSLoad installs several backdoors and payloads once inside the system. Phishing emails with links that download a JavaScript file that starts the infection process are used in attack chains to target companies in Asia, Europe, and the Americas at random.

The researchers said, “The malware is typically introduced into the system through phishing email campaigns.”

Earlier this month, Palo Alto Networks uncovered at least two different methods by which SSLoad is distributed, one which entails the use of website contact forms to embed booby-trapped URLs and another involving macro-enabled Microsoft Word documents. Notably, the latter serves as a delivery mechanism for Cobalt Strike, whilst the former has been utilized to spread a distinct malware known as Latrodectus, which is most likely IcedID's replacement.

When the obfuscated JavaScript file ("out_czlrh.js") is launched and executed using wscript.exe, it connects to a network share to retrieve an MSI installer file ("slack.msi"), which is then executed by msiexec.exe. On the other hand, the MSI installer makes contact with an attacker-controlled domain to retrieve and launch the SSLoad malware payload using rundll32.exe. Subsequently, it sends information about the compromised machine to a command-and-control (C2) server.

The threat actors can remotely take over the host by using Cobalt Strike, a genuine adversary simulation program, to download and install ScreenConnect after the first reconnaissance phase. The threat actors started trying to obtain credentials and gather other important system facts when they had complete access to the system. At this point, they began searching the target host's files for credentials and other potentially private information.

The attackers have also been shown to switch to different systems within the network, such as the domain controller, and eventually get access to the victim's Windows domain by making a domain administrator account of their own. They could access any linked machine within the domain with this degree of access. This is ultimately the worst-case situation for any firm because it would take a great deal of time and money to address the attackers' degree of persistence.

Impact

• Sensitive Data Theft
• Unauthorized Remote Access
• Credential Theft
• Privilege Escalation

Indicators of Compromise

SHA1

• 1c2be6b4de1a51fede475aa4778fee9ae4e3b6d7
• 1df86a1625b0fddd885e8763f416948d8e3863b5
• 5d5864f42ab23e1f3a7fd3ded9ed31dac32bfea3
• fd19c966e5eee62f05ee44df25bcd79493567a09
• 7ba89be2538e558a416fa7730b683a1a71ec223b
• ba4aa429f298d10cd92f91af89d979142dd1da49
• c9b14c63d98a363e1b604aad59bb8f4142326feb
• fa55affc926adc1c5495a85d30df5a17f079bce1
• 1f35835a08f96fd9198864b8ded5baa1a27db710
• d394c7b8fe15753bfbff79fb4f648f6f8bae70f9

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.