QuirkyLoader Delivers Infostealers and RATs to Multiple Global Entities

Executive Summary

Since November 2024, IBM X-Force has been tracking QuirkyLoader, a new malware loader actively used to deliver a variety of well-known payloads, including keyloggers and Remote Access Trojans (RATs). This multi-stage infection begins with a malicious email attachment that exploits dynamic-link library (DLL) side-loading to execute a hidden malicious DLL. The loader, consistently written in C# .NET with ahead-of-time (AOT) compilation, uses sophisticated methods such as process hollowing and a rare encryption cipher to evade detection before injecting the final payload. Recent campaigns have been observed targeting organizations in Taiwan, demonstrating its global reach.

Community Impact

The retail and hospitality sectors are at heightened risk from QuirkyLoader because of its primary delivery method: malicious email attachments that ultimately drop keyloggers and RATs. A successful infection could lead to the theft of employee and customer credentials, financial data, and sensitive internal information. RH-ISAC Core Members are therefore encouraged to review the intelligence summarized in this report and the original IBM X-Force report, and to review and ingest the Indicators of Compromise included below.

Analysis

QuirkyLoader utilizes a sophisticated and deceptive infection chain that begins with a malicious archive attached to a spam email. The archive contains a legitimate executable and a malicious DLL. When the user launches the legitimate file, it triggers a DLL side-loading attack, which in turn executes the hidden, malicious DLL. This DLL is notable for being consistently written in C# .NET and compiled using ahead-of-time (AOT) compilation, a technique that makes the resulting binary appear as though it were written in C or C++, effectively disguising its true nature to security software. The loader then decrypts a final payload using methods like the uncommon Speck-128 cipher with CTR mode. To further evade detection, it performs process hollowing, dynamically resolving Win32 APIs to inject the final payload into a legitimate, suspended process, such as AddInProcess32.exe or aspnet_wp.exe, before resuming its execution. Some of the well-known malware families that use QuirkyLoader include:
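Detection angle on the chain above, as an added example that is not part of the IBM X-Force or RH-ISAC report: two heuristics run over constructed Sysmon-style process-creation and image-load events, flagging an unsigned DLL loaded from the same user-writable folder as its host executable (the side-loading step) and one of the named .NET hollowing targets being spawned by a parent that lives in a user-writable path. Field names, paths and the sample events are assumptions built for this example.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (JSON lines) built for this example; not telemetry from the report.
SAMPLE_LOG = r"""
{"EventType":"ImageLoad","ProcessId":4120,"Image":"C:\\Users\\alice\\Downloads\\order\\viewer.exe","ImageLoaded":"C:\\Users\\alice\\Downloads\\order\\helper.dll","Signed":false}
{"EventType":"ProcessCreate","ProcessId":4188,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe","ParentImage":"C:\\Users\\alice\\Downloads\\order\\viewer.exe"}
{"EventType":"ImageLoad","ProcessId":2200,"Image":"C:\\Program Files\\Vendor\\app.exe","ImageLoaded":"C:\\Windows\\System32\\helper.dll","Signed":true}
{"EventType":"ProcessCreate","ProcessId":2310,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe","ParentImage":"C:\\Program Files\\Vendor\\app.exe"}
"""

# Legitimate .NET processes the report names as hollowing targets.
HOLLOW_HOSTS = {"addinprocess32.exe", "aspnet_wp.exe"}
# Directory fragments an ordinary user can write to (extracted mail attachments land here).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def analyse(log_text: str) -> list[tuple[str, int]]:
    """Return (finding, ProcessId) pairs for events matching QuirkyLoader-style behaviour."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventType"] == "ProcessCreate":
            child = PureWindowsPath(ev["Image"]).name.lower()
            # A hollowing host started by an executable in a user-writable folder:
            # the side-loaded host EXE is the parent, not a trusted .NET application.
            if child in HOLLOW_HOSTS and is_user_writable(ev["ParentImage"]):
                findings.append(("hollow_host_from_user_path", ev["ProcessId"]))
        elif ev["EventType"] == "ImageLoad":
            host_dir = PureWindowsPath(ev["Image"]).parent
            dll_dir = PureWindowsPath(ev["ImageLoaded"]).parent
            # Side-loading heuristic: an unsigned DLL loaded from the same user-writable
            # directory as the EXE that loaded it. Tune by also matching known system DLL names.
            if not ev["Signed"] and host_dir == dll_dir and is_user_writable(ev["Image"]):
                findings.append(("dll_sideload_candidate", ev["ProcessId"]))
    return findings


if __name__ == "__main__":
    for finding, pid in analyse(SAMPLE_LOG):
        print(f"{finding}: pid {pid}")
```

Both heuristics will fire on some legitimate software (portable apps, add-in hosts launched from user profiles), so they belong in a hunting or scoring rule rather than a blocking one.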

Indicators of Compromise

IBM X-Force has provided the following Indicators of Compromise associated with QuirkyLoader:
