New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks 🚨
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark, reported that the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region. The campaign does not exhibit direct links to any known threat actor or group, although the operators have utilized several open-source post-compromise tools like FScan and Pillager, commonly used by Chinese-speaking developers. It’s believed that the campaign is the handiwork of a Chinese-speaking threat actor.
Attack Vectors 🔍
Attack chains involve two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon), to strike the Indonesian diplomatic entity, or through a path traversal vulnerability impacting Openfire (CVE-2023-32315) in the case of Taiwanese software development organizations, or a critical remote code execution bug in GeoServer (CVE-2024-36401) to target a Colombian organization. It’s assessed that the threat actors are likely employing publicly available proof-of-concept (PoC) exploits hosted on GitHub or other open-source platforms to gain initial access in an opportunistic manner.
Upon gaining a foothold, the threat actors establish persistence by deploying web shells to trigger a DLL side-loading chain involving SystemSettings.exe to deliver SharkLoader (SystemSettings.dll). Additionally, a second method used by StrikeShark to distribute the loader is via custom dropper executables masquerading as legitimate software installers or applications like Google Update and Cisco AnyConnect, executing the malware loader once the installation process completes. Several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file.
Execution and Persistence 🔒
Once the DLL is loaded, SharkLoader implements what’s called Perfect DLL Hijacking, a technique detailed by security researcher Elliot Killick in October 2023, to execute malicious code while bypassing Windows Loader Lock. Specifically, it’s engineered to decrypt and load DscCoreR.mui, which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state, along with two other components. MinHook DLL installs API hooks for the VirtualAlloc and Sleep functions to copy the decompressed Cobalt Strike Beacon into the allocated memory region using VirtualAlloc.
The attacks also involve an extensive reconnaissance phase following initial compromise and persistence, with the threat actor engaging in Active Directory enumeration, credential theft by targeting the LSASS process and the NTDS database file, and deploying open-source scanners and information gathering tools like FScan, Searchall, and Pillager. Given the absence of active data exfiltration, it’s unclear what the end goals of StrikeShark are. However, the targeting of government and software development organizations suggests a cyber espionage bent with a potential interest in hoovering political intelligence or intellectual property.
For more details, check out the full article: Read full article