PhantomLoader Used to Spread SSLoad Malware

Cybercriminals are using a newly discovered loader called PhantomLoader to distribute the nascent malware SSLoad, according to a report.

Researchers reported that PhantomLoader is integrated into legitimate DLLs, often those belonging to EDR or AV products, through binary patching and self-modifying techniques to evade detection.

SSLoad, which is likely marketed under a Malware-as-a-Service (MaaS) model given its various delivery methods, infiltrates systems via phishing emails, conducts reconnaissance, and installs additional malware.

Previous investigations revealed that SSLoad is used to deploy Cobalt Strike, a legitimate adversary simulation software frequently utilized for post-exploitation activities. SSLoad has been active since April 2024.

The attack sequence typically begins with an MSI installer that initiates the infection process, leading to the execution of PhantomLoader, a 32-bit DLL written in C/C++ and disguised as a DLL module for the antivirus software 360 Total Security (“MenuEx.dll”).

The first-stage malware extracts and runs a Rust-based downloader DLL, which retrieves the main SSLoad payload from a remote server. The server details are encoded in an actor-controlled Telegram channel serving as a dead drop resolver.

The final payload, also written in Rust, fingerprints the compromised system and sends the information as a JSON string to the command-and-control (C2) server. The server then responds with commands to download additional malware.

SSLoad showcases its ability to gather reconnaissance, evade detection, and deploy further payloads through various delivery methods and techniques. Its dynamic string decryption and anti-debugging measures underscore its complexity and adaptability.

This development coincides with ongoing phishing campaigns that distribute remote access trojans such as JScript RAT and Remcos RAT, facilitating persistent operations and command execution from the server.

To protect against SSLoad malware, be vigilant with email security and avoid opening attachments or clicking links from unknown sources. Employ advanced email filtering to detect and block phishing attempts. Ensure all software, especially antivirus and endpoint detection and response (EDR) tools, is regularly updated.
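
As an added detection example (not code from the report or from any vendor), the Python below checks image-load telemetry for a DLL that carries the antivirus module name mentioned above ("MenuEx.dll") but is loaded from outside the vendor's directory or without a valid signature. It assumes events shaped like Sysmon Event ID 7 records, that a disguised or patched copy will not carry the vendor's valid signature, and a placeholder install path for 360 Total Security; the sample events are constructed.

```python
from ntpath import basename, normcase

# Assumption: the module name comes from the article; the install directory
# is a placeholder to replace with the real path used in your environment.
WATCHED = {"menuex.dll": [r"C:\Program Files (x86)\360\Total Security"]}

def under(path, root):
    """True if path lies inside root (case-insensitive, Windows separators)."""
    root = normcase(root).rstrip("\\") + "\\"
    return normcase(path).startswith(root)

def suspicious_loads(events):
    """Return (event, reasons) for each load of a watched DLL name that is
    outside its expected directory or lacks a valid signature."""
    findings = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        roots = WATCHED.get(basename(loaded).lower())
        if roots is None:
            continue  # not a module name we track
        reasons = []
        if not any(under(loaded, r) for r in roots):
            reasons.append("unexpected_path")
        signed = ev.get("Signed", "false").lower() == "true"
        if not signed or ev.get("SignatureStatus") != "Valid":
            reasons.append("bad_signature")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample events (field names modeled on Sysmon Event ID 7).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MenuEx.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files (x86)\360\Total Security\MenuEx.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"c:\program files (x86)\360\total security\menuex.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(ev["ImageLoaded"], "loaded by", ev["Image"], "->", ", ".join(reasons))
```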