A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad.
“It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captures passwords and sessions even if the primary loader is blocked,” ReliaQuest researchers Thassanai McCabe and Andrew Currie said in a report shared with The Hacker News.
The starting point of the attack chain is a ClickFix lure that tricks users into running PowerShell commands by pasting the command into the Windows Run dialog under the pretext of addressing a non-existent issue. This, in turn, uses “mshta.exe,” a legitimate Windows utility to download and run an obfuscated PowerShell loader.
The loader, for its part, has been found to conceal its actual functionality among meaningless variable assignments, likely in an attempt to deceive security tools. It’s assessed that the threat actors relied on an artificial intelligence (AI) tool to develop the obfuscation layer.
DeepLoad makes deliberate efforts to blend in with regular Windows activity and fly under the radar. This includes hiding the payload within an executable named “LockAppHost.exe,” a legitimate Windows process that manages the lock screen.
In addition, the malware covers up its own tracks by disabling PowerShell command history and invoking native Windows core functions directly instead of relying on PowerShell’s built-in commands to launch processes and modify memory. In doing so, it bypasses common monitoring hooks that keep tabs on PowerShell-based activity.
“To evade file-based detection, DeepLoad generates a secondary component on the fly by using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#,” ReliaQuest said. “This produces a temporary Dynamic Link Library (DLL) file dropped into the user’s Temp directory.”
This offers a way for the malware to sidestep file name-based detections, as the DLL is compiled every time it’s executed and written with a randomized file name.
Another notable defense evasion tactic adopted by DeepLoad is the use of asynchronous procedure call (APC) injection to run the main payload inside a trusted Windows process without a decoded payload written to disk after launching the target process in a suspended state, writing shellcode into its memory, and then resuming the execution of the process.
DeepLoad is designed to facilitate credential theft by extracting browser passwords from the host. It also drops a malicious browser extension that intercepts credentials as they are being entered on login pages and persists across user sessions unless it’s explicitly removed.
A more dangerous feature of the malware is its ability to automatically detect when removable media devices like USB drives are connected and copy the malware-laced files using names like “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk” so as to trigger the infection once it’s doubled-clicked.
“DeepLoad used Windows Management Instrumentation (WMI) to reinfect a ‘clean’ host three days later with no user action and no attacker interaction,” ReliaQuest explained. “WMI served two purposes: It broke the parent-child process chains most detection rules are built to catch, and it created a WMI event subscription that quietly re-executed the attack later.”
The goal, it appears, is to deploy multi-purpose malware that can perform malicious actions across the cyber kill chain and sidestep detection by security controls by avoiding writing artifacts to disk, blending into Windows processes, and spreading quickly to other machines.
Exactly when the malware first came to be used in real-world attacks or the overall scale of activity is unknown at this time. However, a ReliaQuest spokesperson told The Hacker News that it’s “very new” and that “its delivery via ClickFix suggests it has the potential to spread more broadly.”
“The infrastructure and templated implementation associated with DeepLoad may be consistent with a service-based or shared framework; however, we can’t conclusively determine at this stage whether it’s being offered as part of a MaaS [malware-as-a-service] model,” the spokesperson added.
The disclosure comes as G DATA detailed another malware loader dubbed Kiss Loader that’s distributed through Windows Internet Shortcut files (URL) attached to phishing emails, which then connects to a remote WebDAV resource hosted on a TryCloudflare domain to serve a secondary shortcut that masquerades as a PDF document.
Once executed, the shortcut launches a WSH script responsible for running a JavaScript component, which proceeds to retrieve and execute a batch script that displays a decoy PDF, sets up persistence in the Startup folder, and downloads the Python-based Kiss Loader. In the final stage, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection.
It’s currently not known how widespread attacks deploying Kiss Loader are, and if it’s being offered under a malware-as-a-service (MaaS) model. That said, the threat actor behind the loader claims to be from Malawi.
