Researchers have found a new type of malware that can steal credentials as soon as it gets onto a victim's network. The malware uses a standalone stealer and a malicious browser extension to get both saved passwords and live keystrokes.

ReliaQuest is tracking the malware, which it calls "DeepLoad." Its operators are using the ClickFix social engineering method to spread the credential stealer in businesses. It also has a persistence mechanism that can re-run the attack repeatedly without anyone noticing, even after the infected host looks completely clean. The security vendor said that the loader contains so much padding that it probably wasn't written by a person, but rather by an AI model.

The security company found that the malware was writing more than 40 files to the USB drive of a compromised host. These files looked like Chrome setup files, Firefox installers, AnyDesk shortcuts, and other installers that people are used to seeing. DeepLoad makes a permanent trigger in Windows Management Instrumentation that starts the attack again and again without any user input.

In the case that ReliaQuest looked into, the malware attacked again three days after the affected host seemed to be completely cleaned. ReliaQuest warned, "The signs of AI generation mean that there is a good chance that obfuscation will change from generic noise to padding that is specific to the environment it is used in."

It also said, "As WMI subscriptions are added to remediation checklists, the persistence mechanism is likely to shift to other legitimate Windows features that currently receive less attention." The company told businesses that were hit by DeepLoad to check for and remove WMI event subscriptions on affected hosts before putting them back into production. They should also turn on PowerShell Script Block Logging and behavioral endpoint monitoring to detect malicious activity, since file-based scanning won't find the loader.
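An added PowerShell example (not from the article or from ReliaQuest) of the remediation steps just described: enumerating the WMI event subscriptions on a host so each trigger and its payload can be reviewed, removing a subscription once it is confirmed malicious, and enabling Script Block Logging. The interpreter-name heuristic and the placeholder filter name are assumptions; run it in an elevated session on the host being remediated.

```powershell
# Added example, not the article's or ReliaQuest's code.
$ns = 'root\subscription'

# The three objects that together form a WMI persistence subscription.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # includes subclasses
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Reference properties come back as CimInstance objects (or, with older
# providers, as strings like __EventFilter.Name="x"); handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]+)".*', '$1') }
    return $ref.Name
}

# Join each binding to its filter and consumer so one row shows what
# triggers the subscription and what it executes.
$report = foreach ($b in $bindings) {
    $f = $filters   | Where-Object Name -eq (Get-RefName $b.Filter)
    $c = $consumers | Where-Object Name -eq (Get-RefName $b.Consumer)
    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query                       # WQL event query (the trigger)
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $c.Name
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text.
        Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    }
}
$report | Format-List

# Heuristic (assumption): consumers that launch a script interpreter deserve a closer look.
$report | Where-Object { $_.Payload -match 'powershell|cmd\.exe|wscript|cscript|mshta' } |
    Format-Table Filter, ConsumerType, Payload -AutoSize

# Removal after a subscription is confirmed malicious: binding first, then
# the consumer and filter it referenced. $name is a placeholder.
# $name = 'PLACEHOLDER_FILTER_NAME'
# $bindings  | Where-Object { (Get-RefName $_.Filter) -eq $name } | Remove-CimInstance
# $consumers | Where-Object Name -eq $name | Remove-CimInstance
# $filters   | Where-Object Name -eq $name | Remove-CimInstance

# Enable Script Block Logging (policy key). Logged blocks appear as Event ID 4104
# in Microsoft-Windows-PowerShell/Operational, including de-obfuscated content.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
```

Capture the report output before removing anything, since the filter query and consumer payload are the evidence that ties the subscription to the loader.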