Exploring the Multi-Stage Attack Strategy of the FROZEN#SHADOW Campaign

An attack campaign known as FROZEN#SHADOW, identified by the Securonix Threat Research team, has been actively targeting individuals across Asia, Europe, and the Americas. This campaign utilizes SSLoad malware, delivered via phishing emails, to initiate a multi-stage attack that includes the deployment of Cobalt Strike and remote monitoring and management software such as ScreenConnect. These tools facilitate command-and-control operations and ensure sustained access to compromised hosts. According to Securonix, "SSLoad is designed to stealthily infiltrate systems, gather sensitive information, and transmit its findings back to its operators." By utilizing a combination of tools, the attackers were observed to move laterally through the network and take full control of the victim's Windows domain by establishing their own administrator account.

The attack begins with a JavaScript file using comment blocks to obscure its malicious intent, effectively lowering its entropy to evade antivirus detection. This script initiates several ActiveXObjects for interacting with network drives and the local file system on the victim’s machine. After mapping a network drive to a remote share, the script executes an MSI file, introducing the initial malware payload. Securonix notes this MSI file resembles the BazarBackdoor malware. Once executed, it downloads and activates the SSLoad malware payload, disguised as a benign DLL, and launched through rundll32.exe to mimic legitimate software operations.

Following installation, the malware undertakes extensive system reconnaissance, executing commands to collect detailed network configurations, system settings, and administrative group data. This information is sent back to the attackers' C2 servers. Adjusting tactics based on system responses ensures they are not operating on a decoy host such as a honeypot. A Cobalt Strike beacon is then deployed using rundll32.exe, facilitating encrypted C2 communications and further payload delivery. The attackers then deploy ScreenConnect to gain further control of the compromised system, enabling screen sharing and further lateral movement within the network. Using gathered credentials from lsass and exploiting domain trust relationships, the attackers use advanced PowerShell commandlets to explore network shares and sensitive files, ultimately gaining domain admin privileges and creating new accounts to persist within systems.