A new cybersecurity threat has been identified: a malware family known as DeepLoad is actively targeting systems through the ClickFix technique. This malware is capable of intercepting browser activities and stealing sensitive credentials, according to a report from ReliaQuest.
DeepLoad Emerges in Cybercrime Forums
Initially spotted in early February, DeepLoad was advertised on a cybercrime forum as a versatile tool capable of managing multiple malware types. The malware can replace legitimate cryptocurrency applications and browser extensions with fraudulent versions, posing a significant risk to users’ credentials and privacy.
ZeroFox, a cybersecurity firm, highlighted DeepLoad’s focus on facilitating real-time cryptocurrency theft as a key feature that enhances its appeal within the cybercrime-as-a-service (CaaS) sector.
ClickFix Technique: A New Attack Vector
ReliaQuest has recently observed DeepLoad being distributed through the ClickFix technique, specifically targeting Windows systems. The method involves tricking users into executing a command that launches a PowerShell loader, which then installs the DeepLoad malware onto the system.
To avoid detection, DeepLoad dynamically generates a secondary component as a DLL file, which is compiled at each execution with a unique name. This tactic helps it evade conventional security measures.
Advanced Evasion Tactics
DeepLoad employs sophisticated methods to remain undetected, such as disabling PowerShell command history and calling core Windows functions directly. Furthermore, the malware is injected into a legitimate Windows process, LockAppHost.exe, through an asynchronous procedure call (APC) technique. This method not only conceals the malicious activity but also ensures the payload is executed entirely in memory.
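The ClickFix loader and evasion behaviours described above, as an added triage example that is not code from the article, ReliaQuest or ZeroFox: it scores constructed Sysmon-style process-creation events (the field names and the sample events are assumptions) for the PowerShell history-disabling step, a hidden PowerShell loader launched from the user's shell, and LockAppHost.exe being started by a script host instead of its usual service parent.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"Set-PSReadLineOption "
                "-HistorySaveStyle SaveNothing; <loader command elided>\""},
    {"id": 2, "parent": "powershell.exe", "image": "LockAppHost.exe",
     "cmdline": "LockAppHost.exe"},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": 4, "parent": "svchost.exe", "image": "LockAppHost.exe",
     "cmdline": "LockAppHost.exe -Embedding"},
]

PS_HOSTS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = PS_HOSTS | {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HISTORY_OFF = re.compile(r"-HistorySaveStyle\s+SaveNothing", re.I)   # PSReadLine option
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)       # -w hidden / -WindowStyle Hidden

def rules_for(ev):
    """Return the names of the DeepLoad-related behaviours a single event matches."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = []
    if image in PS_HOSTS and HISTORY_OFF.search(cmd):
        hits.append("ps_history_disabled")           # evasion: no PSReadLine history written
    if image in PS_HOSTS and parent == "explorer.exe" and HIDDEN.search(cmd):
        hits.append("hidden_ps_from_user_shell")     # user-run command spawning a hidden loader
    if image == "lockapphost.exe" and parent in SCRIPT_HOSTS:
        hits.append("lockapphost_from_script_host")  # injection target launched by a script host
    return hits

def triage(events):
    """Map event id -> matched rule names, keeping only events that matched something."""
    return {ev["id"]: hits for ev in events if (hits := rules_for(ev))}

def severity(findings):
    """Escalate when the evasion step and the injection target both appear in the batch."""
    names = {r for hits in findings.values() for r in hits}
    if "lockapphost_from_script_host" in names and "ps_history_disabled" in names:
        return "high"
    return "medium" if names else "none"

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print(found, severity(found))
```

The hidden-window rule is low fidelity on its own, which is why severity is only raised when the history-disabling step and the LockAppHost.exe launch are seen together.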
Alongside its credential-stealing capabilities, DeepLoad also deploys a rogue browser extension that compromises user sessions, exposing passwords, active logins, and session tokens.
Expanding Threat Vector
In addition to its primary distribution method, DeepLoad has been observed spreading through USB drives. However, it remains unclear if this capability is inherent to DeepLoad or if it’s facilitated by its operators.
As cyber threats continue to evolve, staying informed about emerging malware such as DeepLoad is crucial for safeguarding sensitive data and protecting systems from unauthorized access.
