QuirkyLoader: A New Malware Loader Spreading Infostealers and Remote Access Trojans (RATs)
IBM X-Force has tracked QuirkyLoader, a sophisticated loader malware deployed by threat actors to distribute prominent families such as Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger.
This multi-stage threat initiates through spam emails from legitimate providers or self-hosted servers, attaching malicious archives containing a legitimate executable, an encrypted payload masquerading as a DLL, and a malicious DLL loader.

Payload Delivery
Leveraging DLL side-loading, the legitimate executable inadvertently loads the malicious DLL, which then decrypts and injects the final payload via process hollowing into processes like AddInProcess32.exe, InstallUtil.exe, or aspnet_wp.exe.
This technique ensures stealthy execution, evading initial detection by mimicking benign operations.
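A defender-side hunt for the two behaviours described above, written as an added example rather than anything from the IBM X-Force report or gbhackers: it flags the named hollowing targets when spawned by a parent outside system directories, and DLL loads resolved from an executable's own user-writable directory. The telemetry field names, the sample events and the trusted/user-writable path lists are assumptions.

```python
import ntpath

# Processes the article names as hollowing targets for the final payload.
HOLLOWING_TARGETS = {"addinprocess32.exe", "installutil.exe", "aspnet_wp.exe"}
# Assumed heuristics, not from the article: where extracted mail attachments
# usually land, and which parent directories we treat as trusted.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")

def _dir(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"

def suspicious_hollowing_target(event):
    """ProcessCreate: a named hollowing target spawned by a non-system parent
    (for example an EXE run straight out of an extracted archive)."""
    image = ntpath.basename(event["image"]).lower()
    trusted = _dir(event["parent_image"]).startswith(TRUSTED_PARENT_PREFIXES)
    return image in HOLLOWING_TARGETS and not trusted

def suspicious_sideload(event):
    """ImageLoad: DLL resolved from the EXE's own user-writable directory, the
    shape side-loading takes when EXE, loader DLL and payload drop together."""
    exe_dir, dll_dir = _dir(event["image"]), _dir(event["loaded_image"])
    return exe_dir == dll_dir and exe_dir.startswith(USER_WRITABLE_PREFIXES)

def triage(events):
    """Return (event id, rule name) for every event that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "ProcessCreate" and suspicious_hollowing_target(e):
            hits.append((e["id"], "hollowing-target"))
        elif e["type"] == "ImageLoad" and suspicious_sideload(e):
            hits.append((e["id"], "dll-sideload"))
    return hits

# Constructed sample telemetry; field names are assumptions, paths are not IoCs.
TMP = r"C:\Users\alice\AppData\Local\Temp\invoice"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"id": 1, "type": "ImageLoad", "image": TMP + r"\viewer.exe",
     "loaded_image": TMP + r"\helper.dll"},
    {"id": 2, "type": "ImageLoad", "image": r"C:\Windows\System32\notepad.exe",
     "loaded_image": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "type": "ProcessCreate", "image": NETFX + r"\AddInProcess32.exe",
     "parent_image": TMP + r"\viewer.exe"},
    {"id": 4, "type": "ProcessCreate", "image": NETFX + r"\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed events flags only event 1 (side-load pattern) and event 3 (hollowing target with an untrusted parent); the system-to-system loads in events 2 and 4 stay quiet.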

The core DLL module of QuirkyLoader is authored in C# .NET and compiled using ahead-of-time (AOT) methods, producing native machine code that resembles C or C++ binaries, bypassing traditional .NET runtime analysis.
Technical Breakdown
The loader employs Win32 APIs ...
Copyright of this story solely belongs to gbhackers.