A contemporary cyber campaign is using a deceptive method known as ClickFix to distribute a previously undocumented malware loader called DeepLoad, raising fresh concerns about newly engineered attack techniques.
Researchers from ReliaQuest report that the malware is designed with advanced evasion capabilities. It likely incorporates AI-assisted obfuscation to make analysis more difficult and relies on process injection to avoid detection by conventional security tools. Alarmingly, the malware begins stealing credentials almost immediately after execution, capturing passwords and active session data even if the initial infection stage is interrupted.
The attack chain starts with a ClickFix lure, where users are misled into copying and executing a PowerShell command via the Windows Run dialog. The instruction is presented as a solution to a problem that does not actually exist. Once executed, the command leverages “mshta.exe,” a legitimate Windows binary, to download and launch a heavily obfuscated PowerShell-based loader.
To conceal its true purpose, the loader’s code is filled with irrelevant and misleading variable assignments. This approach is believed to have been enhanced using artificial intelligence tools to generate complex obfuscation layers that can bypass static analysis systems.
DeepLoad is carefully engineered to blend into normal system behavior. It disguises its payload as “LockAppHost.exe,” a legitimate Windows process responsible for managing the system lock screen, making its activity less suspicious to both users and security tools.
The malware also attempts to erase traces of its execution. It disables PowerShell command history and avoids standard PowerShell functions. Instead, it directly calls underlying Windows system functions to execute processes and manipulate memory, effectively bypassing monitoring mechanisms that track PowerShell activity.
To further evade detection, DeepLoad dynamically creates a secondary malicious component. By using PowerShell’s Add-Type feature, it compiles C# code during runtime, generating a temporary Dynamic Link Library (DLL) file in the system’s Temp directory. Each time the malware runs, this DLL is created with a different name, making it difficult for security solutions to detect based on file signatures.
Another key technique used is asynchronous procedure call (APC) injection. This allows the malware to execute its payload within a legitimate Windows process without writing a fully decoded malicious file to disk. It achieves this by launching a trusted process in a suspended state, injecting malicious code into its memory, and then resuming execution.
DeepLoad’s primary objective is to steal user credentials. It extracts saved passwords from web browsers and deploys a malicious browser extension that intercepts login information as users type it into websites. This extension remains active across sessions unless it is manually removed.
The malware also includes a propagation mechanism. When it detects the connection of removable media such as USB drives, it copies malicious shortcut files onto the device. These files use deceptive names like “ChromeSetup.lnk,” “Firefox Installer.lnk,” and “AnyDesk.lnk” to appear legitimate and trick users into executing them.
Persistence is achieved through Windows Management Instrumentation (WMI). The malware sets up a mechanism that can reinfect a system even after it appears to have been cleaned, typically after a delay of several days. This technique also disrupts standard detection methods by breaking the usual parent-child process relationships that security tools rely on.
Overall, DeepLoad appears to be designed as a multi-functional threat capable of operating across several stages of a cyberattack lifecycle. Its abil
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: