Securonix researchers have documented a campaign they call “Frozen Shadow”. Using SSLoad malware together with Cobalt Strike and the ScreenConnect remote monitoring and management (RMM) tool, the attackers went from a single phishing-delivered script to full control of victims' Windows domains, with affected organizations on several continents.
Frozen Shadow details
The initial access vector is a phishing email containing a link to a JavaScript file hosted on mmtixmm[.]org. The script, named out_czlrh.js, is heavily obfuscated to evade antivirus scanning: massive blocks of comment text are inserted around the real code. Because the filler is repetitive, it lowers the file's overall entropy, so scanners that key on high entropy as a sign of packed or encoded payloads see a seemingly benign file.
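To make the entropy point concrete, the following is an added example (not code from the Securonix report, and the samples are not the campaign's out_czlrh.js): it measures Shannon entropy of a constructed high-entropy script before and after it is wrapped in large comment blocks, and shows the two-step check a triage tool should do instead of trusting raw file entropy: strip comments first, then measure, and treat a file whose bulk is comments and whose entropy jumps once they are removed as suspicious. The PAYLOAD and PADDED strings, the filler text and the 0.8 / 1.0-bit thresholds are all assumptions chosen for the demonstration.

```python
"""Why comment padding defeats a naive entropy heuristic, and how to look
past it. Added example with constructed inputs: PAYLOAD and PADDED stand in
for an obfuscated script; neither is the campaign's out_czlrh.js, and this
is not code from the Securonix report."""
import math
import random
import re
import string


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Block comments (non-greedy) and line comments. Deliberately naive: it does
# not understand '//' inside string literals, which is fine for triage.
_JS_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def strip_js_comments(src: str) -> str:
    return _JS_COMMENT_RE.sub("", src)


def comment_ratio(src: str) -> float:
    """Fraction of the file that is comment text, 0.0 to 1.0."""
    if not src:
        return 0.0
    return 1.0 - len(strip_js_comments(src)) / len(src)


def analyze(src: str) -> dict:
    """Entropy of the file as shipped, entropy of the code once comments are
    removed, and how much of the file the comments account for."""
    stripped = strip_js_comments(src)
    return {
        "raw_entropy": shannon_entropy(src.encode()),
        "stripped_entropy": shannon_entropy(stripped.encode()),
        "comment_ratio": comment_ratio(src),
    }


def looks_comment_padded(src: str, min_ratio: float = 0.8, min_gap: float = 1.0) -> bool:
    """True when most of the file is comments and entropy jumps once they are
    gone: the signature of a payload hidden behind low-entropy filler."""
    a = analyze(src)
    return a["comment_ratio"] >= min_ratio and a["stripped_entropy"] - a["raw_entropy"] >= min_gap


# --- constructed samples, not real malware ----------------------------------
_rng = random.Random(2024)
# URL-safe base64 alphabet: the blob can never contain '//' or '/*'.
_ALPHABET = string.ascii_letters + string.digits + "-_"
_BLOB = "".join(_rng.choice(_ALPHABET) for _ in range(320))
# Stand-in for a packed stage: a high-entropy blob handed to a decoder.
PAYLOAD = f'var p=atob("{_BLOB}");(new Function(p))();'
# Stand-in for the padding: many large blocks of repetitive comment text.
_FILLER_BLOCK = "/*" + "lorem ipsum dolor sit amet " * 80 + "*/\n"
PADDED = _FILLER_BLOCK * 40 + PAYLOAD

if __name__ == "__main__":
    for name, src in (("payload only", PAYLOAD), ("comment-padded", PADDED)):
        a = analyze(src)
        print(f"{name:15} raw={a['raw_entropy']:.2f} bits  "
              f"stripped={a['stripped_entropy']:.2f} bits  "
              f"comments={a['comment_ratio']:.1%}  padded={looks_comment_padded(src)}")
```

Run stand-alone, the padded sample reports raw entropy well below the bare payload while the comment ratio is above 99%; stripping the comments restores the payload's entropy. The comment stripper is intentionally simple, so a production version should tokenize properly, but the ordering (strip, then measure) is the point.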
Once the script runs, the attackers install RMM software and Cobalt Strike implants. These give them hands-on access for lateral movement through the network, ending in a complete takeover of the Windows domain through the creation of a new administrative account.
The victimology, according to Securonix, suggests a random selection of targets, with affected organizations spread across Asia, Europe, and the Americas. The campaign's end goal appears to be complete domain takeover, which gives the attackers broad access to sensitive data and control over every system in the domain.
The Frozen Shadow attack phases are summarized as follows:
- Victims receive a phishing email with a link to download the JavaScript file, which begins the intrusion.
- SSLoad malware, together with Cobalt Strike implants and ScreenConnect, is installed to give the attackers deep access to and control of the host.
- The malware beacons to multiple C2 servers, confirming the infection and awaiting further commands.
- The attackers move laterally across the network, using Cobalt Strike for persistent C2 and the RMM software to retain access.
- Finally, the attackers create a new domain admin account, giving them full administrative control over the domain.
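The last phase above is also the most detectable one, because Active Directory logs it twice. As an added example (not code from the Securonix report), the following correlates Windows Security event 4720 (a user account was created) with 4728, 4732 or 4756 (a member was added to a security-enabled global, local or universal group) and alerts when a newly created account lands in a privileged group within a short window. The event IDs and the field names SubjectUserName, TargetUserName, TargetSid and MemberSid follow the Windows Security log; the JSON-lines export layout, the fictional domain and account names, and the 24-hour window are assumptions made for the example.

```python
"""Detect the final step of the intrusion: an account that is created and then
placed in a privileged group. Added example with constructed JSON event
records; the Windows Security event IDs and field names are real, the JSON
export layout is assumed, and none of this is code from the Securonix report."""
import json
from datetime import datetime, timedelta

EVENT_ACCOUNT_CREATED = 4720                    # "A user account was created"
EVENT_GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # global / local / universal group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_events(lines):
    """One JSON object per line; returns the events sorted by time."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def find_new_privileged_accounts(events, window):
    """Pair each 4720 with a later 4728/4732/4756 into a privileged group.
    Correlation is on the account SID (TargetSid in 4720, MemberSid in the
    group event), so renaming the account between the two steps does not
    break the match. Existing accounts promoted without a 4720 are out of
    scope here and need their own rule."""
    created = {}   # SID -> creation event
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == EVENT_ACCOUNT_CREATED:
            created[ev["TargetSid"]] = ev
        elif eid in EVENT_GROUP_MEMBER_ADDED and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            origin = created.get(ev["MemberSid"])
            if origin and ev["_ts"] - origin["_ts"] <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "sid": ev["MemberSid"],
                    "group": ev["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "added_by": ev["SubjectUserName"],
                    "seconds_between": (ev["_ts"] - origin["_ts"]).total_seconds(),
                })
    return alerts


def detect(lines, window_seconds=24 * 3600):
    """Parse and correlate in one call; window defaults to 24 hours (assumed)."""
    return find_new_privileged_accounts(parse_events(lines), timedelta(seconds=window_seconds))


# Constructed sample export: fictional domain and users. The svc_update pair
# mirrors the campaign's last phase (create an account, add it to Domain Admins
# seconds later); the other lines are benign or out-of-window noise.
SAMPLE_LOG = """
{"TimeCreated": "2024-04-01T09:00:00", "EventID": 4720, "SubjectUserName": "hr_admin", "TargetUserName": "svc_old", "TargetSid": "S-1-5-21-1111-2222-3333-1107"}
{"TimeCreated": "2024-04-20T02:14:05", "EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "svc_update", "TargetSid": "S-1-5-21-1111-2222-3333-1105"}
{"TimeCreated": "2024-04-20T02:14:09", "EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=svc_update,CN=Users,DC=corp,DC=example", "MemberSid": "S-1-5-21-1111-2222-3333-1105"}
{"TimeCreated": "2024-04-20T02:16:30", "EventID": 4720, "SubjectUserName": "hr_admin", "TargetUserName": "tmp_intern", "TargetSid": "S-1-5-21-1111-2222-3333-1106"}
{"TimeCreated": "2024-04-20T02:17:00", "EventID": 4732, "SubjectUserName": "hr_admin", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=tmp_intern,CN=Users,DC=corp,DC=example", "MemberSid": "S-1-5-21-1111-2222-3333-1106"}
{"TimeCreated": "2024-04-20T02:20:00", "EventID": 4756, "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins", "MemberName": "CN=svc_old,CN=Users,DC=corp,DC=example", "MemberSid": "S-1-5-21-1111-2222-3333-1107"}
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT: {a['account']} ({a['sid']}) created by {a['created_by']} and added to "
              f"'{a['group']}' by {a['added_by']} after {a['seconds_between']:.0f}s")
```

With the default window only svc_update fires: it was created and added to Domain Admins four seconds apart by the same subject. The svc_old promotion is suppressed because the account is weeks old, and tmp_intern is ignored because Remote Desktop Users is not in the privileged set. Widening the window to 30 days surfaces svc_old as well, which is the trade-off to tune against how quickly legitimate provisioning in the environment grants elevated rights.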
Frozen Shadow combines phishing, commodity malware, and legitimate administrative tooling, a mix that is now typical of capable intrusion crews and that no single control stops. It argues for layered defenses:
Organizations are advised to strengthen phishing awareness and training so that users recognize and report suspicious emails, to restrict the download and execution of files from unknown external sources, and to maintain endpoint and network monitoring able to detect and respond promptly to activity such as RMM installs, Cobalt Strike beaconing, and unexpected privileged account creation.