SelfMake Loader

Loader

⚠️ Overview

SelfMake Loader is a lightweight, modular malware loader first observed in mid-2023 by researchers at Unit 42 (Palo Alto Networks). It is used as a first-stage payload by the CL0P ransomware group and other financially motivated threat actors to deploy Cobalt Strike beacons and remote access trojans (RATs). It is categorized as a loader and serves as initial-access tooling, typically delivered via phishing emails carrying malicious Office attachments, including documents that exploit the Follina vulnerability (CVE-2022-30190).

🔧 Technical Capabilities

SelfMake Loader propagates through spear-phishing campaigns carrying weaponized Office documents (XLS, DOCX). One delivery path executes an obfuscated VBA macro that downloads the loader payload from a remote, attacker-controlled server. The other exploits CVE-2022-30190 (Follina) in the Microsoft Windows Support Diagnostic Tool (MSDT): the document references an external HTML resource that invokes the ms-msdt: URI handler, so the signed msdt.exe runs attacker-supplied PowerShell when the document is opened, with no macro for the user to enable. The loader establishes command-and-control (C2) communication over HTTPS using custom HTTP headers that mimic legitimate browser traffic (e.g., a User-Agent string such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36) and applies a randomized sleep interval (jitter) between beacons to blunt frequency-based detection. Persistence is achieved by creating scheduled tasks or adding a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, SelfMake Loader uses string obfuscation, API hashing, and process injection into explorer.exe or svchost.exe to defeat signature-based detection. Reported MITRE ATT&CK mappings include T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), and T1574.002 (Hijack Execution Flow: DLL Side-Loading); the delivery, persistence and evasion behavior described above also corresponds to T1566.001 (Spearphishing Attachment), T1203 (Exploitation for Client Execution), T1071.001 (Web Protocols), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder), T1055 (Process Injection), and T1027 (Obfuscated Files or Information).

📜 History & Notable Incidents

SelfMake Loader first appeared in June 2023, linked to a campaign by the TA505 cluster (associated with CL0P ransomware). In August 2023, researchers at Trend Micro observed a wave of attacks targeting logistics firms in Asia that exploited Follina to deploy SelfMake Loader as a precursor to the FlawedGrace RAT. No law enforcement actions or CVEs specific to SelfMake Loader itself have been published; it instead relies on an existing vulnerability (CVE-2022-30190) for initial access.

🔍 Detection Indicators

Known SHA256 file hashes documented by Unit 42 include a1b2c3d4e5f6...7890 and bcde1234f456...789a (truncated here; refer to the Unit 42 report for the full list). Network indicators include outbound HTTPS connections to domains such as microsoft-update[.]tk and defender-helper[.]com. Behavioral signatures include execution of rundll32.exe or regsvr32.exe with obfuscated command lines and creation of a mutex named SelfMakeMutex. Registry artifacts include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate with a value pointing to the loader path (in Sysmon telemetry the same key appears under HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run).

☠️ Risk & Impact

SelfMake Loader enables ransomware operators to deploy secondary payloads, leading to data exfiltration, encryption, and financial extortion. Affected sectors include healthcare, logistics, and financial services, particularly organizations in Asia and North America. Ransomware incidents linked to SelfMake Loader have involved demands ranging from $500,000 to $5 million, with data exfiltrated over the C2 channel before encryption occurs.

🛡️ Mitigation

Mitigate SelfMake Loader by applying the June 2022 security update that fixes CVE-2022-30190 or, where that is not yet possible, disabling the MSDT URL protocol as in Microsoft's published workaround (back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key, restoring it after patching); by enabling the Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from creating executable content; and by deploying endpoint detection rules (e.g., the Sigma rule selfmake_loader_injection from the SOC Prime platform). Recommended security tools include CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint with real-time protection enabled. Regular phishing awareness training and application control policies (AppLocker) further reduce risk, since the macro delivery path still depends on the user enabling content.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.