Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

Researchers have uncovered a sophisticated attack campaign leveraging phishing emails to distribute a stealthy malware called SSLoad. This campaign, named FROZEN#SHADOW by Securonix, is notable for its use of multiple tools, including Cobalt Strike and ConnectWise ScreenConnect, to gain unauthorized access to targeted systems. SSLoad is designed to operate covertly within systems, collecting sensitive data and communicating it back to its operators without raising alarms. Upon infiltration, SSLoad installs various backdoors and payloads to maintain persistence and evade detection by security measures.

The attack strategy involves sending phishing emails to organizations across Asia, Europe, and the Americas. These emails contain malicious links that lead recipients to download JavaScript files, initiating the infection process. Palo Alto Networks has identified two distribution methods for SSLoad: one involving booby-trapped URLs embedded in website contact forms and another using macro-enabled Microsoft Word documents.

The JavaScript file, when executed, retrieves an MSI installer file from a network share and runs it to deploy the SSLoad malware payload. This payload establishes communication with a command-and-control server, allowing attackers to remotely control compromised systems. Following initial reconnaissance, the attackers deploy Cobalt Strike, a post-exploitation framework, to gain deeper access to systems. They then install ScreenConnect for remote access, enabling them to acquire credentials, gather sensitive information, and pivot to other systems within the network, including domain controllers.

Security Officer Comments:
The severity of this attack extends beyond initial infiltration and data gathering. Once the threat actors establish full access to compromised systems, they embark on a comprehensive reconnaissance mission to acquire credentials and extract critical system details. This reconnaissance phase often involves scanning victim hosts for sensitive documents and stored credentials, further escalating the threat level. Moreover, the attackers demonstrate advanced tactics by pivoting to other systems within the network, including targeting domain controllers. By creating their own domain administrator account, they achieve a level of access that allows them to move laterally across the entire Windows domain. This capability poses a significant risk as it enables the threat actors to potentially compromise any connected machine within the domain, amplifying the impact and scope of the attack.

Suggested Corrections:
When it comes to successful breaches, phishing is still the #1 attack vector that threat actors are using to introduce malware and compromise internal systems. It’s critical for front line users to be aware of the existence of these threats and how to spot them. Exercise caution around unsolicited emails, especially when the email is unexpected or employs a sense of urgency. When it comes to prevention and detection, the Securonix Threat Research team recommends:

  • Avoid downloading files or attachments from external sources, especially if the source was unsolicited. Common file types include zip, rar, iso, and pdf. Zip files were used during this campaign.
  • Monitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged in subdirectories in C:\ProgramData as well as the user’s %APPDATA%.
  • Through various phases of the FROZEN#SHADOW campaign, the threat actors leveraged encrypted channels over port 443 to evade detection. Because of this, we strongly recommend deploying robust endpoint logging capabilities. This includes leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.
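As an added illustration of the staging-directory and process-logging recommendations above (example code, not Securonix's detection content), the following script triages constructed Sysmon Event ID 1 process-creation records for the two early steps of this chain: a Windows script host running a .js file out of C:\ProgramData or %APPDATA%, and msiexec fetching an installer from a network share. The host name, user name and file names in the sample records are invented.

```python
# Added example: match Sysmon process-creation (Event ID 1) records against the
# FROZEN#SHADOW staging pattern. All records below are constructed, not real logs.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Staging roots named in the report (lower-cased, trailing backslash keeps matches exact).
STAGING_DIRS = ("c:\\programdata\\", "\\appdata\\")
# A UNC path: two leading backslashes, a host, a backslash, then the share/file.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_staged_script(image: str, cmdline: str) -> bool:
    """True when a script host executes a .js file from a staging directory."""
    cl = cmdline.lower()
    return _basename(image) in SCRIPT_HOSTS and ".js" in cl and any(d in cl for d in STAGING_DIRS)


def is_remote_msi(image: str, cmdline: str) -> bool:
    """True when msiexec is pointed at a UNC path (installer pulled from a share)."""
    return _basename(image) == "msiexec.exe" and bool(UNC_RE.search(cmdline))


def triage(events):
    """Return (RecordId, reason) for every Event ID 1 record that matches a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation records
            continue
        img, cl = ev.get("Image", ""), ev.get("CommandLine", "")
        if is_staged_script(img, cl):
            hits.append((ev["RecordId"], "script host running .js from staging dir"))
        elif is_remote_msi(img, cl):
            hits.append((ev["RecordId"], "msiexec installing from network share"))
    return hits


# Constructed sample records using Sysmon Event ID 1 field names (hypothetical values).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Roaming\invoice.js'},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\fileshare01\share\update.msi /qn"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"},   # benign local install
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Windows\System32\wscript.exe", "CommandLine": ""},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\cleanup.js"},                  # admin script, not staged
]

if __name__ == "__main__":
    for rid, why in triage(SAMPLE_EVENTS):
        print(f"record {rid}: {why}")
```

Running it flags records 1 and 2 only; the same two predicates can be dropped into a SIEM rule over real Sysmon Image and CommandLine fields.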