Malware, Vulnerability Management

Malicious payloads distributed through ModernLoader implant

The Hacker News reports that the malicious implant ModernLoader, also known as Avatar bot, has been leveraged by a Russian-speaking threat actor to deploy various malware in three separate but related campaigns between March and June 2022. According to a report from Cisco Talos, the attacks targeted vulnerable WordPress and cPanel instances using files spoofing Amazon gift cards; the initial-stage payload is an HTML Application (HTA) file that executes a PowerShell script to deploy an interim payload. The report also showed that ModernLoader served as the main malware command-and-control server, facilitating the distribution of RedLine Stealer, SystemBC, XMRig, and DCRat, as well as a Discord token stealer. "These campaigns portray an actor experimenting with different technology. The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign but their technical skills are not developed enough to fully develop their own tools," said researcher Vanja Svajcer.
