DeepLoad Targets Enterprise Networks
A newly identified malware, known as DeepLoad, is infiltrating enterprise systems with ease, converting a single user action into sustained access. This malware can persist through system reboots and evade standard cleanup attempts, posing a significant threat to network security.
DeepLoad’s distinctiveness lies in its meticulously structured attack phases, designed specifically to bypass existing security measures commonly employed by organizations.
ClickFix and Initial Compromise Methods
DeepLoad gains entry via ClickFix, a deceptive tactic in which employees encounter a fake browser error page. The page leads them to run a PowerShell command under the guise of fixing the issue; that command creates a scheduled task that reloads the malware at each reboot.
The task uses mshta.exe, a legitimate Windows utility, to retrieve an obfuscated payload from attacker-controlled domains. The infection is fully operational within minutes, leaving little time for an effective response.
Rapid Infection and Credential Theft
ReliaQuest analysts detected this campaign during investigations into active network breaches. Their analysis revealed that the attack’s design is meant to outpace manual response, with credential theft commencing well before the full attack sequence concludes.
The malware propagates to USB drives swiftly, often within ten minutes, increasing the likelihood of further system infections. DeepLoad employs a credential stealer named filemanager.exe, which operates independently to extract data, even if the primary loader is obstructed.
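The persistence mechanism described above (a scheduled task that launches mshta.exe) and the independently running credential stealer (a process named filemanager.exe) can both be checked for on a suspect host. The following triage script is an added example written for this article; it is not code from ReliaQuest or from the article itself. Because the article does not give the task name, the attacker domains or the file paths DeepLoad uses, the script matches on behaviour rather than on indicators, and it only reads state; it removes nothing.

```powershell
# Added example: read-only triage for the DeepLoad behaviours the article describes.
# Assumes an elevated PowerShell session on the suspect Windows host.
# Task names, domains and paths are not given in the article, so this keys on
# behaviour: scheduled tasks whose action runs mshta.exe, and any process named
# filemanager.exe (the stealer name the article gives).

$findings = @()

# 1. Scheduled tasks whose action invokes mshta.exe (the reload-at-boot mechanism).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)\bmshta(\.exe)?\b') {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd
                Extra  = "author: $($task.Author); state: $($task.State)"
            }
        }
    }
}

# 2. Running processes named filemanager.exe. The image path and Authenticode
#    status let an analyst separate a legitimately installed tool from the stealer.
foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'filemanager.exe'") {
    $sig = 'unknown'
    if ($proc.ExecutablePath -and (Test-Path $proc.ExecutablePath)) {
        $sig = (Get-AuthenticodeSignature $proc.ExecutablePath).Status
    }
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Name   = "$($proc.Name) (PID $($proc.ProcessId))"
        Detail = "$($proc.ExecutablePath) cmdline: $($proc.CommandLine)"
        Extra  = "signature: $sig; parent PID: $($proc.ParentProcessId)"
    }
}

if ($findings.Count -eq 0) {
    'No mshta.exe scheduled tasks or filemanager.exe processes found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on either check is a lead, not a verdict: a task that runs mshta.exe is unusual in most enterprise builds but not impossible, so review the task's action, author and creation time before treating the host as compromised.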
AI-Driven Evasion Techniques
DeepLoad utilizes sophisticated evasion strategies, making it difficult for traditional security tools to detect. Its PowerShell loader is filled with meaningless variable assignments, creating the illusion of activity without performing any substantial actions.
The malware’s core functionality, a brief XOR decryption routine, is concealed at the end of the script and decrypts shellcode directly in memory to avoid detection. This obfuscation layer is believed to be AI-generated, allowing quick redevelopment and redeployment to outmaneuver defenses.
For protection, security teams should enable PowerShell Script Block Logging to capture decoded runtime commands and mitigate obfuscation effects. Additionally, all WMI event subscriptions on infected systems must be thoroughly audited and removed before returning any machine to production use.
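The two recommendations above (turn on Script Block Logging, then audit WMI permanent event subscriptions) can be carried out from one elevated PowerShell session, and once logging is on, the decoded script blocks can be searched for the in-memory XOR decryption pattern described in the previous section. The script below is an added example written for this article, not code from ReliaQuest or the article; the search heuristic in part C is an assumption about what such a loader would look like in the logs, not a signature taken from the campaign.

```powershell
# Added example: apply the article's two hardening steps and search the resulting
# logs. Assumes an elevated session on a Windows host. In a domain, set the
# Script Block Logging policy through Group Policy instead of the local key.

# Part A: enable PowerShell Script Block Logging via the policy registry key.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Part B: enumerate WMI permanent event subscriptions. Persistence needs all three
# pieces (filter, consumer, binding), so list all three and review every entry.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

'--- Event filters ---'
$filters   | Select-Object Name, Query | Format-Table -AutoSize -Wrap
'--- Event consumers (CommandLineTemplate / ScriptText are populated by type) ---'
$consumers | Select-Object Name, CommandLineTemplate, ScriptText | Format-Table -AutoSize -Wrap
'--- Bindings ---'
$bindings  | Select-Object Filter, Consumer | Format-Table -AutoSize -Wrap

# Only after review: a confirmed-malicious triple is removed with Remove-CimInstance
# on the binding, then on its filter and consumer, e.g.
#   $bindings | Where-Object { "$($_.Filter)" -match 'NAME-FROM-REVIEW' } | Remove-CimInstance

# Part C: search decoded script blocks (event ID 4104) for the pattern described
# in the article: a -bxor loop over a byte array together with in-memory execution
# primitives. Heuristic (assumed), so treat matches as leads for analysis.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 2000 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $text = [string]$e.Properties[2].Value   # 4104 property index 2 is ScriptBlockText
    if ($text -match '-bxor' -and
        $text -match '(?i)\[(System\.)?byte\[\]\]' -and
        $text -match '(?i)VirtualAlloc|Marshal\]::Copy|GetDelegateForFunctionPointer') {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            ScriptBlockId = $e.Properties[3].Value
            Snippet       = $text.Substring(0, [Math]::Min(160, $text.Length))
        }
    }
}
```

Script Block Logging records what actually executed after the padding assignments have been stripped away by the engine, which is why the article recommends it; the 4104 search is therefore run against decoded content, not against the obfuscated file on disk.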
To prevent further compromise, it’s imperative that all credentials from infected hosts are immediately rotated, and all connected USB drives are thoroughly examined before reuse. Browser extensions that are not officially sanctioned should be purged from affected systems. Endpoint monitoring should transition from traditional file-based scanning to behavior-focused detection using EDR telemetry and memory scanning technologies.
