A new campaign has been observed leveraging ClickFix social engineering tactics to distribute a previously unknown malware loader called Deepload.
“It uses AI-assisted obscurity and process injection to potentially avoid static scanning, while credential theft begins immediately and captures passwords and sessions even when the primary loader is blocked,” ReliaQuest researchers Thasnai McCabe and Andrew Currie said in a report shared with The Hacker News.
The attack chain starts with a ClickFix lure that tricks users into pasting a PowerShell command into the Windows Run dialog under the pretext of fixing a non-existent problem. That command uses the legitimate Windows utility “mshta.exe” to download and run an obfuscated PowerShell loader.
The loader has been found to hide its true functionality among meaningless variable assignments, likely in an attempt to defeat static analysis and deceive security tools. ReliaQuest assessed that the threat actors relied on artificial intelligence (AI) tools to develop the obfuscation layer.
Deepload makes a deliberate effort to blend in with normal Windows activity and fly under the radar. This involves running its payload inside “LockAppHost.exe”, a legitimate Windows process that manages the lock screen.
The malware also covers its tracks by disabling the PowerShell command history and calling native Windows API functions directly, rather than relying on PowerShell’s built-in cmdlets, to launch processes and modify memory. In doing so, it sidesteps the hooks that security tools typically place on PowerShell-based activity.
“To avoid file-based detection, Deepload immediately generates a secondary component using the built-in PowerShell feature Add-Type, which compiles and runs code written in C#,” ReliaQuest said. “This generates a temporary dynamic link library (DLL) file placed in the user’s Temp directory.”
This lets the malware bypass file-name-based detection, as the DLL is compiled and written under a random file name each time the loader runs.
Another notable defense evasion technique used by Deepload is asynchronous procedure call (APC) injection, which runs the main payload inside a trusted Windows process without ever writing the decoded payload to disk. The loader launches the target process in a suspended state, writes shellcode into its memory, and then resumes the process so that the shellcode executes.
Deepload is designed to facilitate credential theft by extracting browser passwords from the host. It also drops a malicious browser extension that captures credentials as they are entered on login pages and persists across user sessions until it is explicitly removed.
Another, more dangerous feature of the malware is its ability to automatically detect when removable media such as USB drives are connected and plant malicious shortcut files on them with names such as “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk,” so that the infection is triggered when a victim double-clicks one of them.
“Deepload used Windows Management Instrumentation (WMI) to re-infect the ‘clean’ host three days later without any user action and without any attacker interaction,” ReliaQuest reported. “WMI served two purposes: it broke the parent-child process chain that most detection rules are designed to capture, and it created WMI event subscriptions that later silently re-enacted the attack.”
The goal, it appears, is to deploy multi-purpose malware that can carry out every stage of the kill chain while evading security controls by minimizing the artifacts it writes to disk, blending into legitimate Windows processes, and spreading quickly to other machines.
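As an added example (not ReliaQuest’s code and not part of the original report), the following Python sketches how the Deepload stages described above could be turned into detection rules run over Sysmon-style telemetry: the mshta.exe-to-PowerShell ClickFix launch, the Add-Type compile that drops a random DLL in Temp, PowerShell starting LockAppHost.exe, installer-named shortcuts written to a removable drive, and the WMI event subscription that re-launches the chain days later. The event shape, field names, the sample events, the set of removable drive letters and the assumption that LockAppHost.exe is never legitimately started by PowerShell are all constructed for illustration.

```python
"""Detection rules for the Deepload-style chain, run over constructed Sysmon-like events.
Added example; the event shape is an assumption modelled on Sysmon Event IDs 1 (process
create), 11 (file create) and 19/20/21 (WMI filter / consumer / binding created)."""
import os
from collections import Counter
from typing import Optional

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Shortcut names the report says Deepload plants on removable media.
USB_LURE_NAMES = {"chromesetup.lnk", "firefox installer.lnk", "anydesk.lnk"}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules ignore the install location."""
    return os.path.basename(path.replace("\\", "/")).lower()


def rule_clickfix(ev: dict) -> Optional[str]:
    """ClickFix stage: mshta.exe (pasted into the Run dialog) spawning PowerShell."""
    if ev["id"] == 1 and base(ev["image"]) in POWERSHELL and base(ev["parent"]) == "mshta.exe":
        return "clickfix_mshta_to_powershell"
    return None


def rule_add_type(ev: dict) -> Optional[str]:
    """Add-Type compiles C# at run time: PowerShell spawns csc.exe, which writes a
    randomly named DLL under the user's Temp directory."""
    if ev["id"] == 1 and base(ev["image"]) == "csc.exe" and base(ev["parent"]) in POWERSHELL:
        return "powershell_runtime_compile"
    if ev["id"] == 11 and base(ev["image"]) == "csc.exe":
        target = ev["target"].lower()
        if "\\appdata\\local\\temp\\" in target and target.endswith(".dll"):
            return "temp_dll_from_csc"
    return None


def rule_injection_host(ev: dict) -> Optional[str]:
    """Injection target from the report: LockAppHost.exe started by PowerShell.
    Assumption: a PowerShell parent is never legitimate for that process."""
    if ev["id"] == 1 and base(ev["image"]) == "lockapphost.exe" and base(ev["parent"]) in POWERSHELL:
        return "lockapphost_spawned_by_powershell"
    return None


def rule_usb_lure(ev: dict, removable: frozenset) -> Optional[str]:
    """Installer-named .lnk written to the root of a removable drive. Which drive
    letters are removable is assumed to come from an inventory and is passed in."""
    if ev["id"] == 11:
        drive, _, rest = ev["target"].partition("\\")
        if drive.upper() in removable and rest.lower() in USB_LURE_NAMES:
            return "usb_lure_shortcut"
    return None


def rule_wmi(ev: dict) -> Optional[str]:
    """WMI persistence: a filter/consumer/binding being created, or PowerShell later
    started by WmiPrvSE.exe, which is how the subscription re-launches the chain
    without the usual parent-child lineage."""
    if ev["id"] in (19, 20, 21):
        return "wmi_event_subscription"
    if ev["id"] == 1 and base(ev["parent"]) == "wmiprvse.exe" and base(ev["image"]) in POWERSHELL:
        return "powershell_spawned_by_wmiprvse"
    return None


def detect(events, removable=frozenset({"E:"})):
    """Run every rule over every event; return (rule, host, image-or-target) findings."""
    findings = []
    for ev in events:
        for rule in (rule_clickfix, rule_add_type, rule_injection_host, rule_wmi):
            hit = rule(ev)
            if hit:
                findings.append((hit, ev["host"], ev.get("target") or ev["image"]))
        hit = rule_usb_lure(ev, removable)
        if hit:
            findings.append((hit, ev["host"], ev["target"]))
    return findings


def summarize(findings):
    """Count rule hits per host so a full chain on one host stands out from single hits."""
    return Counter((host, rule) for rule, host, _ in findings)


# Constructed sample events, not captured telemetry. ws01 shows the whole chain;
# ws02 shows benign PowerShell and csc.exe use that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "host": "ws01", "image": PS, "parent": r"C:\Windows\System32\mshta.exe"},
    {"id": 1, "host": "ws01", "image": CSC, "parent": PS},
    {"id": 11, "host": "ws01", "image": CSC, "target": r"C:\Users\alice\AppData\Local\Temp\q3k8vx1z.dll"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\LockAppHost.exe", "parent": PS},
    {"id": 11, "host": "ws01", "image": PS, "target": r"E:\ChromeSetup.lnk"},
    {"id": 19, "host": "ws01", "image": PS},  # __EventFilter created
    {"id": 20, "host": "ws01", "image": PS},  # CommandLineEventConsumer created
    {"id": 21, "host": "ws01", "image": PS},  # __FilterToConsumerBinding created
    {"id": 1, "host": "ws01", "image": PS, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},  # days later
    {"id": 1, "host": "ws02", "image": PS, "parent": r"C:\Windows\explorer.exe"},  # benign admin use
    {"id": 11, "host": "ws02", "image": CSC, "target": r"C:\Users\bob\AppData\Local\Temp\notes.txt"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(summarize(detect(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (Add-Type is used by plenty of legitimate scripts, and csc.exe under PowerShell is routine on admin workstations); the point of `summarize` is that the same host accumulating the ClickFix launch, the compile, the injection target and the WMI subscription within one window is what distinguishes this chain from ordinary activity.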
The disclosure comes as G Data detailed another malware loader, called KissLoader, that is distributed via Windows Internet Shortcut (.url) files attached to phishing emails. The shortcut connects to a remote WebDAV share hosted on a TryCloudflare domain and serves a second shortcut that masquerades as a PDF document.
Once executed, that shortcut launches a Windows Script Host (WSH) script responsible for running a JavaScript component, which in turn retrieves and executes a batch script that displays a decoy PDF, sets up persistence via the Startup folder, and downloads the Python-based KissLoader. In the final step, the loader decrypts and runs Venom RAT, an AsyncRAT variant, using APC injection.
It is currently not known how widespread the attacks deploying the loader are, or whether it is being offered under a malware-as-a-service (MaaS) model. The threat actor behind the loader reportedly claims to be from Malawi.