New DeepLoad Malware Discovered in Recent ClickFix Cyber Attacks
DeepLoad Malware Campaign Uses ClickFix Technique to Distribute Malicious Software
A newly identified malware family known as DeepLoad has been observed being distributed using the ClickFix technique, according to a report by ReliaQuest. The malware is capable of stealing credentials and intercepting browser interactions.
- DeepLoad can replace cryptocurrency wallet applications and browser extensions with fake variants, steal victims’ credentials, and install a fraudulent browser extension.
Campaign Distribution Method
ReliaQuest observed the first in-the-wild campaign distributing DeepLoad to Windows systems, utilizing the infamous ClickFix technique. In this campaign, victims were presented with fake browser error messages instructing them to paste a command in Windows Run or a terminal to resolve a fake issue.
The command resulted in the persistent execution of a PowerShell loader that dropped DeepLoad on the system.
- The loader generates a secondary component on the fly: a DLL dropped in the Temp directory. Because this DLL is recompiled on every execution and written under a different file name each time, file-name and hash-based detection is unreliable against it.
- The loader also covers its tracks by disabling PowerShell command history and by calling Windows API functions directly rather than through PowerShell’s built-in cmdlets, quietly sidestepping the most common monitoring hooks.
Evasion Techniques
To blend in with trusted Windows activity, DeepLoad injects itself inside the legitimate lock screen management process LockAppHost.exe using asynchronous procedure call (APC) injection.
- This method helps the malware evade detection because the host process is typically not monitored by security tools, and because the payload runs in memory without a decoded copy ever being written to disk.
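The loader and injection behaviours described above can be turned into endpoint telemetry hunts. The following is an added example, not code from the ReliaQuest report: it triages constructed Sysmon-style records for three indicators the article describes (PowerShell history disabled, a DLL dropped under Temp by PowerShell, and a process opening LockAppHost.exe). The record layout, field names and patterns are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal Sysmon-style record (assumed layout for this example)."""
    event_id: int        # 1 = process create, 10 = process access, 11 = file create
    image: str           # process performing the action
    target: str = ""     # accessed image (event 10) or created file (event 11)
    cmdline: str = ""    # command line (event 1)

# Indicators derived from the behaviours in the article; exact patterns are assumptions.
HISTORY_OFF = re.compile(r"HistorySaveStyle\s+SaveNothing", re.I)   # PSReadLine history disabled
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.I)  # DLL dropped in user Temp
INJECT_TARGET = "lockapphost.exe"                                      # APC injection host
PS_IMAGES = ("powershell.exe", "pwsh.exe")

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def triage(events):
    """Return (rule, detail) pairs for events matching the loader indicators."""
    hits = []
    for ev in events:
        img = _basename(ev.image)
        if ev.event_id == 1 and img in PS_IMAGES and HISTORY_OFF.search(ev.cmdline):
            hits.append(("ps_history_disabled", ev.cmdline))
        elif ev.event_id == 11 and img in PS_IMAGES and TEMP_DLL.search(ev.target):
            hits.append(("temp_dll_dropped_by_powershell", ev.target))
        elif ev.event_id == 10 and _basename(ev.target) == INJECT_TARGET:
            # Few processes legitimately open LockAppHost.exe; baseline known accessors in production.
            hits.append(("lockapphost_process_access", ev.image))
    return hits

# Constructed records, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, cmdline='powershell -w hidden -c "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Start-Sleep 1"'),
    Event(11, PS, target=r"C:\Users\alice\AppData\Local\Temp\q3f8a1.dll"),
    Event(10, PS, target=r"C:\Windows\System32\LockAppHost.exe"),
    Event(1, r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule fires on its own, so a single hit is a lead to investigate; all three from the same host within minutes is the pattern the article describes.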
Credential Stealing and Rogue Browser Extension
DeepLoad is designed to steal the victim’s credentials right from the start, through a standalone credential stealer executed alongside the main loader.
- Credential exfiltration is also separated from the loader’s command-and-control (C&C) communication.
- The malware drops a rogue browser extension to intercept “everything a user does, putting everything from active logins and open tabs to session tokens and saved passwords at risk.”
Spread via USB Drives
Additionally, the malware spreads via USB drives, although it is unclear whether this functionality is implemented within DeepLoad or staged by its operator.