MintsLoader Malware Loader Targets StealC and BOINC to Attack Energy Sector Organizations

Tuesday, January 28, 2025

Cybersecurity experts have issued a warning about the spreading MintsLoader malware campaign, which targets organizations in the energy, oil and gas, and legal sectors across the United States and Europe. MintsLoader is designed to deploy secondary malware, such as StealC, a data-stealing tool, and BOINC, an open-source computing platform that has been maliciously modified.

According to eSentire, MintsLoader uses PowerShell scripts to carry out attacks, which are delivered through phishing emails containing links to fake pages (such as ClickFix or KongTuke) or attached JScript files. The attack begins when users click on the email links, which redirect them to a page displaying a fake CAPTCHA verification. This tricks victims into copying and executing malicious PowerShell scripts, which download MintsLoader onto the system. The malware then deletes itself to cover its tracks before contacting command-and-control (C2) servers for further instructions and evasion. The campaign employs a Domain Generation Algorithm (DGA) to create dynamic C2 domains that change daily, making blocklist-based detection more difficult. Additionally, MintsLoader fingerprints the target system to detect and evade sandbox environments and analysis tools.
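Because the C2 domains rotate daily, blocking individual domains lags behind the campaign; a more durable detection looks at the shape of the names a host is resolving. The following script is an added illustration of that approach and is not code from the article or from eSentire: it scores the registrable label of each queried domain on character entropy, vowel ratio, digit ratio and length, flags names that look machine-generated, and counts how many distinct flagged domains each host has queried. The DNS log lines, host names and domains are constructed for the example, and the thresholds are rough starting points, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical hosts and domains, not from the article).
SAMPLE_DNS_LOG = """\
2025-01-28T09:12:01Z host01 query A mail.example.com
2025-01-28T09:12:07Z host01 query A gdlxqtmzpvr0.top
2025-01-28T09:12:09Z host02 query A update.vendor-software.net
2025-01-28T09:12:11Z host01 query A 7kq2xv9zmlpa.xyz
2025-01-28T09:12:15Z host03 query A docs.example.org
2025-01-28T09:12:16Z host01 query A bnctyh3qwd8.top
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn):
    """Second-level label, e.g. 'example' for mail.example.com.
    Deliberately naive: it does not know multi-part public suffixes such as co.uk."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    """Character statistics of one label; ratios ignore hyphens."""
    chars = [ch for ch in label if ch.isalnum()]
    n = len(chars) or 1
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in chars) / n,
        "digit_ratio": sum(ch.isdigit() for ch in chars) / n,
        "length": len(label),
    }


def dga_score(label):
    """Heuristic 0-4 score. Each cut-off is an assumed starting point that a real
    deployment would tune against its own DNS baseline to control false positives."""
    f = dga_features(label)
    score = 0
    score += int(f["entropy"] > 3.0)        # many distinct characters
    score += int(f["vowel_ratio"] < 0.25)   # unpronounceable
    score += int(f["digit_ratio"] > 0.15)   # digits mixed into the name
    score += int(f["length"] >= 10)         # long random-looking label
    return score


def is_dga_candidate(fqdn, threshold=3):
    return dga_score(registrable_label(fqdn)) >= threshold


def analyze_dns_log(text):
    """Return (flagged domains in the order seen, distinct flagged domains per host).
    A single host resolving several flagged names is a stronger signal than one hit."""
    flagged = []
    per_host = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        host, fqdn = parts[1], parts[-1]
        if is_dga_candidate(fqdn):
            flagged.append(fqdn)
            per_host[host].add(fqdn)
    return flagged, {h: len(d) for h, d in per_host.items()}


if __name__ == "__main__":
    hits, by_host = analyze_dns_log(SAMPLE_DNS_LOG)
    for fqdn in hits:
        print(f"DGA candidate: {fqdn}  score={dga_score(registrable_label(fqdn))}")
    for host, count in by_host.items():
        print(f"{host}: {count} distinct DGA-like domains")
```

On the sample log the three random-looking names are flagged while the legitimate `vendor-software` label, which also has high entropy, stays below the threshold because it is pronounceable and digit-free; the per-host count shows host01 resolving three different candidates, the pattern a rotating DGA produces.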

The campaign is also linked to the development of a new version of JinxLoader, known as Astolfo Loader (or Jinx V3), which has been rewritten in C++ for enhanced efficiency. This development stems from the original JinxLoader code being sold on hacker forums. Another concerning campaign is GootLoader, which uses search engine optimization (SEO) manipulation to lure victims to fake websites hosted on compromised WordPress platforms. Victims are redirected to these sites to download malicious files. Sophos has reported that GootLoader selectively targets IP addresses and blocks repeat visits within 24 hours, often leaving website owners unaware that their pages have been altered.

Source: https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html