The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver.
“MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts,” Recorded Future’s Insikt Group said in a report shared with The Hacker News.
“The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.”
Phishing and drive-by download campaigns distributing MintsLoader have been detected in the wild since early 2023, per Orange Cyberdefense. The loader has been observed delivering various follow-on payloads like StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client.
The malware has also been put to use by threat actors operating e-crime services like SocGholish (aka FakeUpdates) and LandUpdate808 (aka TAG-124), distributing via phishing emails targeting the industrial, legal, and energy sectors and fake browser update prompts.
In a notable twist, recent attack waves have employed the increasingly prevalent social engineering tactic called ClickFix to trick site visitors into copying and executing malicious JavaScript and PowerShell code. The links to ClickFix pages are distributed via spam emails.
“Although MintsLoader functions solely as a loader without supplementary capabilities, its primary strengths lie in its sandbox and virtual machine evasion techniques and a DGA implementation that derives the C2 domain based on the day it is run,” Recorded Future said.
These features, coupled with obfuscation techniques, enable threat actors to hinder analysis and complicate detection efforts. The primary responsibility of the malware is to download the next-stage payload from a DGA domain over HTTP by means of a PowerShell script.
GhostWeaver, according to a report from TRAC Labs earlier this February, is designed to maintain persistent communication with its C2 server, generate DGA domains based on a fixed-seed algorithm based on the week number and year, and deliver additional payloads in the form of plugins that can steal browser data and manipulate HTML content.
“Notably, GhostWeaver can deploy MintsLoader as an additional payload via its sendPlugin command. Communication between GhostWeaver and its command-and-control (C2) server is secured through TLS encryption using an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which is leveraged for client-side authentication to the C2 infrastructure,” Recorded Future said.
The disclosure comes as Kroll revealed attempts made by threat actors to secure initial access through an ongoing campaign codenamed CLEARFAKE that leverages ClickFix to lure victims into running MSHTA commands that ultimately deploy the Lumma Stealer malware.
