Fast Facts
- The campaign leverages publicly available exploits and custom dropper executables masquerading as legitimate software to deliver SharkLoader, which deploys Cobalt Strike for post-compromise control.
- SharkLoader uses sophisticated DLL hijacking techniques and API hooking to load Cobalt Strike stealthily into infected hosts while bypassing Windows security defenses.
- The attackers conduct extensive reconnaissance and potentially broader espionage activities, targeting government and software firms, with possible future data exfiltration.
Threat, Attack Techniques, and Targets
The recent campaign involves malware called SharkLoader, which acts as a loader for deploying Cobalt Strike Beacon on infected devices. Kaspersky tracks this activity under the name StrikeShark. The campaign has targeted a wide range of organizations. These include a diplomatic agency in Indonesia, government agencies in Taiwan, and software companies in multiple countries. Other targets are located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The campaign does not focus on a specific industry or region.

It uses various methods to gain access. For example, it exploits known vulnerabilities like CVE-2021-26855 in Exchange Server. It also exploits bugs in Openfire (CVE-2023-32315) and GeoServer (CVE-2024-36401). The attackers use open-source tools like FScan and Pillager after they gain access. They often use publicly available proof-of-concept exploits from platforms like GitHub. Once inside, they deploy web shells that trigger DLL side-loading. This method involves loading malicious DLL files like “SystemSettings.dll” to execute SharkLoader. Other methods include delivering custom dropper executables disguised as legitimate installers, such as Google Update and Cisco AnyConnect. Some droppers also use decoy PDF files to trick victims into opening them.

After the malware is loaded, SharkLoader uses a technique called Perfect DLL Hijacking. This lets it run malicious code while bypassing Windows’ system protections. It decrypts and loads components that help deploy Cobalt Strike, including “DscCoreR.mui” and other DLLs to facilitate code execution and memory manipulation.
Impact, Security Implications, and Remediation Guidance
The campaign’s impact can be serious. It can allow attackers to perform extensive reconnaissance, including domain and credential harvesting. They target important systems like Active Directory and the local machine’s system files. While there is no current evidence of data exfiltration, the use of tools like Cobalt Strike suggests attackers could later steal sensitive data or maintain long-term access. The attack techniques, such as exploiting known vulnerabilities and evading detection through DLL hijacking, pose significant security risks.

It is important to apply security patches for all vulnerable systems. Organizations should also monitor for unusual activity like web shell files or unexpected process behavior, including system DLLs being loaded from directories where they do not belong. Additionally, checking Registry Run keys and scheduled tasks can help identify persistent threats. For further remediation steps, it is advised to consult the relevant vendor or authority for specific guidance. It is recommended to review your security measures regularly and update software to prevent similar attacks.
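One way to act on the monitoring advice above is to check image-load telemetry for the DLL names this summary associates with SharkLoader being loaded from outside the Windows system directories. The script below is an added example, not code from the original report or from Kaspersky; it reads Sysmon Event ID 7 (ImageLoad) records as JSON lines, and the trusted directory list, the web-server worker process names, and the sample log lines are constructed assumptions for illustration.

```python
import json
from pathlib import PureWindowsPath

# DLL names the campaign summary says SharkLoader is delivered through (from the report).
WATCHED_DLLS = {"systemsettings.dll", "dsccorer.mui"}
# Directories where a legitimate copy of these files is expected (assumption for this example).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Web application worker processes; a web shell would run in one of these (assumption).
WEB_WORKERS = {"w3wp.exe", "java.exe"}

def is_trusted_path(path):
    """True if the Windows path sits under one of the trusted system directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def check_image_load(event):
    """Return the reasons a Sysmon ImageLoad event looks like side-loading (empty = benign)."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    process = PureWindowsPath(event.get("Image", "")).name.lower()
    name = loaded.name.lower()
    reasons = []
    if name not in WATCHED_DLLS:
        return reasons
    if not is_trusted_path(str(loaded)):
        reasons.append(f"{name} loaded from untrusted directory {loaded.parent}")
    if event.get("Signed", "false").lower() != "true":   # missing field treated as unsigned
        reasons.append(f"{name} is not signed")
    if process in WEB_WORKERS:
        reasons.append(f"loaded by web server worker {process}")
    return reasons

def scan(lines):
    """Run check_image_load over JSON-lines input; return (process, dll, reasons) per alert."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        reasons = check_image_load(ev)
        if reasons:
            alerts.append((ev.get("Image"), ev.get("ImageLoaded"), reasons))
    return alerts

# Constructed sample events: one benign system load, one unrelated DLL, two suspicious loads.
SAMPLE_LOG = [
    '{"EventID": 7, "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\SystemSettings.dll", "Signed": "true"}',
    '{"EventID": 7, "Image": "C:\\\\Windows\\\\explorer.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\kernel32.dll", "Signed": "true"}',
    '{"EventID": 7, "Image": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "ImageLoaded": "C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\SystemSettings.dll", "Signed": "false"}',
    '{"EventID": 7, "Image": "C:\\\\Users\\\\Public\\\\GoogleUpdate.exe", "ImageLoaded": "C:\\\\Users\\\\Public\\\\DscCoreR.mui", "Signed": "false"}',
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {image} -> {dll}: {'; '.join(reasons)}")
```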