Nicole
Security Researcher at @IntezerLabs

Jun 10, 7 tweets

Dissecting a new #Rust loader - SSLoad. Initially reported by @Unit42_Intel. The infection chain begins with a phishing email, consists of multiple stages, and implements various techniques. A technical analysis 🧵 [1/]

The phishing email delivers MSI installer files, which are set to execute a DLL named MenuEx.dll. This is a sophisticated and undocumented loader we named PhantomLoader. [2/]

PhantomLoader is embedded in a legitimate DLL linked to 360 Total Security. It uses self-modifying techniques to evade detection and decrypt the stub, which then decrypts the next-stage payload from the resource section. [3/]

SSLoad Downloader, a 32-bit DLL in Rust, decrypts a URL pointing to a dead-drop site: a Telegram channel. It uses custom RC4+Base64 string decryption for URLs and user agents, then retrieves and executes the final payload. [4/]

SSLoad's payload employs advanced anti-debugging techniques, including mutex creation and PEB checks. It dynamically loads Advapi32.dll and uses unique XOR keys for string decryption. [5/]

Once executed, SSLoad's payload fingerprints the system, gathering OS version, architecture, and user details. It then communicates with the C2 server via HTTP POST, using a unique identifier and RC4 encryption for secure data transmission. [6/]
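Both the downloader's string decryption [4/] and the payload's C2 traffic [6/] rest on RC4, in the first case wrapped in Base64. The following Python is an added analyst helper written for this thread, not code from Intezer or from the malware: a plain RC4 implementation plus the Base64+RC4 and per-string XOR decode steps an analyst would reproduce to recover URLs, user agents and C2 bodies from a sample. The key, the string table and the "C2 body" below are constructed for illustration; the real key derivation, string-table layout and C2 message format are not described in the thread and are assumed here to be a raw key and a Base64-encoded ciphertext.

```python
import base64

# ---- RC4 primitive (standard KSA + PRGA), used by both decode helpers ----
def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# ---- Base64 + RC4 string decryption, as described for the downloader ----
def decrypt_b64_rc4(key: bytes, blob: str) -> str:
    """Base64-decode the stored blob, then RC4-decrypt it with the key."""
    return rc4_crypt(key, base64.b64decode(blob)).decode("utf-8", "replace")

def encrypt_rc4_b64(key: bytes, plaintext: str) -> str:
    """Inverse helper, used only to build constructed samples for this demo."""
    return base64.b64encode(rc4_crypt(key, plaintext.encode())).decode()

def decode_string_table(key: bytes, table: dict) -> dict:
    """Walk an extracted {label: blob} table and return {label: plaintext}."""
    return {name: decrypt_b64_rc4(key, blob) for name, blob in table.items()}

# ---- per-string XOR decryption, as described for the payload ----
def xor_decrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; each string in the payload carries its own key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# ---- constructed sample data (NOT real SSLoad artifacts) ----
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_TABLE = {                               # labels/values are made up
    "dead_drop": encrypt_rc4_b64(SAMPLE_KEY, "https://t.me/example_channel"),
    "user_agent": encrypt_rc4_b64(SAMPLE_KEY, "Mozilla/5.0 (constructed UA)"),
}
XOR_KEY = b"\x5a\x13"                          # constructed per-string key
XOR_BLOB = xor_decrypt(XOR_KEY, b"Advapi32.dll") # constructed ciphertext
C2_BODY = rc4_crypt(SAMPLE_KEY, b"id=CONSTRUCTED-ID&os=10.0&arch=x64")

def decode_c2_body(key: bytes, body: bytes) -> dict:
    """Decrypt an RC4 POST body and split it into key=value fields."""
    text = rc4_crypt(key, body).decode("utf-8", "replace")
    return dict(field.split("=", 1) for field in text.split("&") if "=" in field)

if __name__ == "__main__":
    for label, value in decode_string_table(SAMPLE_KEY, SAMPLE_TABLE).items():
        print(f"{label}: {value}")
    print("xor string:", xor_decrypt(XOR_KEY, XOR_BLOB).decode())
    print("c2 fields:", decode_c2_body(SAMPLE_KEY, C2_BODY))
```

Because RC4 is symmetric, the same `rc4_crypt` call decrypts both the stored strings and the captured C2 bodies once the key is known; in practice the key is recovered from the sample (or from memory at runtime) and the Base64 blobs from the string table, and the helper lets an analyst confirm the dead-drop URL and user agent before writing detections on them.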

For the full analysis, check out the blog post by @MhicRoibin and me [7/]
intezer.com/blog/research/…
