DoomedLoader

Pen testing

C2

DoomedLoader is a loader that delivers various malware to compromised Windows systems. First seen in June 2024, it is an initial access tool that lets attackers drop information stealers, ransomware or other malware. DoomedLoader is spread through phishing campaigns, email attachments or exploit kits to gain a foothold on the system for further exploitation.

Key Insights

Deployment and Infection Vectors

DoomedLoader is spread through phishing emails carrying malicious attachments or links. These emails are designed to look legitimate so that the user executes the loader. Once executed, DoomedLoader downloads and installs additional malware on the system. The deployment is crafted to bypass security defenses by relying on social engineering to trick the user into compromising their own system.

Capabilities and Functionality

As a loader, DoomedLoader's main function is to download and execute secondary payloads. It communicates with command and control (C2) servers to retrieve these payloads, which can be data stealers or ransomware. DoomedLoader may also implement persistence mechanisms so that the malicious activity continues even after system reboots. Its design is to carry out the initial stage of the attack so that more destructive malware can be dropped afterwards.
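The behaviour described in the Deployment and Capabilities sections (a loader launched from a phishing attachment, which then contacts a C2 server and installs persistence) can be expressed as a simple endpoint correlation rule. The script below is an added example written for this page, not code from the profile's author or from any vendor; it runs over constructed Sysmon-style events (process create, network connect, registry value set), and the parent-process list, path patterns, and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sysmon event IDs (real IDs); the events themselves are constructed below.
PROCESS_CREATE, NETWORK_CONNECT, REGISTRY_SET = 1, 3, 13

# Assumed list of mail clients and document viewers through which a phishing
# attachment is typically opened.
PHISH_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe",
                 "excel.exe", "acrord32.exe"}

# Directories a user can write without elevation; a fresh executable here,
# launched by a mail client, matches the attachment-drop pattern.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData\\(Local|Roaming))\\",
                           re.IGNORECASE)

# Run/RunOnce autostart keys: the most common reboot-survival mechanism.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Address ranges treated as internal; anything else counts as an outbound
# (potential C2 or payload-download) connection.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def correlate(events):
    """Group events by pid and collect the loader indicators seen per process."""
    procs = defaultdict(lambda: {"image": None, "indicators": set()})
    for ev in events:
        p = procs[ev["pid"]]
        if ev["id"] == PROCESS_CREATE:
            p["image"] = ev["image"]
            if basename(ev["parent_image"]) in PHISH_PARENTS:
                p["indicators"].add("spawned_by_mail_or_office")
            if USER_WRITABLE.search(ev["image"]):
                p["indicators"].add("user_writable_image")
        elif ev["id"] == NETWORK_CONNECT and not is_internal(ev["dest_ip"]):
            p["indicators"].add("outbound_connection")
        elif ev["id"] == REGISTRY_SET and RUN_KEY.search(ev["target"]):
            p["indicators"].add("run_key_persistence")
    return procs


def flag_loaders(events):
    """Return (pid, image, indicators) for processes that match the chain:
    dropped into a user-writable path by a mail/office parent, and then
    either reached out externally or installed Run-key persistence."""
    hits = []
    for pid, p in correlate(events).items():
        ind = p["indicators"]
        origin = {"spawned_by_mail_or_office", "user_writable_image"} <= ind
        acted = {"outbound_connection", "run_key_persistence"} & ind
        if origin and acted:
            hits.append((pid, p["image"], sorted(ind)))
    return hits


# Constructed sample telemetry (not real events or IoCs). Only pid 4100 shows
# the full loader chain; 4200 is a browser launched from Outlook and 4300 is a
# download run from Explorer that only talks to an internal host.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"id": 3, "pid": 4100, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 13, "pid": 4100,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "pid": 4200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"id": 3, "pid": 4200, "dest_ip": "198.51.100.7", "dest_port": 443},
    {"id": 1, "pid": 4300, "image": r"C:\Users\bob\Downloads\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 4300, "dest_ip": "10.0.0.5", "dest_port": 445},
]

if __name__ == "__main__":
    for pid, image, indicators in flag_loaders(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} -> {', '.join(indicators)}")
```

The rule deliberately requires the origin indicators (mail/office parent plus user-writable image) before it counts the network or persistence activity, which is what keeps a browser opened from a mail client or an installer run from Explorer out of the alert set. In a real deployment the same logic would be fed by Sysmon or EDR telemetry and the parent list and paths tuned to the environment.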

Evasion Techniques

DoomedLoader uses various techniques to evade security solutions. These can include code obfuscation, encrypted communication with C2 servers and abuse of legitimate system processes to hide its activity. By using these techniques DoomedLoader increases its chances of a successful infection and prolongs the time to detection and remediation.

Known Variants

There is limited publicly available information on specific variants of DoomedLoader. It has been seen in multiple campaigns, so it may be adapted or customized by different threat actors to fit their needs, but no detailed analysis of the different variants has been published.

Mitigation Strategies

  • User Education: Educate users to recognize and report phishing and suspicious emails.

  • Email Filtering: Use email filtering solutions to detect and block malicious attachments and links.

  • Endpoint Protection: Deploy endpoint protection platforms that can detect and mitigate loader malware.

  • Regular Updates: Keep all systems and software up to date to patch the vulnerabilities that DoomedLoader can exploit.

Targeted Industries or Sectors

DoomedLoader doesn't target specific industries or sectors. Because it spreads through mass phishing campaigns, it is an opportunistic attack that will compromise any vulnerable Windows system, so organizations and individuals across all sectors should be alert to the risk of DoomedLoader infection.

Associated Threat Actors

At the moment there is no attribution to specific threat actors. The malware has been used in multiple campaigns, so it could be operated by multiple groups or individuals with different motives. The lack of unique identifiers makes it hard to link DoomedLoader to a specific actor or group.
