A sophisticated new malware dubbed DeepLoad is posing a significant threat to enterprise networks, capable of achieving persistent access and stealing credentials through a multi-stage attack that evades common security measures. Discovered by ReliaQuest researchers, the DeepLoad campaign significantly raises the bar for cyber defenses by leveraging a deceptive user interaction, legitimate Windows utilities, and advanced evasion techniques, including AI-generated obfuscation.
The infection vector for DeepLoad starts with a social engineering tactic known as “ClickFix.” Attackers present users with a convincing fake browser error message and instruct them to paste a PowerShell command into the Windows Run dialog to resolve the perceived issue. Because the victim launches the command themselves, there is no exploit, no download prompt and no file to scan; the only initial artifact is a `powershell.exe` process spawned from `explorer.exe` with a long command line. That single command initiates a chain of events designed for stealth and persistence, immediately establishing a foothold that is difficult to eradicate.
AI-Powered Evasion and Advanced Persistence Techniques
DeepLoad’s effectiveness stems from its deliberate design to circumvent the security controls that organizations widely rely upon. The malware’s initial PowerShell loader is heavily obfuscated, employing thousands of inconsequential variable assignments to mask its true functionality and appear as a benign, if complex, script. ReliaQuest assesses that artificial intelligence played a role in generating this obfuscation layer. This suggests that adversaries can rapidly generate new variant payloads, outpacing defenders’ ability to create updated detection signatures.
Following the obfuscation, the loader uses PowerShell’s `Add-Type` cmdlet to compile a C# injector on the fly and load the resulting assembly into the PowerShell process. The decoded injector is never written out as a standalone executable, which defeats file-based antivirus scans. One caveat for defenders: in Windows PowerShell 5.1, `Add-Type` compiles source code by spawning `csc.exe` with a temporary `.cs` file and output assembly under `%TEMP%`, so a `csc.exe` child of `powershell.exe` and short-lived compiler temp files are reliable telemetry for this stage even when the script itself is opaque. The compiled injector then injects shellcode into a legitimate, trusted Windows process. In observed attacks, the malware targeted `LockAppHost.exe`, the host process for the Windows lock screen app, which many security solutions do not monitor for outbound network activity, offering a discreet environment for malicious code execution.
The injection method employs Asynchronous Procedure Call (APC) injection: the injector writes its code into the target process’s memory and queues an APC on one of the target’s existing threads, and the code runs when that thread next enters an alertable wait state. No new thread is created, so the conspicuous `CreateRemoteThread` pattern is absent and no payload is written to the filesystem, making immediate detection challenging.
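The following is an added example, not code from the ReliaQuest report, showing how PowerShell Script Block Logging (Event ID 4104) can surface both stages described above: a script block padded with junk assignments, and one that compiles an injector with `Add-Type` and calls the Win32 APIs any process-injection stub needs. The indicator list and the thresholds for what counts as “padded” are assumptions chosen for illustration; tune them to your environment.

```powershell
# Added example (not from the ReliaQuest write-up): hunt Script Block Logging
# events (ID 4104) for padded loaders and for in-memory compile-and-inject code.
# Requires Script Block Logging to be enabled and an elevated shell to read the log.
# Indicator list and thresholds are illustrative assumptions, not vendor signatures.

function Find-SuspiciousScriptBlocks {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 5000,
        # Fraction of lines that are bare "$x = ..." assignments above which a
        # block is flagged as padded (assumed threshold).
        [double]$JunkAssignmentRatio = 0.80,
        [int]$MinLines = 200
    )

    # Generic indicators of compile-and-inject; these are public Win32/.NET names,
    # not strings specific to any one malware family.
    $injectIndicators = @(
        'Add-Type', 'DllImport', 'OpenProcess', 'VirtualAllocEx',
        'WriteProcessMemory', 'QueueUserAPC', 'OpenThread', 'LockAppHost'
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # A long script block is logged as several 4104 events; reassemble them by
    # ScriptBlockId so a pattern split across fragments is still matched.
    # 4104 property order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $blocks = $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        $first = $parts | Select-Object -First 1
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            TimeCreated   = $first.TimeCreated
            Path          = $first.Properties[4].Value
            Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        }
    }

    foreach ($b in $blocks) {
        $hits  = @($injectIndicators | Where-Object { $b.Text -match [regex]::Escape($_) })

        $lines = $b.Text -split "`r?`n"
        $junk  = @($lines | Where-Object { $_ -match '^\s*\$\w+\s*=\s*' }).Count
        $ratio = if ($lines.Count -gt 0) { $junk / $lines.Count } else { 0 }
        $padded = ($lines.Count -ge $MinLines) -and ($ratio -ge $JunkAssignmentRatio)

        # Report blocks that look like an injector (3+ API indicators) or a padded loader.
        if ($hits.Count -ge 3 -or $padded) {
            [pscustomobject]@{
                TimeCreated   = $b.TimeCreated
                ScriptBlockId = $b.ScriptBlockId
                Path          = $b.Path
                Lines         = $lines.Count
                JunkRatio     = [math]::Round($ratio, 2)
                Indicators    = ($hits -join ', ')
            }
        }
    }
}

# Usage (elevated): Find-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Script Block Logging records each block as it is invoked, so code that is assembled as a string and then executed appears here in its decoded form; that is why the reassembled text can be matched against API names the obfuscation layer never shows on the command line.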
Credential theft is a primary objective of the DeepLoad malware. Before the initial infection chain completes, the malware deploys a credential stealer named `filemanager.exe`. This component, named to blend in with legitimate processes, operates on a separate command-and-control channel, continuing to exfiltrate data even if the primary loader is detected and blocked. Additionally, a malicious browser extension is installed that intercepts passwords and session tokens as users enter them and persists across browsing sessions until it is manually removed. This extension poses a significant risk to user accounts and sensitive online data.
The rapid spread capabilities of DeepLoad are also a major concern. Within minutes of infecting a host, the malware writes over 40 disguised installer files to any connected USB drives. These are shortcut files posing as installers for common applications such as Chrome, Firefox and AnyDesk, and they launch a full infection on any system where the USB drive is subsequently inserted. Because propagation rides on physical media rather than the network, it reaches machines across the organization and beyond, including systems outside the domain.
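As an added example, not part of the original report, the script below audits removable drives for shortcut files whose target is a script interpreter, which is the pattern a fake “Chrome” or “AnyDesk” installer shortcut has to follow to run a loader. It reads shortcut metadata through the `WScript.Shell` COM object and never opens or executes the targets. The interpreter list and the argument keywords it flags are assumptions, not indicators taken from the report.

```powershell
# Added example (not from the original report): list .lnk files on removable
# drives that launch an interpreter or carry encoded/hidden-window arguments.
# Read-only: it inspects shortcut metadata and runs nothing.

function Get-SuspiciousRemovableShortcuts {
    [CmdletBinding()]
    param(
        # Interpreters a browser or remote-support installer shortcut has no
        # business launching (assumed list).
        [string[]]$InterpreterNames = @('powershell', 'pwsh', 'cmd', 'mshta',
                                        'wscript', 'cscript', 'rundll32', 'regsvr32')
    )

    $shell = New-Object -ComObject WScript.Shell
    $alts  = ($InterpreterNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Match the interpreter name as the final path component, with or without .exe
    $targetPattern = "(?i)(^|\\)($alts)(\.exe)?$"
    # Argument fragments typical of a one-line loader (assumed heuristics)
    $argPattern    = '(?i)(-enc|-e |-ec |hidden|iex|invoke-expression|downloadstring|frombase64)'

    # DriveType 2 = removable disk in Win32_LogicalDisk
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

    foreach ($drive in $removable) {
        $root = $drive.DeviceID + '\'
        # -Force so hidden shortcuts are included
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $lnk = $shell.CreateShortcut($_.FullName) } catch { return }
            $target  = [string]$lnk.TargetPath
            $lnkArgs = [string]$lnk.Arguments

            $launchesInterpreter = [regex]::IsMatch($target, $targetPattern)
            $loaderArgs          = [regex]::IsMatch($lnkArgs, $argPattern)

            if ($launchesInterpreter -or $loaderArgs) {
                [pscustomobject]@{
                    Drive     = $drive.DeviceID
                    Shortcut  = $_.FullName
                    Target    = $target
                    Arguments = $lnkArgs
                    # WindowStyle 7 = minimized, commonly used to hide the console
                    Minimized = ($lnk.WindowStyle -eq 7)
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                }
            }
        }
    }
}

# Usage: Get-SuspiciousRemovableShortcuts | Format-List
```

Run this before a drive that has touched a suspect host is reused; a shortcut whose icon says “Chrome” but whose target is `powershell.exe` with an encoded command is the result to look for.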
Compounding the difficulty of remediation, DeepLoad establishes a hidden Windows Management Instrumentation (WMI) event subscription during the initial compromise. A subscription consists of an event filter (a WQL query describing the trigger), an event consumer (the action, such as a command line to run) and a binding that ties the two together; all three live in the WMI repository rather than on disk as an executable, so they survive reboots and are missed by cleanup that only removes dropped files, Run keys and scheduled tasks. Once its trigger fires, the subscription can reinfect a system without any user interaction. In one documented instance, a WMI subscription reactivated the attack three days after the host was believed to be clean, silently re-deploying `filemanager.exe` into the user’s Downloads folder, illustrating the persistence of the DeepLoad threat.
Security teams are advised to implement stringent monitoring and response protocols to counter this evolving threat. Enabling PowerShell Script Block Logging is crucial: it records the content of every script block as it executes (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), so code that is built as a string and then run in a later stage is logged in its decoded form regardless of how the outer loader is obfuscated. Before an affected system is returned to production, audit every WMI event subscription (filter, consumer and binding) and remove any that is not known-good, or the host will reinfect itself. All credentials associated with compromised hosts, including saved browser passwords and active session tokens, must be rotated immediately, and the malicious browser extension must be removed first so the new credentials are not captured in turn. Connected USB drives should be audited for malicious shortcut files before being reused. Endpoint security strategies should shift from purely file-based scanning to behavioral and runtime detection, leveraging EDR telemetry and memory scanning capabilities to identify and neutralize advanced threats like DeepLoad.
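The two remediation steps above that are easiest to get wrong are the WMI audit and the logging change, so here is an added example (not code from the report) that enumerates every subscription in `root\subscription`, shows the trigger query and the action each consumer would run, removes any binding not on an allow-list, and turns on Script Block Logging through its policy registry key. The allow-list holds only the default Windows `SCM Event Log Filter` subscription; that default and the assumption that nothing else is expected on a workstation are yours to adjust. Run it elevated.

```powershell
# Added example (not from the original report): audit and prune WMI event
# subscriptions, then enable Script Block Logging. Run from an elevated shell.

function Get-WmiEventSubscriptions {
    $ns        = 'root/subscription'
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    # __EventConsumer returns every consumer subclass (CommandLine, ActiveScript, ...)
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer

    foreach ($b in $bindings) {
        # Filter/Consumer on a binding are references carrying the key (Name)
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        $class = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

        # What actually runs depends on the consumer class; do not judge by Name alone.
        $action = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }          # inline VBScript/JScript
            default                     { "<$class>" }
        }

        [pscustomobject]@{
            Binding       = "$($b.Filter.Name) -> $($b.Consumer.Name)"
            ConsumerClass = $class
            Trigger       = if ($f) { $f.Query } else { '<missing>' }   # WQL, e.g. a timer or uptime poll
            Action        = $action
            BindingRef    = $b
            FilterRef     = $f
            ConsumerRef   = $c
        }
    }
}

function Remove-UnknownWmiEventSubscriptions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default Windows binding; extend with your own known-good filter names.
        [string[]]$AllowedFilterNames = @('SCM Event Log Filter')
    )
    foreach ($s in Get-WmiEventSubscriptions) {
        if ($s.FilterRef -and ($AllowedFilterNames -contains $s.FilterRef.Name)) { continue }
        if ($PSCmdlet.ShouldProcess($s.Binding, 'Remove WMI event subscription')) {
            # Delete the binding first so the action cannot fire while the parts go.
            $s.BindingRef | Remove-CimInstance
            if ($s.FilterRef)   { $s.FilterRef   | Remove-CimInstance }
            if ($s.ConsumerRef) { $s.ConsumerRef | Remove-CimInstance }
        }
    }
}

function Enable-ScriptBlockLogging {
    # Policy key honoured by Windows PowerShell 5.1 (same effect as the GPO setting)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Usage:
#   Get-WmiEventSubscriptions | Format-List Binding, ConsumerClass, Trigger, Action
#   Remove-UnknownWmiEventSubscriptions -WhatIf     # review first
#   Remove-UnknownWmiEventSubscriptions             # then prune
#   Enable-ScriptBlockLogging
```

Review the `-WhatIf` output before pruning: the point of the audit is to read the `Trigger` and `Action` of each binding, since an attacker picks whatever names they like and a consumer called something innocuous can still carry a command line that re-drops the stealer.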
The ongoing evolution of malware like DeepLoad, particularly its use of AI-generated evasion and sophisticated persistence mechanisms, underscores the need for adaptive and proactive cybersecurity strategies. Organizations must remain vigilant and continuously update their defenses to stay ahead of emerging threats that aim to bypass conventional security measures.

