www.securityweek.com 4/1/2026, 3:27:55 PM

New DeepLoad Malware Dropped in ClickFix Attacks

According to ReliaQuest, the newly revealed DeepLoad malware is distributed via a ClickFix delivery chain and is capable of stealing credentials, installing a fraudulent browser extension, and spreading via USB drives. The campaign first observed in the wild targeted Windows systems, where a fake browser error message urged victims to run a command that launched a PowerShell loader, which then dropped DeepLoad.

The loader generates a secondary DLL on the fly in the Temp directory, with a different file name on each execution to help evade detection, and DeepLoad is injected into LockAppHost[.]exe using APC injection to blend with legitimate activity. Credential exfiltration is designed to occur from the outset, with the credential stealer running alongside the main loader and the C2 communications kept separate from the credential theft process.
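The chain described above leaves three correlatable traces on an endpoint: a PowerShell process started from a user-facing parent, a freshly named DLL written to the Temp directory by that process, and that same process opening LockAppHost.exe. The following detection sketch is an added example written for this summary; it is not ReliaQuest's or SecurityWeek's code. It runs three rules over a constructed, Sysmon-like event list and only raises a high-confidence verdict when all three fire for the same source PID. The event schema, field names, the Run-dialog/browser parent list and the benign-accessor allowlist are assumptions, and the sample events are constructed.

```python
"""DeepLoad-style chain detection over constructed endpoint telemetry.

Added example, not code from the article or from ReliaQuest. The event layout
mimics Sysmon process-create / file-create / process-access records, but the
field names below are an assumption chosen for this sketch.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumption: a ClickFix lure is pasted into the Run dialog (explorer.exe parent)
# or executed directly from the browser that showed the fake error.
CLICKFIX_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# The loader writes its secondary DLL under %TEMP% with a different name each run,
# so match on location and extension, not on a fixed file name.
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dll$", re.IGNORECASE)
INJECTION_TARGET = "lockapphost.exe"
# Assumption: processes that legitimately open LockAppHost.exe and should not alert.
BENIGN_ACCESSORS = {"csrss.exe", "lsass.exe", "svchost.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix_launch(ev: dict) -> bool:
    """PowerShell started from a parent consistent with a ClickFix lure."""
    return (ev.get("type") == "process_create"
            and basename(ev.get("image", "")) in SCRIPT_HOSTS
            and basename(ev.get("parent_image", "")) in CLICKFIX_PARENTS)


def rule_temp_dll_drop(ev: dict) -> bool:
    """A script host writes a DLL into the user's Temp directory."""
    return (ev.get("type") == "file_create"
            and basename(ev.get("image", "")) in SCRIPT_HOSTS
            and TEMP_DLL.search(ev.get("target", "")) is not None)


def rule_lockapphost_access(ev: dict) -> bool:
    """A non-allowlisted process opens LockAppHost.exe (APC injection precursor)."""
    return (ev.get("type") == "process_access"
            and basename(ev.get("target_image", "")) == INJECTION_TARGET
            and basename(ev.get("image", "")) not in BENIGN_ACCESSORS)


RULES = {
    "clickfix_launch": rule_clickfix_launch,
    "temp_dll_drop": rule_temp_dll_drop,
    "lockapphost_access": rule_lockapphost_access,
}


def analyze(events: list) -> dict:
    """Apply every rule to every event and correlate hits by acting PID.

    `pid` is the process that performed the action: the new process for
    process_create, the writer for file_create, the source for process_access.
    A PID that trips all three rules is reported as high confidence.
    """
    findings = []
    chains = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["pid"]))
                chains[ev["pid"]].add(name)
    high = sorted(pid for pid, hits in chains.items() if len(hits) == len(RULES))
    return {"findings": findings, "chains": dict(chains), "high_confidence": high}


# Constructed sample telemetry (not taken from the article). PID 4120 walks the
# full chain; PID 5000 is an operator opening a console; PID 6100 is an installer
# dropping a DLL in Temp, which the script-host gate in rule 2 leaves alone.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <redacted placeholder>"},
    {"type": "file_create", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\kq7m2x.dll"},
    {"type": "process_access", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\SystemApps\LockAppHost.exe"},  # path is an assumption
    {"type": "process_create", "pid": 5000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"type": "file_create", "pid": 6100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\setup_helper.dll"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for name, pid in result["findings"]:
        print(f"{name:<20} pid={pid}")
    print("high confidence:", result["high_confidence"])
```

Rule 1 on its own is noisy (administrators launch PowerShell from Explorer all the time), which is why the verdict keys on the correlation rather than on any single hit; in a real pipeline the per-PID correlation would also carry a time window and the Temp DLL path would be joined to the later image-load or injection event.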

The threat also includes the ability to drop a rogue browser extension to capture user activity and data, and ReliaQuest notes the malware can propagate via USB drives, though it is unclear whether this functionality is built into DeepLoad itself or staged by its operators.


Article by CyberSIXT