IBM X-Force has tracked QuirkyLoader, a sophisticated loader malware deployed by threat actors to distribute prominent families such as Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger.
The infection chain starts with spam emails, sent either through legitimate email providers or from attacker-operated (self-hosted) mail servers, that carry a malicious archive. The archive holds three files: a legitimate executable, an encrypted payload disguised as a DLL, and the malicious loader DLL.
Payload Delivery
Through DLL side-loading, the legitimate executable loads the malicious DLL in place of a library it expects. The loader then decrypts the payload and injects it by process hollowing into a freshly spawned .NET Framework utility such as AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
Because the first process to run is a trusted, benign-looking binary and the payload ultimately executes inside another legitimate process image, the chain draws little attention from signature- or reputation-based controls at the initial stage.

The core DLL module of QuirkyLoader is written in C# (.NET) and compiled ahead of time (AOT), so the shipped binary contains native machine code rather than .NET intermediate language. The result looks like a C or C++ binary, which defeats the IL decompilers and .NET-aware tooling analysts normally rely on and forces analysis down to the native code.
Technical Breakdown
The loader reads the encrypted payload with Win32 APIs such as CreateFileW() and ReadFile(), then decrypts it with block ciphers, including the rarely seen lightweight cipher Speck-128 in CTR mode.
The key schedule expands the master key into per-round keys. In CTR mode the cipher is only ever run in the encryption direction: the loader encrypts successive nonce-plus-counter blocks with Speck's Add-Rotate-XOR (ARX) round function to produce keystream, then XORs that keystream against the ciphertext 16 bytes at a time.
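The keystream construction described above, written out as an added example for this article (it is neither QuirkyLoader's own routine nor IBM X-Force's code). The cipher follows the published Speck128/128 specification and checks itself against the specification's test vector. The counter-block layout (an 8-byte nonce followed by a 64-bit little-endian block counter), the little-endian word packing, and the sample key, nonce and fake payload in the demo are assumptions and constructed inputs, because the article does not say how the loader builds its counter blocks.

```python
"""Speck128/128 in CTR mode: worked example for the article, not malware code.
The nonce/counter layout and word packing are assumptions; the cipher itself
follows the public Speck specification (alpha=8, beta=3, 32 rounds)."""

WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1
ALPHA, BETA, ROUNDS = 8, 3, 32          # Speck128/128 parameters


def ror(x, r):
    return ((x >> r) | (x << (WORD_BITS - r))) & MASK


def rol(x, r):
    return ((x << r) | (x >> (WORD_BITS - r))) & MASK


def speck_round(x, y, k):
    """One ARX round: rotate-right, add, XOR key; rotate-left, XOR."""
    x = (ror(x, ALPHA) + y) & MASK
    x ^= k
    y = rol(y, BETA) ^ x
    return x, y


def key_schedule(key):
    """Expand a 16-byte master key into 32 round keys.  The schedule reuses the
    round function with the round index standing in for the key."""
    assert len(key) == 16
    a = int.from_bytes(key[0:8], "little")   # k[0]
    b = int.from_bytes(key[8:16], "little")  # l[0]
    rk = []
    for i in range(ROUNDS - 1):
        rk.append(a)
        b, a = speck_round(b, a, i)
    rk.append(a)
    return rk


def encrypt_block(block, rk):
    """Encrypt one 16-byte block; the two 64-bit words are packed little-endian."""
    y = int.from_bytes(block[0:8], "little")
    x = int.from_bytes(block[8:16], "little")
    for k in rk:
        x, y = speck_round(x, y, k)
    return y.to_bytes(8, "little") + x.to_bytes(8, "little")


def speck_ctr(key, nonce, data):
    """CTR mode: keystream block i = E_k(nonce || i), XORed onto the data.
    The operation is symmetric, so the same call both encrypts and decrypts.
    Layout assumption: 8-byte nonce followed by a little-endian 64-bit counter."""
    assert len(nonce) == 8
    rk = key_schedule(key)
    out = bytearray()
    for i in range(0, len(data), 16):
        counter_block = nonce + (i // 16).to_bytes(8, "little")
        keystream = encrypt_block(counter_block, rk)
        out.extend(a ^ b for a, b in zip(data[i:i + 16], keystream))
    return bytes(out)


def known_answer_ok():
    """Check against the Speck128/128 test vector from the specification:
    key bytes 00..0f, plaintext ' made it equival' (little-endian word order)."""
    key = bytes(range(16))
    pt = b" made it equival"
    expected = bytes.fromhex("180d575cdffe60786532787951985da6")
    return encrypt_block(pt, key_schedule(key)) == expected


def demo_recover_payload():
    """Constructed sample (not a real executable): encrypt a fake PE-like blob
    with an arbitrary key/nonce, decrypt it the way a loader would, and confirm
    the MZ header comes back.  Returns True when the round trip succeeds."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # example key, assumed
    nonce = b"\x11" * 8                                         # example nonce, assumed
    payload = b"MZ\x90\x00" + b"\x00" * 36 + b"This program cannot be run in DOS mode."
    blob = speck_ctr(key, nonce, payload)      # what would sit on disk as the fake DLL
    recovered = speck_ctr(key, nonce, blob)
    return blob != payload and recovered == payload and recovered[:2] == b"MZ"


if __name__ == "__main__":
    print("known-answer test:", known_answer_ok())
    print("payload round trip:", demo_recover_payload())
```

Because CTR mode never runs the block cipher in the decryption direction, an analyst who recovers the key and nonce from the loader can decrypt the on-disk blob with exactly this routine; the MZ magic reappearing at offset 0 is the quick sanity check that key, nonce and counter layout are all right.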
To further evade security tools, the malware resolves the APIs it needs for process hollowing at runtime rather than importing them: it launches the target in a suspended state with CreateProcessW(), unmaps the original image with ZwUnmapViewOfSection(), writes the payload into the process with ZwWriteVirtualMemory(), points the main thread at the new entry point with SetThreadContext(), and finally calls ResumeThread().
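The API sequence above is also what a sandbox or API monitor can match on. The following detector is an added example written for this article, not IBM X-Force's or QuirkyLoader's code: it walks a trace of hooked calls and reports a target process only when the full suspended-create, unmap, write, set-context, resume chain is seen against it. The trace format (one dict per call, with the monitor already resolving thread handles back to the owning process) and the sample trace are assumptions and constructed data; the API names, the Nt/Zw equivalence, and the CREATE_SUSPENDED flag value are real Windows facts.

```python
"""Ordered API-call matcher for the process-hollowing chain.  Example code for
the article; trace format and sample data are constructed assumptions."""

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit

# Processes the article names as hollowing targets (all ship with the .NET Framework).
KNOWN_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}

# The chain, in order.  Each stage accepts the spellings that reach the same
# kernel service: Nt*/Zw* are the same syscall and the Win32 wrappers call through.
STAGES = [
    {"createprocessw", "createprocessa", "createprocessinternalw"},
    {"zwunmapviewofsection", "ntunmapviewofsection"},
    {"zwwritevirtualmemory", "ntwritevirtualmemory", "writeprocessmemory"},
    {"setthreadcontext", "ntsetcontextthread", "zwsetcontextthread"},
    {"resumethread", "ntresumethread", "zwresumethread"},
]


def detect_hollowing(trace):
    """Single pass over the trace with a per-target-pid stage index.  Unrelated
    calls against the same target (memory allocation, reads) are tolerated in
    between stages; a non-suspended CreateProcess never starts a chain.
    Returns one finding per completed chain."""
    progress = {}   # target pid -> [next stage index, target image, caller pid]
    findings = []
    for call in trace:
        api = call["api"].lower()
        if api in STAGES[0]:
            if call.get("flags", 0) & CREATE_SUSPENDED:
                progress[call["target"]] = [1, call.get("image", "").lower(), call["pid"]]
            continue
        state = progress.get(call["target"])
        if state is None:
            continue
        if api in STAGES[state[0]]:
            state[0] += 1
            if state[0] == len(STAGES):
                image = state[1]
                findings.append({
                    "caller": state[2],
                    "target": call["target"],
                    "image": image,
                    "known_target": image.rsplit("\\", 1)[-1] in KNOWN_TARGETS,
                })
                del progress[call["target"]]
    return findings


# Constructed sample trace (not real telemetry): pid 4242 hollows a suspended
# InstallUtil.exe (pid 5000); pid 7777 launches notepad normally and reads it.
SAMPLE_TRACE = [
    {"pid": 4242, "api": "CreateProcessW", "target": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "flags": CREATE_SUSPENDED},
    {"pid": 7777, "api": "CreateProcessW", "target": 6000,
     "image": r"C:\Windows\System32\notepad.exe", "flags": 0},
    {"pid": 4242, "api": "ZwUnmapViewOfSection", "target": 5000},
    {"pid": 4242, "api": "ZwAllocateVirtualMemory", "target": 5000},   # interleaved, ignored
    {"pid": 4242, "api": "ZwWriteVirtualMemory", "target": 5000},
    {"pid": 7777, "api": "ReadProcessMemory", "target": 6000},
    {"pid": 4242, "api": "SetThreadContext", "target": 5000},
    {"pid": 4242, "api": "ResumeThread", "target": 5000},
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

Gating on CREATE_SUSPENDED matters in practice: debuggers, installers and some AV components also write into child processes, but very few legitimate programs unmap a suspended child's image and redirect its primary thread before resuming it. Dynamic API resolution does not help the malware here, since the hooks fire on the calls themselves, not on the import table.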
Victimology shows targeted campaigns in July 2025 against employees of Nusoft, a Taiwan-based company, delivering Snake Keylogger, alongside indiscriminate campaigns against users in Mexico delivering Remcos and AsyncRAT.
Related infrastructure includes the domain catherinereynolds[.]info, which resolves to 157.66.225.11 and hosts a Zimbra webmail client. Two further addresses, 103.75.77.90 and 161.248.178.212, serve a TLS certificate issued for mail.catherinereynolds[.]info, pointing to a single, coordinated malspam network.
QuirkyLoader exemplifies evolving loader tactics, blending .NET AOT compilation with rare ciphers and dynamic API resolution to deploy infostealers and RATs.
Organizations should block executable attachments at the mail gateway, treat unsolicited emails with archives as suspect, keep endpoint security up to date, and monitor outbound traffic for anomalous connections.
Monitoring the processes this loader hollows is especially worthwhile: AddInProcess32.exe, InstallUtil.exe, and aspnet_wp.exe being launched in a suspended state by an unexpected parent is a strong signal. As these loaders keep evolving, proactive threat intelligence remains key to countering them.
Key Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| 011257eb766f2539828bdd45f8aa4ce3c4048ac2699d988329783290a7b4a0d3 | File (SHA-256) | QuirkyLoader DLL module |
| catherinereynolds[.]info | Domain | Domain used for the malspam campaign |
| 157.66.225.11 | IPv4 | Address the malspam domain resolves to |
| 103.75.77.90 | IPv4 | Related address sharing the TLS certificate |
| 161.248.178.212 | IPv4 | Related address sharing the TLS certificate |