Discover how MintsLoader operates as a stealthy, obfuscated malware loader distributing GhostWeaver, StealC, and BOINC. Read Recorded Future’s in-depth analysis of its evasion tactics, DGA-based C2s, and use in phishing and drive-by campaigns.
Analysis Summary
# Tool/Technique: MintsLoader
## Overview
MintsLoader is a malicious loader first observed in early 2024, utilized in phishing and drive-by download campaigns. Its primary purpose is to serve as a versatile delivery mechanism for deploying second-stage malware payloads, such as GhostWeaver, StealC, and a modified BOINC client. It employs a multi-stage infection chain relying on obfuscated JavaScript and PowerShell scripts.
## Technical Details
- Type: Malware (Loader)
- Platform: Likely Windows (inferred from PowerShell usage)
- Capabilities: Multi-stage infection, obfuscation, sandbox/VM evasion, DGA-based C2 communication.
- First Seen: As early as February 2024 (initial campaigns identified by Insikt Group based on SocGholish analysis).
## MITRE ATT&CK Mapping
* **TA0002 - Execution**
* T1059.001 - Command and Scripting Interpreter: PowerShell
* **TA0005 - Defense Evasion**
* T1027 - Obfuscated Files or Information
* T1497 - Virtualization/Sandbox Evasion
* **TA0011 - Command and Control**
* T1568.002 - Domain Generation Algorithms
## Functionality
### Core Capabilities
- **Multi-Stage Infection:** Begins with an obfuscated JavaScript file (stage one), which retrieves and executes a second-stage PowerShell script (stage two).
- **Payload Delivery:** Commonly deploys GhostWeaver (primary payload), StealC, or a modified BOINC client.
- **C2 Communications:** Uses HTTP-based Command and Control (C2).
- **Dynamic Infrastructure:** Employs a Domain Generation Algorithm (DGA) based on the system date to generate new C2 domains daily, complicating infrastructure monitoring.
### Advanced Features
- **Anti-Analysis:** Implements sandbox and virtual machine evasion techniques within its secondary PowerShell script to bypass dynamic detection tools.
- **Obfuscation:** Persistent use of obfuscation in scripts to evade static analysis signatures (e.g., YARA rules).
- **Infrastructure Hardening:** Operators are shifting C2 infrastructure from anonymous VPS providers to bulletproof hosters (e.g., via SCALAXY-AS linked to Inferno Solutions) for increased resilience.
- **Naming Convention:** Distinctive use of the URL parameter `s=mints[NUMBER]` (e.g., `s=mints11`).
## Indicators of Compromise
* File Hashes: [Not explicitly detailed in the text]
* File Names: [Inferred from context, likely related to initial JS/PS droppers, or deployed payloads like GhostWeaver]
* Registry Keys: [Not specified]
* Network Indicators: C2 domains generated daily via DGA; IPs associated with AS44477 (Stark Industries Solutions Ltd), AS199959 (GWY IT Pty Ltd), and AS58061 (SCALAXY-AS).
* Behavioral Indicators: Execution of obfuscated JavaScript followed by PowerShell scripts; attempts to detect virtualization or sandboxing environments.
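As an added hunting example (not code from the report or from Recorded Future), the Python below runs over constructed proxy log lines and flags two of the indicators listed above: URLs carrying the `s=mints[NUMBER]` parameter, and hosts contacting several domains absent from a (constructed) baseline in one day, which is the footprint a date-seeded daily DGA leaves. The log format, baseline set and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines, format "<date> <src_host> <url>" (assumed, not from the report).
SAMPLE_LOGS = """\
2024-03-01 WS-017 http://example-cdn.test/static/app.js
2024-03-01 WS-017 http://a9k2x7q1.test/index.php?id=4&s=mints11
2024-03-01 WS-017 http://q7m3z0t5.test/index.php?s=mints11
2024-03-01 WS-017 http://b2c8d1f4.test/
2024-03-01 WS-017 http://z4r6u8p2.test/
2024-03-01 WS-042 http://example-cdn.test/static/app.js
2024-03-01 WS-042 http://mail.example.test/owa/
"""

# Constructed baseline of domains seen in earlier days; a real hunt would build this from history.
BASELINE_DOMAINS = {"example-cdn.test", "mail.example.test"}

# The loader's URL naming convention from the report: s=mints followed by a number.
MINTS_PARAM = re.compile(r"^mints\d+$")


def has_mints_marker(url: str) -> bool:
    """True when any 's' query parameter matches the s=mints[NUMBER] convention."""
    query = parse_qs(urlsplit(url).query)
    return any(MINTS_PARAM.match(value) for value in query.get("s", []))


def hunt(log_text: str, baseline=BASELINE_DOMAINS, new_domain_threshold: int = 3) -> dict:
    """Return {(date, host): {"mints_urls": [...], "new_domains": n}} for suspicious host-days."""
    mints_hits = defaultdict(list)   # (date, host) -> URLs carrying the s=mintsN marker
    new_domains = defaultdict(set)   # (date, host) -> domains not present in the baseline
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than aborting the hunt
        date, host, url = parts
        key = (date, host)
        domain = urlsplit(url).hostname or ""
        if domain and domain not in baseline:
            new_domains[key].add(domain)
        if has_mints_marker(url):
            mints_hits[key].append(url)
    findings = {}
    for key in set(mints_hits) | set(new_domains):
        hits, fresh = mints_hits.get(key, []), new_domains.get(key, set())
        # Flag on the loader's URL marker alone, or on a burst of never-seen domains in one day.
        if hits or len(fresh) >= new_domain_threshold:
            findings[key] = {"mints_urls": hits, "new_domains": len(fresh)}
    return findings
```

A burst of never-seen domains is only a lead, not a verdict; corroborate with the JavaScript-then-PowerShell execution chain on the flagged host before escalating.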
## Associated Threat Actors
- TAG-124 (also known as LandUpdate808) - Extensive user of the loader.
- SocGholish operators - Early adopters.
- Various other threat groups.
## Detection Methods
- Signature-based detection: Complicated due to persistent use of obfuscation.
- Behavioral detection: Challenged by anti-analysis techniques (sandbox/VM evasion).
- Threat Hunting: Crucial for identifying new DGA-generated C2 domains and tracking infrastructure shifts to bulletproof hosts.
## Mitigation Strategies
- Patching/Updating: Maintaining organizational hygiene against vulnerabilities exploited by initial vectors (phishing, drive-by downloads).
- Network Monitoring: Implementing advanced network monitoring to detect connections to newly generated DGA domains.
- Host Hardening: Employing tooling capable of detecting and blocking process execution that exhibits sandbox/VM evasion characteristics.
- Threat Intelligence: Utilizing services (like Recorded Future's) that actively hunt and provide updated C2 artifacts tracking the loader's dynamic infrastructure.
## Related Tools/Techniques
- **GhostWeaver:** Primary second-stage payload often deployed by MintsLoader. Note: GhostWeaver's self-signed X.509 certificates bear similarities to AsyncRAT certificates, leading to initial misclassification.
- **StealC**
- **BOINC client** (modified)
- **SocGholish:** Associated infection vector/threat group often used for initial delivery.
---
# Tool/Technique: GhostWeaver
## Overview
GhostWeaver is a malware payload frequently deployed as the second stage after successful infection by MintsLoader. While similar in certificate structure to AsyncRAT, it is a distinct backdoor.
## Technical Details
- Type: Malware (Backdoor/Payload)
- Platform: [Inferred: Windows]
- Capabilities: Communication via TLS with self-signed X.509 certificates; persistence/credential theft implied by its nature as a secondary payload.
- First Seen: Associated campaigns observed in 2024.
## MITRE ATT&CK Mapping
* **TA0011 - Command and Control**
* T1071.001 - Application Layer Protocol: Web Protocols (Implied, via TLS C2)
## Functionality
### Core Capabilities
- **C2 Authentication:** Uses TLS encryption secured by an obfuscated, self-signed X.509 certificate embedded directly within the preceding PowerShell script for client-side authentication to C2 infrastructure.
- **Delivery Chain:** Primarily delivered by MintsLoader.
### Advanced Features
- **Certificate Similarity:** Possesses self-signed X.509 certificates whose details (expiration dates, serial number lengths) resemble those used by AsyncRAT, causing initial misclassification by researchers.
## Indicators of Compromise
- File Hashes: SHA256: `fb0238b388d9448a6b36aca4e6a9e4fbcbac3afc239cb70251778d40351b5765` (This hash was initially misidentified as AsyncRAT).
- Network Indicators: C2 infrastructure utilized by MintsLoader.
## Associated Threat Actors
- Threat actors utilizing MintsLoader, notably TAG-124 (LandUpdate808).
## Detection Methods
- Detection is complicated by the similarity of its certificates to AsyncRAT artifacts, necessitating specific behavioral analysis differentiating it from AsyncRAT.
## Mitigation Strategies
- Monitoring for TLS initiation using embedded, self-signed certificates from known deployment chains.
## Related Tools/Techniques
- **AsyncRAT:** Malware family frequently confused with GhostWeaver due to overlapping certificate characteristics.
- **MintsLoader:** Primary dropper.