BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

SSLoad

ssload
109
Global rank
93 infographic chevron month
Month rank
114 infographic chevron week
Week rank
0
IOCs

SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.

Loader
Type
Unknown
Origin
1 January, 2024
First seen
12 September, 2024
Last seen

How to analyze SSLoad with ANY.RUN

Loader
Type
Unknown
Origin
1 January, 2024
First seen
12 September, 2024
Last seen

IOCs

IP addresses
23.95.209.148
Domains
23-95-209-148-host.colocrossing.com
bjsdg0.pintaexoticfashion.co.in
l1-03.winupdate.us.to
t0talwar.screenconnect.com
tjx-usa.com
Last Seen at
12 September, 2024
Malicious activity
4c380b1c9202405487e7b5926d6c571d7aa2d2db94467aaef78e383f53a768ba
evasion
ssload
17 August, 2024
Malicious activity
phantom_loader.bin
evasion
ssload
17 August, 2024
Malicious activity
phantom_loader.bin
evasion
ssload
8 August, 2024
Malicious activity
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f.dll
evasion
ssload
5 July, 2024
Malicious activity
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f.dll
evasion
ssload
loader
backdoor
1 July, 2024
Malicious activity
2024-04-18-SSLoad-DLL.bin
telegram
ssload
loader
backdoor
evasion
20 June, 2024
Malicious activity
815471c1c6f508bdbca888de437d7368385fa9943e61faf956e0f17c22b728c5.dll
ssload
loader
backdoor
12 June, 2024
Malicious activity
Incident_Harassment.doc
macros
macros-on-close
evasion
ssload
loader
backdoor
12 June, 2024
Malicious activity
forcedelctl.dll
evasion
ssload
loader
backdoor
12 June, 2024
Malicious activity
avp.msi
ssload
loader
backdoor
evasion
TRACK THEM ALL AT
Public Submissions
Last Seen at
12 September, 2024
Malicious activity
4c380b1c9202405487e7b5926d6c571d7aa2d2db94467aaef78e383f53a768ba
evasion
ssload
17 August, 2024
Malicious activity
phantom_loader.bin
evasion
ssload
17 August, 2024
Malicious activity
phantom_loader.bin
evasion
ssload
8 August, 2024
Malicious activity
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f.dll
evasion
ssload
5 July, 2024
Malicious activity
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f.dll
evasion
ssload
loader
backdoor
1 July, 2024
Malicious activity
2024-04-18-SSLoad-DLL.bin
telegram
ssload
loader
backdoor
evasion
20 June, 2024
Malicious activity
815471c1c6f508bdbca888de437d7368385fa9943e61faf956e0f17c22b728c5.dll
ssload
loader
backdoor
12 June, 2024
Malicious activity
Incident_Harassment.doc
macros
macros-on-close
evasion
ssload
loader
backdoor
12 June, 2024
Malicious activity
forcedelctl.dll
evasion
ssload
loader
backdoor
12 June, 2024
Malicious activity
avp.msi
ssload
loader
backdoor
evasion
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
New PhantomLoader Malware Distributes SSLoad:...
watchers 640
comments 0
post image
Release Notes: Safebrowsing, Private AI Assis...
watchers 1127
comments 0
post image
TI Lookup: Real-World Use Cases from a Malwa...
watchers 1140
comments 0

Contents

  • What is SSLoad malware?
  • SSLoad malware technical details
  • Ssload execution process
  • SSLoad malware distribution methods
  • Conclusion

Recent blog posts

post image
New PhantomLoader Malware Distributes SSLoad:...
watchers 640
comments 0
post image
Release Notes: Safebrowsing, Private AI Assis...
watchers 1127
comments 0
post image
TI Lookup: Real-World Use Cases from a Malwa...
watchers 1140
comments 0

What is SSLoad malware?

SSLoad is a malware loader known for its complex attack techniques. Its delivery methods and infiltration techniques vary with each deployment, making it challenging for malware hunters to detect.

This loader has been active since January 2024. Recent reports indicate that SSLoad has been used to deploy Cobalt Strike, a popular adversary simulation software often utilized for post-exploitation activities. In one of campaigns, the attackers employed the DLL side-loading technique, involving a decoy Word document that delivers the SSLoad DLL.

Another reported attack utilized an MSI installer distributed via a phishing email that redirected victims to a fake Azure page. From there, a JavaScript script was downloaded, which in turn downloaded the MSI installer, eventually loading the SSLoad payload.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

SSLoad malware technical details

SSLoad’s primary function is to download and execute additional malicious payloads on the compromised system.

Some of the key capabilities of SSLoad malware include:

  • Collecting detailed information about the infected system, such as hardware specifications, software versions, and network details.
  • Transmitting detailed system information to attackers.
  • Maintaining long-term access through registry modifications, scheduled tasks, or DLL side-loading.
  • Using obfuscation, in-memory execution, and checking for virtual environments to evade detection.
  • Communicating with its C2 server via encrypted HTTP/HTTPS protocols to receive commands and download further payloads.

Early versions of SSLoad malware initially connected to a Telegram channel named "SSLoad" using the first-stage DLL to retrieve an additional URL.

Upon establishing this connection, the malware would download a compressed PE file, utilizing specific User-Agent and Content-Type headers over HTTP. The downloaded file was then decompressed and executed directly in memory, bypassing traditional disk-based detection methods.

Since its inception, SSLoad has undergone several updates, evolving its command-and-control (C2) communication strategies and altering the supporting executables used to load the malware.

Recent versions of SSLoad avoid the first-stage DLL and load the malware directly into the victim’s machine, making detection even more challenging.

Infectious files used by the attackers come in different formats, including compressed archives (e.g., ZIP, RAR), executables (.exe, .bat), documents (e.g., PDF, Microsoft Office files), and scripts such as JavaScript.

Once a user opens, runs, or interacts with one of these malicious files, the infection chain is triggered, leading to the deployment of SSLoad and other associated malware.

Ssload execution process

The execution chain of SSLoad malware involves a series of steps designed to infiltrate systems, gather intelligence, and deploy additional payloads. SSLoad is often delivered through phishing emails containing malicious attachments.

One of the common methods includes a decoy Word document. Let’s run a sample in the ANY.RUN sandbox to observe this method.

SSload report in ANY.RUN Malicious Word document analyzed in ANY.RUN sandbox

When opened, you can notice how the Word document executes a DLL file associated with SSLoad.

Another approach involves a phishing email that directs users to a fake Azure page, leading to the download of a JavaScript file, which then downloads an MSI installer containing the SSLoad payload.

Let’s run another sample of the SSLoad malware in the ANY.RUN sandbox to observe this execution method: MSI installer containing SSLoad malware:

SSload report in ANY.RUN SSLoad process graph with MSI installer in ANY.RUN

The MSI installer plays a crucial role in the execution chain. Upon execution, it initiates a series of actions that deploy the SSLoad payload. This installer is designed to execute specific custom actions that facilitate the malware's installation and operation on the victim's machine. Once the MSI installer is run, it extracts and executes the SSLoad payload, typically a Rust-based executable.

The payload first checks for existing instances of itself on the machine by creating a mutex. If the mutex is found, the malware ceases execution to avoid running multiple instances. After confirming it is the only instance running, SSLoad conducts reconnaissance to gather information about the infected system, transmitting this data back to its operators. SSLoad can deliver further payloads, such as Cobalt Strike, which is used for lateral movement and further exploitation within the network.

SSLoad employs various techniques to evade detection and analysis. For instance, it checks the Process Environment Block (PEB) for the BeingDebugged flag, which indicates if the process is being monitored. If it detects debugging, it can alter its behavior to avoid analysis.

The SSLoad malware may also use the Task Scheduler for time-based evasion, such as delaying execution until a specific time or event. You can run the sample and analyze its behavior here: DLL file execution:

SSload report in ANY.RUN SSLoad process graph with DLL file in ANY.RUN

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

SSLoad malware distribution methods

Similar to other loaders, like PrivateLoader and GuLoader, cybercriminals may use a variety of methods to spread SSLoad. Phishing and social engineering are the primary tactics, where malware is often disguised as or bundled with seemingly legitimate content to trick users into downloading and executing it.

Key methods include:

  • Phishing emails: Malicious links or attachments in emails that appear to be from trusted sources.
  • Malicious attachments: Files like Word documents, PDFs, or Excel sheets that execute SSLoad when opened.
  • Compromised websites: Sites that trick users into downloading SSLoad.
  • Malicious scripts: JavaScript or other scripts that download and execute SSLoad when triggered.
  • File bundling: SSLoad is bundled with seemingly harmless software or cracked applications, installing when these are run.

Conclusion

SSLoad is a stealthy and malicious loader that poses a significant detection challenge due to its varied distribution methods and sophisticated infiltration techniques.

ANY.RUN is a powerful cloud-based service that enables safe analysis of malicious files, including those infected with SSLoad. It provides a secure environment to observe malware behavior and collect indicators of compromise (IOCs). By using ANY.RUN, you can gain valuable insights into SSLoad’s deployment tactics and strengthen your defenses against it.

Sign up for your free ANY.RUN account today!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More