Cybersecurity experts have uncovered a new version of KoiLoader, a malicious software used to deploy harmful programs and steal sensitive data. The latest version, identified by eSentire’s Threat Response Unit (TRU), is designed to bypass security measures and infect systems without detection.
How the Attack Begins
The infection starts with a phishing email carrying a ZIP file named `chase_statement_march.zip`. Inside the ZIP folder, there is a shortcut file (.lnk) that appears to be a harmless document. However, when opened, it secretly executes a command that downloads more harmful files onto the system. This trick exploits a known weakness in Windows, allowing the command to remain hidden when viewed in file properties.
The Role of PowerShell and Scripts
Once the user opens the fake document, it triggers a hidden PowerShell command, which downloads two JScript files named `g1siy9wuiiyxnk.js` and `i7z1x5npc.js`. These scripts work in the background to:
- Set up scheduled tasks to run automatically.
- Make the malware seem like a system-trusted process.
- Download additional harmful files from hacked websites.
The second script, `i7z1x5npc.js`, plays a crucial role in keeping the malware active on the system. It collects system information, creates a unique file path for persistence, and downloads PowerShell scripts from compromised websites. These scripts disable security features and load KoiLoader into memory without leaving traces.
How KoiLoader Avoids Detection
KoiLoader uses various techniques to stay hidden and avoid security tools. It first checks the system’s language settings and stops running if it detects Russian, Belarusian, or Kazakh. It also searches for signs that it is being analyzed, such as virtual machines, sandbox environments, or security research tools. If it detects these, it halts execution to avoid exposure.
To remain on the system, KoiLoader:
• Exploits a Windows feature to bypass security checks.
• Creates scheduled tasks that keep it running.
• Uses a unique identifier based on the computer’s hardware to prevent multiple infections on the same device.
Once KoiLoader is fully installed, it downloads and executes another script that installs KoiStealer. This malware is designed to steal:
1. Saved passwords
2. System credentials
3. Browser session cookies
4. Other sensitive data stored in applications
Command and Control Communication
KoiLoader connects to a remote server to receive instructions. It sends encrypted system information and waits for commands. The attacker can:
• Run remote commands on the infected system.
• Inject malicious programs into trusted processes.
• Shut down or restart the system.
• Load additional malware.
This latest KoiLoader variant showcases sophisticated attack techniques, combining phishing, hidden scripts, and advanced evasion methods. Users should be cautious of unexpected email attachments and keep their security software updated to prevent infection.
