
Research uncovers SSLoad and Cobalt Strike hijacking systems in detail


TLDR:

  • A multistage attack campaign tracked as FROZEN#SHADOW uses phishing emails to deliver the SSLoad malware loader.
  • SSLoad is then used to deploy Cobalt Strike and the legitimate ConnectWise ScreenConnect remote-access software.

In a report shared with The Hacker News, researchers detailed the attack campaign, which targets organizations in Asia, Europe, and the Americas through phishing emails containing malicious links. Clicking a link retrieves a JavaScript file that starts the infection chain. SSLoad then establishes itself on the host, drops backdoors and additional payloads to maintain persistence, and takes steps to avoid detection.

Two distribution methods for SSLoad were observed: one abuses website contact forms to deliver booby-trapped URLs, the other relies on macro-enabled Word documents. SSLoad acts as a conduit for Cobalt Strike, which in turn is used to install ScreenConnect, a legitimate remote-support tool that gives the attackers interactive control of the host. From there the attackers pivot to other systems in the network and eventually take over the victim's Windows domain by creating a domain administrator account.
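The chain above leaves a recognizable footprint in standard Windows event logs: a script host launched from a user-writable directory (the JavaScript stage), a ScreenConnect service installation (the remote-access stage), and a new member added to Domain Admins (the takeover stage). The following is an added detection example written for this page, not code from the researchers or from any vendor; the event records, hostnames, usernames and file paths are constructed for illustration, and the event IDs used (4688 process creation, 7045 service installation, 4728 group membership change) are the standard Windows ones.

```python
"""Added example: hunt for the FROZEN#SHADOW-style chain over Windows events.

The records below are constructed, simplified event fields; in practice they
would come from a SIEM or an EVTX/Sysmon export.
"""
import re

# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    # 4688: wscript.exe launched on a JavaScript file from the user's Downloads folder
    {"id": 4688, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a.user\Downloads\invoice.js"'},
    # 4688: a benign script host run from Program Files (should not match)
    {"id": 4688, "host": "WS02", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\login.vbs"'},
    # 7045: ScreenConnect client installed as a service
    {"id": 7045, "host": "WS01", "service": "ScreenConnect Client (example)",
     "path": r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe"},
    # 4728: a membership change that is not Domain Admins (should not match)
    {"id": 4728, "host": "DC01", "group": "Backup Operators", "member": "svc_backup"},
    # 4728: a newly created account added to Domain Admins
    {"id": 4728, "host": "DC01", "group": "Domain Admins", "member": "svc_backup2"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Matches paths under a user's Downloads or AppData tree, i.e. where a
# phishing download or a dropper would typically write its file.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.IGNORECASE)

# The stages of the chain, in the order they are expected to appear.
CHAIN_ORDER = [
    "script_initial_access",
    "remote_access_tool_installed",
    "domain_admin_added",
]


def stage_of(event):
    """Map one event to a chain stage name, or None if it is not of interest."""
    if event["id"] == 4688:
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(event["cmdline"]):
            return "script_initial_access"
    elif event["id"] == 7045:
        if "screenconnect" in event.get("service", "").lower():
            return "remote_access_tool_installed"
    elif event["id"] == 4728:
        if event.get("group", "").lower() == "domain admins":
            return "domain_admin_added"
    return None


def detect_chain(events):
    """Return the distinct stages seen, in the order they were first observed."""
    seen = []
    for event in events:
        stage = stage_of(event)
        if stage and stage not in seen:
            seen.append(stage)
    return seen


def chain_complete(stages):
    """True when every stage of the chain has been observed."""
    return all(stage in stages for stage in CHAIN_ORDER)


if __name__ == "__main__":
    stages = detect_chain(SAMPLE_EVENTS)
    print("stages observed:", stages)
    print("full chain:", chain_complete(stages))
```

Each rule is noisy on its own: ScreenConnect is widely used by legitimate IT teams, and script hosts run from AppData are common in enterprise software. The value is in the correlation, so a real deployment would scope the match to one host or one user and a bounded time window, and would treat the Domain Admins addition as an alert regardless of what preceded it.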

This multi-stage attack highlights the sophistication and persistence of threat actors targeting organizations worldwide. The level of access achieved, a domain administrator account under attacker control, means every credential in the domain has to be treated as compromised, which makes remediation a costly and time-consuming process for affected organizations.
