Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

SSLoad

116
Global rank
105 infographic chevron month
Month rank
120 infographic chevron week
Week rank
0
IOCs

SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.

Loader
Type
Unknown
Origin
1 January, 2024
First seen
1 December, 2024
Last seen

How to analyze SSLoad with ANY.RUN

Type
Unknown
Origin
1 January, 2024
First seen
1 December, 2024
Last seen

IOCs

IP addresses
85.239.53.219
23.95.209.148
Domains
23-95-209-148-host.colocrossing.com
bjsdg0.pintaexoticfashion.co.in
l1-03.winupdate.us.to
t0talwar.screenconnect.com
tjx-usa.com
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 269
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1412
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1848
comments 0

What is SSLoad malware?

SSLoad is a malware loader known for its complex attack techniques. Its delivery methods and infiltration techniques vary with each deployment, making it challenging for malware hunters to detect.

This loader has been active since January 2024. Recent reports indicate that SSLoad has been used to deploy Cobalt Strike, a popular adversary simulation software often utilized for post-exploitation activities. In one of campaigns, the attackers employed the DLL side-loading technique, involving a decoy Word document that delivers the SSLoad DLL.

Another reported attack utilized an MSI installer distributed via a phishing email that redirected victims to a fake Azure page. From there, a JavaScript script was downloaded, which in turn downloaded the MSI installer, eventually loading the SSLoad payload.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

SSLoad malware technical details

SSLoad’s primary function is to download and execute additional malicious payloads on the compromised system.

Some of the key capabilities of SSLoad malware include:

  • Collecting detailed information about the infected system, such as hardware specifications, software versions, and network details.
  • Transmitting detailed system information to attackers.
  • Maintaining long-term access through registry modifications, scheduled tasks, or DLL side-loading.
  • Using obfuscation, in-memory execution, and checking for virtual environments to evade detection.
  • Communicating with its C2 server via encrypted HTTP/HTTPS protocols to receive commands and download further payloads.

Early versions of SSLoad malware initially connected to a Telegram channel named "SSLoad" using the first-stage DLL to retrieve an additional URL.

Upon establishing this connection, the malware would download a compressed PE file, utilizing specific User-Agent and Content-Type headers over HTTP. The downloaded file was then decompressed and executed directly in memory, bypassing traditional disk-based detection methods.

Since its inception, SSLoad has undergone several updates, evolving its command-and-control (C2) communication strategies and altering the supporting executables used to load the malware.

Recent versions of SSLoad avoid the first-stage DLL and load the malware directly into the victim’s machine, making detection even more challenging.

Infectious files used by the attackers come in different formats, including compressed archives (e.g., ZIP, RAR), executables (.exe, .bat), documents (e.g., PDF, Microsoft Office files), and scripts such as JavaScript.

Once a user opens, runs, or interacts with one of these malicious files, the infection chain is triggered, leading to the deployment of SSLoad and other associated malware.

Ssload execution process

The execution chain of SSLoad malware involves a series of steps designed to infiltrate systems, gather intelligence, and deploy additional payloads. SSLoad is often delivered through phishing emails containing malicious attachments.

One of the common methods includes a decoy Word document. Let’s run a sample in the ANY.RUN sandbox to observe this method.

SSload report in ANY.RUN Malicious Word document analyzed in ANY.RUN sandbox

When opened, you can notice how the Word document executes a DLL file associated with SSLoad.

Another approach involves a phishing email that directs users to a fake Azure page, leading to the download of a JavaScript file, which then downloads an MSI installer containing the SSLoad payload.

Let’s run another sample of the SSLoad malware in the ANY.RUN sandbox to observe this execution method: MSI installer containing SSLoad malware:

SSload report in ANY.RUN SSLoad process graph with MSI installer in ANY.RUN

The MSI installer plays a crucial role in the execution chain. Upon execution, it initiates a series of actions that deploy the SSLoad payload. This installer is designed to execute specific custom actions that facilitate the malware's installation and operation on the victim's machine. Once the MSI installer is run, it extracts and executes the SSLoad payload, typically a Rust-based executable.

The payload first checks for existing instances of itself on the machine by creating a mutex. If the mutex is found, the malware ceases execution to avoid running multiple instances. After confirming it is the only instance running, SSLoad conducts reconnaissance to gather information about the infected system, transmitting this data back to its operators. SSLoad can deliver further payloads, such as Cobalt Strike, which is used for lateral movement and further exploitation within the network.

SSLoad employs various techniques to evade detection and analysis. For instance, it checks the Process Environment Block (PEB) for the BeingDebugged flag, which indicates if the process is being monitored. If it detects debugging, it can alter its behavior to avoid analysis.

The SSLoad malware may also use the Task Scheduler for time-based evasion, such as delaying execution until a specific time or event. You can run the sample and analyze its behavior here: DLL file execution:

SSload report in ANY.RUN SSLoad process graph with DLL file in ANY.RUN

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

SSLoad malware distribution methods

Similar to other loaders, like PrivateLoader and GuLoader, cybercriminals may use a variety of methods to spread SSLoad. Phishing and social engineering are the primary tactics, where malware is often disguised as or bundled with seemingly legitimate content to trick users into downloading and executing it.

Key methods include:

  • Phishing emails: Malicious links or attachments in emails that appear to be from trusted sources.
  • Malicious attachments: Files like Word documents, PDFs, or Excel sheets that execute SSLoad when opened.
  • Compromised websites: Sites that trick users into downloading SSLoad.
  • Malicious scripts: JavaScript or other scripts that download and execute SSLoad when triggered.
  • File bundling: SSLoad is bundled with seemingly harmless software or cracked applications, installing when these are run.

Conclusion

SSLoad is a stealthy and malicious loader that poses a significant detection challenge due to its varied distribution methods and sophisticated infiltration techniques.

ANY.RUN is a powerful cloud-based service that enables safe analysis of malicious files, including those infected with SSLoad. It provides a secure environment to observe malware behavior and collect indicators of compromise (IOCs). By using ANY.RUN, you can gain valuable insights into SSLoad’s deployment tactics and strengthen your defenses against it.

Sign up for your free ANY.RUN account today!

HAVE A LOOK AT

Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More