Beware of PhantomLoader: A Powerful New Malware That Disguises itself as Antivirus


Cybersecurity firm Any.Run has conducted a comprehensive analysis of how some hackers are using a previously unknown loader called PhantomLoader to infect computers with SSLoad malware, a very powerful piece of malware that is notably good at evading security controls and analysis tools. The two programs are combined with a phishing attack that tricks the victim into downloading a Word file containing malicious code.

PhantomLoader is a loader that impersonates a DLL or .exe file and installs as a file called "WINWORD.EXE" from the antivirus program "360 Total Security". The program itself is genuine, but the file has been patched so that the malware can extract the data it needs from it. The loader is added to a legitimate DLL file by applying a binary patch to the file and using self-modification techniques to avoid detection, according to security analysts at Intezer.

Any.Run defines it as follows: “What makes PhantomLoader unique is that it is added to be part of a legitimate DLL or executable of a known program by applying a binary patch to the DLL or executable and adding an auto-modification technique. The latter decodes a piece of embedded code, which SSLoad then decodes and loads into memory.”
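The technique described above, a binary patch applied to an otherwise legitimate vendor DLL, has a useful defensive consequence: the patched copy no longer matches the vendor's pristine file, so a byte-level comparison against a known-good copy reveals exactly where the modification landed and whether data was appended. The Python below is an added example, not code from Any.Run, Intezer or this article. The "pristine" and "suspect" byte buffers are constructed stand-ins, not real 360 Total Security or PhantomLoader content, and the region-merging threshold is an assumption chosen for illustration.

```python
"""Locate byte-level patches in a binary by diffing it against a pristine copy."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash used for the quick allowlist comparison."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(pristine: bytes, suspect: bytes, merge_gap: int = 8) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where `suspect` differs from `pristine`.

    Differing bytes separated by at most `merge_gap` unchanged bytes are merged
    into one region, so a patch that leaves a few original bytes intact still
    shows up as a single block. Bytes appended beyond the pristine length are
    reported as one extra region.
    """
    regions: List[Tuple[int, int]] = []
    common = min(len(pristine), len(suspect))
    start = None
    last_diff = 0
    for i in range(common):
        if pristine[i] == suspect[i]:
            continue
        if start is None:
            start = i
        elif i - last_diff > merge_gap:
            regions.append((start, last_diff - start + 1))
            start = i
        last_diff = i
    if start is not None:
        regions.append((start, last_diff - start + 1))
    if len(suspect) > len(pristine):
        regions.append((common, len(suspect) - common))
    return regions


def assess(pristine: bytes, suspect: bytes) -> Dict[str, object]:
    """Summarise the comparison: hash match, patched regions, truncation."""
    return {
        "hash_match": sha256_hex(pristine) == sha256_hex(suspect),
        "regions": diff_regions(pristine, suspect),
        "truncated_bytes": max(0, len(pristine) - len(suspect)),
    }


# Constructed sample data: a 1024-byte buffer standing in for the vendor DLL,
# and a copy with a 16-byte overwrite, one flipped byte nearby, and a 32-byte tail.
PRISTINE = bytes(range(256)) * 4
_patched = bytearray(PRISTINE)
_patched[0x100:0x110] = b"\x90" * 16   # overwritten block (constructed)
_patched[0x117] ^= 0xFF                # flipped byte 8 bytes after the block
_patched += b"\x00" * 32               # appended blob (constructed)
SUSPECT = bytes(_patched)


if __name__ == "__main__":
    report = assess(PRISTINE, SUSPECT)
    print("hash match:", report["hash_match"])
    for offset, length in report["regions"]:
        print(f"patched region at 0x{offset:x}, {length} bytes")
    if report["truncated_bytes"]:
        print("suspect is truncated by", report["truncated_bytes"], "bytes")
```

In practice the pristine copy comes from the vendor installer or a golden image, and the reported offsets can then be mapped to PE sections with a PE parser to see whether the patch sits in code, in resources, or in an overlay.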

On the other hand, SSLoad is malware programmed to remain unnoticed on the infected device. In fact, it is able to modify its behavior if it detects that other programs, such as antivirus software, are stopping or changing its processes, in order to avoid detection.

- How can it infect your device?

First, the phishing email prompts the victim to download a malicious Word document. If the user opens it, the embedded code installs the PhantomLoader and SSLoad files on the computer.

Once the malware is installed, SSLoad begins collecting information about the operating system and its configuration, in order to adapt to the environment and operate differently to ensure success on the user’s system. Once this is done, SSLoad connects to the hackers’ command and control (C2) server, using an encrypted connection that prevents network security tools from detecting suspicious activity.

Once a connection is established with the attackers' servers, they can use the channel to send more malware, steal data, or perform other activities of their interest on the infected computer.
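The infection chain described in the three paragraphs above starts with a Word document that drops and runs the loader on disk. A common defensive check for that first step is to flag process-creation events in which an Office application launches an executable from a user-writable location. The Python below is an added example, not code from Any.Run or this article; the events are constructed samples whose field names only mimic Sysmon process-creation records, and the set of Office parents and writable-path markers are assumptions for illustration.

```python
"""Flag process-creation events where an Office process spawns a child from a user-writable path."""
from typing import Dict, List

# Constructed sample events (Sysmon-like field names, made-up values).
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\splwow64.exe"},   # benign print helper
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\Downloads\helper.exe"},
]

# Assumed parent set and path markers; tune these to the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\downloads\\", "\\temp\\")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path sit under a location a normal user can write to?"""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def suspicious_office_children(events: List[Dict[str, str]]) -> List[str]:
    """Return the child image paths that an Office parent launched from a writable dir."""
    hits = []
    for event in events:
        if basename(event["ParentImage"]) in OFFICE_PARENTS and is_user_writable(event["Image"]):
            hits.append(event["Image"])
    return hits


if __name__ == "__main__":
    for image in suspicious_office_children(EVENTS):
        print("ALERT: Office application launched", image)
```

The same rule is easy to express in a SIEM query; the point of the heuristic is that legitimate Office helper processes live under Program Files or System32, so a child under AppData, Downloads or Temp deserves a look.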

The analysis of this malware reminds us once again of the importance of not downloading and running files from sources we do not know, as well as the need for antivirus software to be able to identify new malware families that are designed to go unnoticed.
