splitloader

Loader

⚠️ Overview

SplitLoader is a first-stage malware downloader first documented by researchers at CrowdStrike in 2019, used by threat actors to deliver second-stage payloads including Cobalt Strike, ransomware, and information stealers. It is classified as a downloader and dropper, often distributed via malicious email attachments and compromised websites.

🔧 Technical Capabilities

SplitLoader runs a multi-stage execution chain that typically starts with a malicious Office document whose VBA macros download the initial payload. Command-and-control (C2) traffic goes over HTTP and HTTPS and is obfuscated with a custom scheme: XOR against a static key. That is encoding rather than encryption, since a static key recovered from one sample or one decoded session decodes every other session. Persistence uses scheduled tasks or registry Run keys. Evasion includes process hollowing, API unhooking, and sandbox and debugger checks that look for common analysis tools (e.g., Wireshark, Process Monitor). The loader can enumerate system information, exfiltrate credentials, and stage additional payloads through a modular plugin system. CrowdStrike reports that SplitLoader targets Windows and abuses legitimate Microsoft binaries (LOLBins) such as mshta.exe and regsvr32.exe for execution.
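The weakness of static-key XOR is easiest to see by breaking it. The following is an added example written for this page, not SplitLoader code and not taken from any vendor report: it recovers a repeating XOR key from a captured beacon by crib-dragging a fragment of plaintext the analyst expects to be present. The page says only that traffic is XORed with a static key; the JSON check-in body, the four-byte key and the `"hostname"` crib below are constructed assumptions.

```python
"""Recover a static repeating XOR key from an obfuscated C2 beacon.

Added example for this page, not SplitLoader code and not from any vendor
report. The page only states that traffic is XORed with a static key; the
beacon body, the crib and the key below are constructed for illustration.
"""
from itertools import cycle

# Constructed sample: a JSON check-in body and a 4-byte static key (assumption).
SAMPLE_PLAINTEXT = b'{"hostname":"WS-0421","user":"jdoe","os":"Windows 10 Pro"}'
SAMPLE_KEY = b"k3y!"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and recovers the data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def mostly_printable(data: bytes, threshold: float = 0.95) -> bool:
    """Plausibility check: a real check-in body should be mostly text."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / max(len(data), 1) >= threshold


def smallest_period(key: bytes) -> bytes:
    """Collapse a repeated key (b'k3y!k3y!') to its shortest repeating unit."""
    for n in range(1, len(key) + 1):
        if len(key) % n == 0 and key[:n] * (len(key) // n) == key:
            return key[:n]
    return key


def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 16) -> list[bytes]:
    """Crib-drag a known plaintext fragment over the ciphertext.

    For every key length up to max_key_len (bounded by the crib length, so
    every key byte is determined) and every offset, derive key bytes as
    cipher ^ crib. Keep a candidate only if the derived bytes are consistent
    (the same key slot never receives two different values) and decoding the
    whole beacon with it yields mostly printable text.
    """
    found: list[bytes] = []
    for klen in range(1, min(max_key_len, len(crib)) + 1):
        for offset in range(len(ciphertext) - len(crib) + 1):
            slots = [None] * klen
            consistent = True
            for i, p in enumerate(crib):
                slot = (offset + i) % klen
                k = ciphertext[offset + i] ^ p
                if slots[slot] is None:
                    slots[slot] = k
                elif slots[slot] != k:
                    consistent = False
                    break
            if not consistent:
                continue
            cand = smallest_period(bytes(slots))
            if cand not in found and mostly_printable(xor_bytes(ciphertext, cand)):
                found.append(cand)
    return found


def sample_beacon() -> bytes:
    """The constructed beacon as it would appear on the wire."""
    return xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    beacon = sample_beacon()
    # The analyst guesses the body is JSON carrying a hostname field (assumption).
    for key in recover_key(beacon, b'"hostname":"'):
        print(key, xor_bytes(beacon, key))
```

Once the key falls out of one session it decodes every other capture from the same build, which is why a static XOR key is a detection opportunity rather than a protection: the recovered key can be turned straight into a network signature.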

📜 History & Notable Incidents

First observed in July 2019, SplitLoader gained notoriety in campaigns targeting the healthcare, education, and government sectors. In 2020, ThreatConnect identified a campaign distributing the NetWalker ransomware via SplitLoader, impacting multiple US healthcare organizations. No CVE is specific to SplitLoader itself; for initial infection it leverages known Microsoft Office vulnerabilities such as CVE-2017-0199. In 2021, law enforcement actions against NetWalker infrastructure indirectly impacted SplitLoader operations, as the downloader was a key delivery vector for that ransomware.

🔍 Detection Indicators

The source quotes MD5 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d as an example hash from the CrowdStrike report; that value is a sequential placeholder pattern, not a usable sample hash, so take current hashes from the vendor report itself rather than from this page. Behavioral indicators: creation of scheduled tasks named "OneDriveUpdate" or "AdobeUpdate"; outbound connections on ports 8080 and 443 whose HTTP requests carry the header "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" (a stock Internet Explorer 7 string, so a weak indicator on its own that should be correlated with the other artifacts); registry entries under HKU\Software\Microsoft\Windows\CurrentVersion\Run with random-looking value names; and a mutex named "Global\SplitLoader_Mutex_001" observed in analysis by Cisco Talos.
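The behavioral indicators above (Office spawning mshta.exe or regsvr32.exe, the named scheduled tasks, random Run-key value names, and the IE7 User-Agent on 443/8080) are easier to operationalize than a hash. The following is an added example for this page, not a vendor signature: it runs those checks over a handful of constructed events. The event schema is a simplified normalization of Sysmon process and registry events, Security 4698 task-creation events and proxy logs (an assumption of this example), and the "random value name" heuristic is the example's own, since the page does not say how the names are generated.

```python
"""Match host and proxy telemetry against the SplitLoader indicators listed above.

Added example for this page, not a vendor signature. The event schema is a
simplified normalization of Sysmon process/registry events, Security 4698
task-creation events and proxy logs (assumption); the sample events are
constructed and the "random value name" heuristic is this example's own.
"""
import math
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe"}
TASK_NAMES = {"onedriveupdate", "adobeupdate"}
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I
)
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
SUSPECT_PORTS = {443, 8080}

# Constructed events, not real telemetry. Four of them should alert.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\xQ7pLm2kR9dz"},
    {"type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "task", "name": r"\OneDriveUpdate"},
    {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"type": "http", "dst_port": 8080, "user_agent": SUSPECT_UA},
    {"type": "http", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
]


def basename(path: str) -> str:
    """Last backslash-separated component, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for the 'random name strings' reported in Run keys: long,
    high-entropy and nearly vowel-free. 'OneDrive' fails on both measures."""
    s = name.lower()
    if len(s) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return shannon_entropy(s) >= 3.0 and vowel_ratio < 0.25


def detect(events: list[dict]) -> list[str]:
    """Return one alert string per event that matches an indicator."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in OFFICE_PARENTS and child in LOLBINS:
                alerts.append(f"lolbin: {parent} spawned {child}")
        elif kind == "registry":
            m = RUN_KEY_RE.search(ev["target"])
            if m and looks_random(m.group(1)):
                alerts.append(f"run key: random value name {m.group(1)!r}")
        elif kind == "task":
            if basename(ev["name"]) in TASK_NAMES:
                alerts.append(f"scheduled task: {ev['name']}")
        elif kind == "http":
            # Stock IE7 string: weak alone, so also require the reported ports.
            if ev["user_agent"] == SUSPECT_UA and ev["dst_port"] in SUSPECT_PORTS:
                alerts.append(f"c2 beacon: port {ev['dst_port']} with {SUSPECT_UA}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The process-ancestry check is the highest-fidelity rule here: Office applications almost never have a legitimate reason to launch mshta.exe or regsvr32.exe. The User-Agent and task-name rules are brittle (an operator can change both in a single build), so treat them as corroboration for the process and registry alerts rather than as stand-alone detections.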

☠️ Risk & Impact

SplitLoader causes significant operational disruption by enabling ransomware deployment, leading to data encryption and extortion. In healthcare incidents, patient data exfiltration and system downtime have been reported, with financial losses estimated in the millions per breach. The downloader targets all industries but disproportionately affects organizations with weak email security controls. Data exfiltration of credentials and sensitive documents prior to encryption increases the risk of secondary attacks.

🛡️ Mitigation

Defenders should filter malicious Office documents at the mail gateway, enforce macro policy (block macros in documents that arrived from the internet and disallow unsigned macros), and deploy endpoint detection for process hollowing and LOLBin abuse, in particular mshta.exe and regsvr32.exe spawned by Office processes. CrowdStrike and Trend Micro publish detection signatures for SplitLoader execution; the rule identifier quoted in the source (Falcon rule ID 12345) is a placeholder, so consult the vendor's own rule set. Prompt patching of Microsoft Office vulnerabilities (CVE-2017-0199 and similar) is critical. Network segmentation and phishing-awareness training reduce the risk of initial infection.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.