DeepLoad Malware Employs ClickFix and WMI for Credential Theft

A new malware loader, DeepLoad, utilizes social engineering and advanced evasion techniques to steal browser credentials and maintain persistence on infected systems.

A new malware loader known as DeepLoad has emerged, leveraging the ClickFix social engineering tactic to distribute itself. This malware is reported to employ sophisticated techniques, including AI-assisted obfuscation and process injection, to evade detection and initiate credential theft immediately.

Attack Vector and Initial Compromise

The attack begins with a ClickFix lure that deceives users into executing PowerShell commands. Victims are tricked into pasting commands into the Windows Run dialog under the guise of resolving a fictitious issue. This process utilizes mshta.exe, a legitimate Windows utility, to download and execute an obfuscated PowerShell loader.

Malware Evasion Techniques

DeepLoad is designed to blend in with normal Windows operations, injecting its payload into LockAppHost.exe, a legitimate Windows executable that manages the lock screen. The malware also disables PowerShell command history and calls core Windows functions directly, so that the usual script-level telemetry monitoring systems rely on records little or nothing of its activity.

Additionally, DeepLoad builds a secondary component at runtime with PowerShell's Add-Type feature, which compiles embedded C# source and loads the result. The compiled code lands as a temporary Dynamic Link Library (DLL) in the user's Temp directory, so security tools that key on known file names have nothing stable to match against.
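The chain described in the two sections above (Run dialog, mshta.exe, PowerShell loader, Add-Type compilation) leaves a distinctive process-creation trail. The following added example, which is not from the article and not DeepLoad's own code, runs three detection rules over constructed key=value log lines modelled on Sysmon Event ID 1 fields. The paths, the example.invalid URL and the field layout are assumptions; the explorer.exe parent is what Windows records for a command typed into the Run dialog, and csc.exe under powershell.exe is what an Add-Type compilation produces.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs): key=value records modelled on
# Sysmon Event ID 1 (process creation). Paths, user name and URL are made up.
SAMPLE_LOG = r"""EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine="mshta.exe https://example.invalid/fix"
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine="powershell.exe -w hidden -ep bypass -e AAAA"
EventID=1 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\abcd1234.cmdline"
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe report.txt"
EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage="C:\Program Files\App\app.exe" CommandLine="mshta.exe C:\Program Files\App\ui.hta"
"""

# key=value pairs; values containing spaces are double-quoted in this format
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single process-creation event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []

    # Run dialog (explorer.exe) launching mshta.exe against a remote URL:
    # the ClickFix pattern. A local .hta started by an installed app does not fire.
    if image == "mshta.exe" and parent == "explorer.exe" and URL_RE.search(cmdline):
        hits.append("clickfix_mshta_remote")

    # mshta.exe handing off to PowerShell: the obfuscated loader stage.
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("mshta_spawned_powershell")

    # PowerShell invoking the C# compiler with a response file under Temp:
    # what Add-Type does when it compiles source into a temporary DLL.
    if image == "csc.exe" and parent == "powershell.exe" and "\\temp\\" in cmdline.lower():
        hits.append("addtype_compile_in_temp")

    return hits


def detect(log_text: str) -> List[Tuple[int, str]]:
    """Run all rules over a log; returns (line number, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("EventID") != "1":
            continue
        for rule in classify(event):
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in detect(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```

Lines 4 and 5 of the sample are there as negatives: a plain explorer.exe child and a locally installed application that legitimately uses mshta.exe with an on-disk .hta. Matching on the parent and on the presence of a URL is what keeps the first rule from firing on that benign use; on a real fleet you would also want to correlate the three hits by process GUID rather than treat each in isolation.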

Credential Theft and Persistence

The primary function of DeepLoad is to facilitate the theft of browser credentials. It extracts passwords from browsers and installs a malicious browser extension that captures credentials entered on login pages. This extension persists across user sessions unless manually removed.

Moreover, DeepLoad can detect when removable media, such as USB drives, are connected and can replicate itself using deceptive file names like ChromeSetup.lnk and Firefox Installer.lnk. This allows the malware to spread further when unsuspecting users double-click these files.

Reinfection Mechanism

DeepLoad employs Windows Management Instrumentation (WMI) to reinfect a cleaned host three days after the original infection, with no further user or attacker interaction. It establishes a WMI event subscription that quietly runs the attack again; because the relaunch is triggered by WMI rather than started by the original malware process, it breaks the parent-child process chain that detection rules typically rely on.
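A WMI event subscription is three linked objects in the root\subscription namespace: an __EventFilter (the trigger), an event consumer (the action) and a __FilterToConsumerBinding tying them together. The following added example, which is not from the article and not DeepLoad's own code, triages constructed records modelled on the fields Sysmon logs for these objects (Event IDs 19, 20 and 21) and flags bindings whose consumer executes commands, whose command runs a script host, or whose filter is time based. The sample names, the delayed time-based filter and the field layout are assumptions; the article does not say which trigger DeepLoad uses for its three-day delay.

```python
import re
from typing import Dict, List

# Constructed records (not real telemetry) modelled on Sysmon Event ID 19
# (WMI filter), 20 (WMI consumer) and 21 (filter-to-consumer binding).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "19", "Operation": "Created", "Name": "SysUpdFilter",
     "EventNamespace": r"root\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 3"},
    {"EventID": "20", "Operation": "Created", "Name": "SysUpdConsumer",
     "Type": "Command Line", "Destination": "powershell.exe -w hidden -ep bypass -e AAAA"},
    {"EventID": "21", "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="SysUpdConsumer"',
     "Filter": '__EventFilter.Name="SysUpdFilter"'},
    # A benign-looking subscription that only writes to the event log.
    {"EventID": "19", "Operation": "Created", "Name": "DiskSpaceFilter",
     "EventNamespace": r"root\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 600 "
              "WHERE TargetInstance ISA 'Win32_LogicalDisk'"},
    {"EventID": "20", "Operation": "Created", "Name": "DiskSpaceLog",
     "Type": "NT Event Log", "Destination": "Low disk space on volume"},
    {"EventID": "21", "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="DiskSpaceLog"',
     "Filter": '__EventFilter.Name="DiskSpaceFilter"'},
]

# Binding references look like ClassName.Name="InstanceName"
REF_RE = re.compile(r'^(\w+)\.Name="([^"]+)"$')
# Consumer classes that run arbitrary code when their filter fires
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Script hosts and living-off-the-land binaries worth flagging in a consumer
SCRIPT_HOSTS = ("powershell", "mshta", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32")
# Classes commonly polled to build a clock- or uptime-based trigger
TIMER_HINTS = ("win32_localtime", "__timerevent", "win32_perfformatteddata_perfos_system")


def triage_wmi_subscriptions(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Resolve each binding to its filter and consumer and score it."""
    filters = {e["Name"]: e for e in events if e["EventID"] == "19"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == "20"}
    findings: List[Dict[str, object]] = []

    for binding in (e for e in events if e["EventID"] == "21"):
        consumer_ref = REF_RE.match(binding.get("Consumer", ""))
        filter_ref = REF_RE.match(binding.get("Filter", ""))
        if not consumer_ref or not filter_ref:
            continue
        consumer_class, consumer_name = consumer_ref.groups()
        _, filter_name = filter_ref.groups()
        reasons: List[str] = []

        if consumer_class in EXEC_CONSUMERS:
            reasons.append(f"executing consumer ({consumer_class})")
        # .get() keeps working if the consumer or filter was created before
        # the log window started and only the binding is visible.
        destination = consumers.get(consumer_name, {}).get("Destination", "").lower()
        if any(host in destination for host in SCRIPT_HOSTS):
            reasons.append("destination runs a script host")
        query = filters.get(filter_name, {}).get("Query", "").lower()
        if any(hint in query for hint in TIMER_HINTS):
            reasons.append("time-based trigger")

        if reasons:
            findings.append({
                "consumer": consumer_name,
                "filter": filter_name,
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_wmi_subscriptions(SAMPLE_EVENTS):
        print(finding)
```

The second subscription in the sample is the kind of thing management software legitimately installs, and it produces no finding because nothing about it executes code. On a live host the same three object types can be enumerated directly with Get-CimInstance against the root/subscription namespace (classes __EventFilter, __FilterToConsumerBinding and the consumer classes), which is the check to run when a machine that was cleaned shows the same infection again days later.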

The overall goal of DeepLoad appears to be the deployment of versatile malware capable of executing various malicious actions while evading detection. This includes avoiding the creation of detectable artifacts on disk, blending into legitimate Windows processes, and facilitating rapid propagation across systems.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
