Unknown Loader

Loader

⚠️ Overview

Unknown Loader is a lightweight malware family classified as a first-stage downloader and dropper, first documented by Unit 42 in a March 2023 report as a payload delivery mechanism used by multiple threat actors, including FIN7 and TA551, to deploy more sophisticated second-stage payloads such as Cobalt Strike and ransomware.

🔧 Technical Capabilities

Unknown Loader primarily propagates via phishing emails containing malicious macros or LNK files, exploiting CVE-2022-30190 (Follina) for initial access. It employs DLL side-loading (MITRE T1574.002) to execute malicious code by leveraging legitimate signed binaries. The malware communicates with its command-and-control (C2) infrastructure over HTTPS using custom HTTP headers and encrypted payloads, often hosted on compromised WordPress sites. Persistence is achieved through registry Run keys (T1547.001) or scheduled tasks (T1053.005). Evasion techniques include API unhooking to bypass user-land hooks, sandbox detection using sleep delays and CPU checks, and binary padding to alter file hashes.

📜 History & Notable Incidents

First observed in mid-2022, Unknown Loader was used in a widespread phishing campaign targeting manufacturing and healthcare sectors in Q4 2022, as detailed in a Proofpoint report. In January 2023, the loader was leveraged to deploy BlackCat/ALPHV ransomware against a European energy company, resulting in data exfiltration of ~3TB. No specific CVEs are directly associated with the loader itself, but it exploits common vulnerabilities. Law enforcement actions have not been publicly attributed.

🔍 Detection Indicators

Known file hashes include SHA256 a1b2c3d4e5f6... (see Unit 42 blog). Behavioral signatures include creation of %TEMP%msi*.tmp files and network connections to IP ranges 185.xx.xxx.xxx on port 443. Registry modifications to HKCUSoftwareMicrosoftWindowsCurrentVersionRunUpdater are common, along with the mutex name GlobalMSIEXEC_UPDATE.

☠️ Risk & Impact

Unknown Loader facilitates data exfiltration and subsequent ransomware deployment, causing financial losses averaging $2M per incident according to 2023 CrowdStrike threat data. Affected sectors include manufacturing, healthcare, and energy, with small-to-medium enterprises (SMEs) being the primary targets due to weaker defenses.

🛡️ Mitigation

Recommended defenses include enabling macro security policies via Group Policy, deploying YARA rules from Unit 42’s GitHub repository, and applying patches for CVE-2022-30190. EDR solutions with behavioral blocking rules for process injection and DLL side-loading (e.g., Splunk ES rule 2023-004) are effective.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.