Cybersecurity researchers at Intezer have found that malware distributors are increasingly using MSI installers to spread ransomware, spyware, and other malicious software. The trend is driven by the fact that Windows inherently trusts MSI files to run with administrative rights, letting them bypass security controls and making them a convenient medium for malware distribution.
One particular malware known as SSLoad has been identified as utilizing MSI installers as part of its delivery chain. SSLoad is a silent malware that engages in system infiltration, information gathering, and payload delivery. The malware has been actively targeting victims since April 2024, with multiple delivery methods suggesting its use for Malware as a Service (MaaS) purposes.
The researchers at Intezer analyzed an MSI installer used by SSLoad that initiates a delivery chain involving multiple loaders to deploy the final payload. The first loader, known as PhantomLoader, is a 32-bit C/C++ DLL that employs self-modifying techniques and XOR decryption to decrypt the next loader stage. The second loader then loads the SSLoad payload, a 32-bit Rust DLL that decrypts a Telegram channel URL used as a dead drop to retrieve the command-and-control server address.
This variant of SSLoad utilizes a custom method to decrypt strings using the RC4 algorithm, with each string encrypted with a distinct key stored alongside it. The malware also creates a mutex for anti-analysis, checks for debugging, dynamically loads DLLs, and employs various evasion techniques to avoid detection. It uses unique folder naming, resolves library calls dynamically by hashing module and function names, and manipulates the PEB for evasion.
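The per-string-key RC4 scheme described above, as an added analyst-side example that is neither Intezer's code nor anything taken from SSLoad: a decryptor that walks a string table in which every record carries its own RC4 key next to the ciphertext, and refuses truncated or empty-key records rather than emitting garbage. The record layout (one-byte key length, key, two-byte little-endian ciphertext length, ciphertext) and the sample strings are assumptions constructed for illustration; a real sample's layout has to be read from the disassembly.

```python
import struct

# Added example, not Intezer's or SSLoad's code. The record layout (u8 key
# length, key, u16 LE ciphertext length, ciphertext) is an assumption.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pack_record(key: bytes, plaintext: bytes) -> bytes:
    """Build one record in the assumed layout; used only to construct sample data."""
    ct = rc4(key, plaintext)
    return struct.pack("<B", len(key)) + key + struct.pack("<H", len(ct)) + ct

def decrypt_string_table(blob: bytes) -> list[str]:
    """Walk the table record by record, decrypting each string with its own key.
    Truncated or empty-key records raise ValueError instead of yielding garbage."""
    strings, off = [], 0
    while off < len(blob):
        klen = blob[off]
        key = blob[off + 1:off + 1 + klen]
        off += 1 + klen
        if klen == 0 or len(key) != klen or off + 2 > len(blob):
            raise ValueError(f"bad key record ending at offset {off}")
        (dlen,) = struct.unpack_from("<H", blob, off)
        ct = blob[off + 2:off + 2 + dlen]
        off += 2 + dlen
        if len(ct) != dlen:
            raise ValueError(f"truncated ciphertext ending at offset {off}")
        strings.append(rc4(key, ct).decode("utf-8", errors="replace"))
    return strings

# Constructed sample table: three strings, each encrypted under a distinct key.
SAMPLE_TABLE = b"".join(pack_record(k, p) for k, p in [
    (b"key-one", b"kernel32.dll"),
    (b"key-two", b"GetProcAddress"),
    (b"key-three", b"https://example.invalid/dead-drop"),
])
```

Running `decrypt_string_table(SAMPLE_TABLE)` recovers the three constructed strings; feeding it a blob cut short by one byte raises ValueError at the last record.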
To communicate with the command-and-control (C2) server, SSLoad sends a JSON fingerprint using HTTP POST and requests tasks using unique host identifiers. The C2 server responds with encrypted job structures containing commands and arguments. The complexity of SSLoad is further highlighted by its use of a Rust downloader, which includes dynamic string decryption and an anti-debugging mechanism.
In order to effectively combat such sophisticated malware campaigns, continuous monitoring and advanced threat detection capabilities are essential. It is crucial for organizations to stay vigilant and employ robust cybersecurity measures to protect against evolving threats like SSLoad and other malware utilizing MSI installers for distribution.