A recently discovered malware family capable of stealing credentials and of intercepting browser interactions has been distributed using the ClickFix technique, ReliaQuest reports.
Dubbed DeepLoad, the malware first emerged on a dark web cybercrime forum in early February, when ZeroFox saw it advertised as “a centralized panel for multiple types of malware”.
The threat was described as capable of replacing cryptocurrency wallet applications and browser extensions with fake variants, of stealing victims’ credentials, and of installing a fraudulent browser extension.
“DeepLoad’s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment,” ZeroFox said in February.
Now, ReliaQuest says it observed the first in-the-wild campaign distributing DeepLoad to Windows systems, through the infamous ClickFix technique.
As part of the campaign, the victims were served fake browser error messages instructing them to paste a command in Windows Run or a terminal to resolve a fake issue. The command resulted in the persistent execution of a PowerShell loader that dropped DeepLoad on the system.
The malware was seen generating the secondary component on the fly, in the form of a DLL dropped in the Temp directory. Compiled on every execution and dropped with a different file name, the DLL evades detection.
“The loader also wipes its own tracks by disabling PowerShell command history and calling Windows core functions directly instead of relying on PowerShell’s built-in commands, quietly sidestepping the most common monitoring hooks,” ReliaQuest notes.
To blend into trusted Windows activity, DeepLoad was injected inside the legitimate lock screen management process LockAppHost.exe using asynchronous procedure call (APC) injection.
ReliaQuest points out that this method allows the malware to evade detection because the injected process is typically not monitored by security tools, and because the payload is executed in memory without a decoded payload written to disk.
DeepLoad was designed to steal the victim’s credentials right from the start, through a standalone credential stealer executed alongside the main loader. Credential exfiltration is also separated from the loader’s command-and-control (C&C) communication.
Additionally, the malware would drop a rogue browser extension to intercept “everything a user does, putting everything from active logins and open tabs to session tokens and saved passwords at risk,” ReliaQuest notes.
The cybersecurity firm also observed the malware spreading via USB drives, although it could not determine whether the functionality was implemented inside DeepLoad or staged by its operator.
Related: Venom Stealer Raises Stakes With Continuous Credential Harvesting
Related: 900 Sangoma FreePBX Instances Infected With Web Shells
Related: ‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks
Related: VoidLink Linux Malware Framework Targets Cloud Environments
