Attackers began using pirated software sites and popular video platforms to distribute CountLoader and GachiLoader malicious downloads. This is reported by Anti-Malware.
According to analysts, the current campaign is built around CountLoader, a modular tool used as the first stage of multi-stage attacks. To get infected, you just need to try downloading a “cracked” version of the popular software. The user is redirected to the file hosting service, which contains an archive with additional encrypted content and documents with passwords. Once extracted, an executable file is launched, disguised as an installer, downloading malicious code from a remote server.
To gain a foothold in the system, CountLoader disguises itself as a system process that can be executed at high frequency for many years. The loader also analyzes installed security software, and when it detects individual solutions, it changes its behavior, reducing the risk of detection. Next, it collects information about the system and prepares to launch the next phase of the attack.
Experts note that the new version of CountLoader has expanded capabilities, including launching various file types, executing code in memory, delivering via USB drives, collecting detailed telemetry data, and erasing activity traces. In one documented case, the final payload was an ACR Stealer designed to steal sensitive data.
Check Point experts in turn reported another malicious campaign using GachiLoader, a downloader distributed through a network of hacked YouTube accounts. Attackers published videos with links to malicious “installers” for popular software. In total, about a hundred such videos were identified, which in total received more than 220 thousand views. Much of the content has been removed by Google.
GachiLoader has the ability to bypass security mechanisms, check administrative rights, and attempt to disable Microsoft Defender components. In one case, it was used to deliver the stolen Rhadamanthys.
