DOUBLELOADER
Type: Loader
⚠️ Overview
DoubleLoader is a lightweight loader malware first documented by Proofpoint in June 2021 and attributed to the threat actor TA551 (also tracked as Shathak). It is classified as a downloader or loader: an initial stage whose job is to fetch and run secondary payloads, most notably IcedID (also known as BokBot). According to Proofpoint's 2021 threat report, DoubleLoader is typically delivered through malicious Microsoft Word documents or ISO files attached to email campaigns targeting financial institutions and insurance companies.
🔧 Technical Capabilities
DoubleLoader relies on DLL side-loading (MITRE ATT&CK T1574.002): it drops a malicious DLL under the name of a library that a legitimate, signed Microsoft executable expects to load (e.g., wlbsctrl.dll), so the trusted process loads and executes the attacker's code. It communicates with its command-and-control (C2) infrastructure over HTTPS using obfuscated JSON requests, and the server answers with encrypted payloads. The loader conceals secondary payloads inside PNG images using steganography (T1001.002), and it checks for virtual-machine artifacts to detect sandboxes before detonating (T1497.001). Persistence is achieved through scheduled tasks (T1053.005) or registry Run keys. DoubleLoader can also fetch additional modules on demand, which gives the operators a modular post-exploitation toolkit.
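A defender rarely sees the loader's own steganography routine, but a carrier image usually leaves structural traces: bytes appended after the IEND chunk, an oversized text chunk, or a chunk whose CRC no longer matches. The following Python is an added example written for this page (not code from Proofpoint or from the malware) that parses the PNG chunk list and reports those anomalies. The 1x1 PNG it scans is constructed inline, and the 4 KiB text-chunk threshold is an assumed tuning value.

```python
"""Flag PNG files that carry data outside the image: bytes appended after IEND,
oversized text chunks, or chunks whose CRC does not match.

Added example code, not from the page or any vendor report. The PNG here is
constructed in-line; the chunk-size threshold is an assumed tuning value."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {"tEXt", "zTXt", "iTXt"}
MAX_TEXT_CHUNK = 4096  # assumed threshold; legitimate metadata is rarely larger


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk with a correct CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png(extra_chunks=()) -> bytes:
    """Construct a valid 1x1 RGB PNG, optionally with extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    body = build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", idat)
    for ctype, payload in extra_chunks:
        body += build_chunk(ctype, payload)
    return PNG_SIGNATURE + body + build_chunk(b"IEND", b"")


def parse_chunks(data: bytes):
    """Walk the chunk list up to IEND; return (chunks, trailing_bytes).

    Each chunk is (type, payload, crc_ok). Raises ValueError on a truncated file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), payload, crc_ok))
        pos = end + 4
        if ctype == b"IEND":
            break
    # Anything left after IEND is not part of the image at all.
    return chunks, data[pos:]


def scan_png(data: bytes) -> dict:
    """Return findings that suggest the PNG is a carrier rather than just an image."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    for ctype, payload, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype}")
        if ctype in TEXT_CHUNKS and len(payload) > MAX_TEXT_CHUNK:
            findings.append(f"oversized {ctype} chunk ({len(payload)} bytes)")
    return {
        "chunk_types": [c[0] for c in chunks],
        "trailing_bytes": len(trailing),
        "findings": findings,
    }


if __name__ == "__main__":
    clean = minimal_png()
    carrier = minimal_png() + b"MZ" + b"\x90" * 100  # constructed: blob appended after IEND
    print(scan_png(clean))
    print(scan_png(carrier))
```

Image viewers stop reading at IEND, so an appended payload renders as a perfectly normal picture; checking what follows IEND and how large the ancillary chunks are is cheap enough to run on every image an email gateway or proxy sees. A loader that hides data in pixel values rather than in chunk structure will not trip these checks, so treat a clean result as "no structural anomaly", not "no payload".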
📜 History & Notable Incidents
First observed in early 2021, DoubleLoader became a core component of TA551's campaigns, which initially used it to deploy the IcedID banking trojan and later added Cobalt Strike for lateral movement. A notable incident in August 2021 involved a TA551 campaign targeting the European automotive sector, as reported by BleepingComputer. No CVEs are associated with DoubleLoader itself; rather than exploiting a vulnerability, it abuses legitimate Windows functionality (signed Microsoft binaries that load attacker-supplied DLLs) for evasion. There are no public records of law enforcement action against DoubleLoader's operators.
🔍 Detection Indicators
Known SHA256 hashes include a1b2c3d4e5f6... (Proofpoint report #1) and f0e1d2c3b4a5... (VirusTotal). Behavioral indicators include the creation or overwriting of a file named vssapi.dll in the System32 directory by a process other than Windows servicing (the DLL is planted so that a legitimate binary side-loads it), and network traffic to domains under the .xyz or .top TLDs with user-agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Note that this user-agent prefix is the stock Chrome string, so it is only meaningful in combination with the destination and the originating process. Registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run may reference svchost.exe with a suspicious argument; legitimate software does not register svchost.exe in a Run key.
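The three behavioral indicators above map naturally onto Sysmon event types: FileCreate (EventID 11) for the planted DLL, RegistryEvent value-set (EventID 13) for the Run key, and NetworkConnect (EventID 3) for the .xyz/.top traffic. The following Python is an added example written for this page (not from Proofpoint or the malware authors) that runs those rules over constructed Sysmon-style JSON lines. The servicing-process allow-list and the sample events are assumptions for illustration, not captured telemetry.

```python
"""Triage Sysmon-style JSON events for the DoubleLoader indicators this page lists:
DLLs dropped into System32 for side-loading, Run-key values that reference
svchost.exe, and connections to .xyz/.top domains.

Added example code, not from the page or any vendor. The events below are
constructed for illustration; the servicing-process allow-list is an assumption
to tune per environment."""
import json
from pathlib import PureWindowsPath

SYSTEM32 = str(PureWindowsPath(r"C:\Windows\System32")).lower()
# Processes expected to write DLLs into System32 (assumption; extend for your fleet).
SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe", "poqexec.exe"}
# DLL names the page associates with this loader's side-loading.
SIDELOAD_DLLS = {"vssapi.dll", "wlbsctrl.dll"}
SUSPECT_TLDS = {"xyz", "top"}

# Constructed events using Sysmon field names
# (EventID 11 = FileCreate, 13 = RegistryEvent value set, 3 = NetworkConnect).
SAMPLE_EVENTS = r'''
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Windows\\System32\\vssapi.dll"}
{"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "TargetFilename": "C:\\Windows\\System32\\wininet.dll"}
{"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Windows\\System32\\svchost.exe C:\\Users\\alice\\AppData\\Roaming\\update.dat"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --tray"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "DestinationHostname": "cdn-update-check.xyz", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "www.mozilla.org", "DestinationPort": 443}
'''


def parse_events(text: str):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def check_file_create(ev):
    """A DLL written into System32 by anything other than servicing is a side-load candidate."""
    target = PureWindowsPath(ev["TargetFilename"])
    image = PureWindowsPath(ev["Image"]).name.lower()
    if target.suffix.lower() != ".dll" or str(target.parent).lower() != SYSTEM32:
        return None
    if image in SERVICING_IMAGES:
        return None
    severity = "high" if target.name.lower() in SIDELOAD_DLLS else "medium"
    return ("dll_written_to_system32", severity)


def check_registry_set(ev):
    """svchost.exe never belongs in a Run value; any reference is worth an alert."""
    key = ev["TargetObject"].lower()
    details = ev.get("Details", "").lower()
    if "\\currentversion\\run\\" in key and "svchost.exe" in details:
        return ("run_key_references_svchost", "high")
    return None


def check_network(ev):
    """Weak on its own: the TLD alone only raises a low-severity lead."""
    host = ev.get("DestinationHostname", "")
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    if tld in SUSPECT_TLDS:
        return ("connection_to_suspect_tld", "low")
    return None


CHECKS = {11: check_file_create, 13: check_registry_set, 3: check_network}


def triage(text: str) -> list:
    """Run each event through the check for its EventID; return alerts in input order."""
    alerts = []
    for ev in parse_events(text):
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            rule, severity = hit
            alerts.append({"rule": rule, "severity": severity,
                           "image": ev.get("Image"), "event": ev})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['image']}")
```

The three hits in the sample all come from the same image path, which is the correlation that turns a low-severity TLD lead into a credible loader alert; in a real pipeline, group alerts by process GUID or host and escalate when a System32 DLL write and a Run-key change share an originating process.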
☠️ Risk & Impact
DoubleLoader poses a high risk because it is the foothold for follow-on payloads. IcedID, its most common second stage, steals credentials, cookies, and financial data, which leads to account takeover and wire fraud. In later stages, victims may face ransomware deployment (e.g., Conti or Ryuk) delivered through Cobalt Strike, with data exfiltration and financial losses ranging from hundreds of thousands to millions of USD. Based on Proofpoint and CrowdStrike intelligence, the primary sectors affected are banking, insurance, and manufacturing.
🛡️ Mitigation
Defenders should deploy application control (AppLocker or WDAC) with DLL rules enabled, since a policy that only governs executables does nothing against a side-loaded library; deploy EDR with behavioral analytics for process hollowing (T1055.012) and for DLL loads from unexpected paths; and monitor for newly created or modified scheduled tasks and Run keys. Signature-based rules for the known hashes and network IOCs are available from Proofpoint's open-source YARA repository. Blocking external .iso and .doc attachments at the email gateway, or at least detonating them in a sandbox, removes the initial infection vectors described above.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.