Cyax Loader

Threat type: Dropper/Trojan
Cyax Loader malware uses a PowerShell script to disable various defense mechanisms built into the system. The script then downloads the next payload, a Windows Nullsoft Scriptable Install System (NSIS) installer that installs a local certificate and launches a secondary PowerShell script. This second PowerShell script drops an embedded portable executable and uses Microsoft InstallUtil to run the main loader in memory rather than from disk, so that the malware is less likely to be detected by traditional antivirus solutions.
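The chain above gives a defender two process-lineage signals: PowerShell switching off built-in defenses, and InstallUtil launched by PowerShell against a file in a user-writable path. The following Python detector, added here as an example and not code from the Umbrella page or from Cyax Loader analysis, runs those checks over constructed process-creation records; the `ProcEvent` field names and every path and command line are assumptions, not Cyax Loader IOCs.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    """Constructed process-creation record; field names are assumptions, not a real log schema."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str

# Stage 1 of the chain: PowerShell turning off built-in defenses (real Defender cmdlet/parameter names).
DEFENSE_TAMPER_TOKENS = ("set-mppreference", "disablerealtimemonitoring",
                         "add-mppreference", "exclusionpath")
# Paths a legitimate InstallUtil run would rarely target but a dropped stage would live in.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")

def classify(ev: ProcEvent) -> List[str]:
    """Return the detection names that fire for one event (empty list means nothing matched)."""
    img, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.command_line.lower()
    hits = []
    if img.endswith("powershell.exe") and any(t in cmd for t in DEFENSE_TAMPER_TOKENS):
        hits.append("powershell-defense-tamper")
    # Later stage: InstallUtil is normally launched from a developer shell or installer, not PowerShell.
    if img.endswith("installutil.exe") and parent.endswith("powershell.exe"):
        hits.append("installutil-spawned-by-powershell")
    if img.endswith("installutil.exe") and any(p in cmd for p in USER_WRITABLE):
        hits.append("installutil-user-writable-target")
    return hits

def scan(events: List[ProcEvent]) -> List[tuple]:
    """Run classify() over a batch; return (index, detections) for events that fired."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results

# Constructed sample events (not Cyax Loader IOCs): one tamper, one InstallUtil abuse, one benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"InstallUtil.exe C:\Users\alice\AppData\Local\Temp\stage.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r"InstallUtil.exe C:\Program Files\Contoso\Service.exe"),
]
```

Calling `scan(SAMPLE_EVENTS)` flags the first two records and leaves the developer-shell InstallUtil run alone; the benign third event is there to show the parent-process check doing its job.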

After passing virtual machine and analysis detection tests and establishing evasion and persistence, the Cyax malware proceeds to deliver follow-up payloads, including trojans such as Azorult, FormBook, NetWire, NjRAT, Pony and Imminent Monitor RAT.
How Umbrella blocks Cyax Loader
Umbrella blocks domains that are tied to malicious files as well as IP addresses associated with Cyax Loader IOCs. Umbrella uses AV engines and Cisco Advanced Malware Protection (AMP) to block these malicious files before they are downloaded. AMP detects Cyax Loader malware as Trojan.IGENERIC and Umbrella proactively blocks the threat.

IOCs (Indicators of Compromise)