New SharkLoader Malware Strengthens StrikeShark Cyberattacks Targeting Global Organizations
A recently identified cyberattack campaign uses a novel malware family named SharkLoader, a loader that deploys Cobalt Strike Beacon on compromised systems. The campaign, tracked by Kaspersky under the name StrikeShark, has targeted a variety of organizations, including a diplomatic entity in Indonesia, government institutions in Taiwan, and software development firms across multiple countries, as well as entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
Broad Geographic Reach and Diverse Targeting
Kaspersky’s analysis indicates that the campaign exhibits a wide geographic reach and a diverse set of targets, rather than focusing on a specific industry or region. The organization noted, “The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region.”
While there are no direct links to known threat actors or groups, the operators have employed several open-source post-compromise tools, including FScan and Pillager, which are commonly utilized by Chinese-speaking developers. This has led to speculation that the campaign may be orchestrated by a Chinese-speaking threat actor.
Exploitation of Vulnerabilities
The attack chains used by StrikeShark involve two primary access pathways. One exploits known vulnerabilities in Exchange Server, such as CVE-2021-26855 (commonly referred to as ProxyLogon), to target the Indonesian diplomatic organization. The other uses a path traversal vulnerability in Openfire (CVE-2023-32315) against Taiwanese software development firms, or a critical remote code execution vulnerability in GeoServer (CVE-2024-36401) against Colombian organizations.
Kaspersky has identified several other remote code execution and authentication bypass vulnerabilities that the threat actor has weaponized.
Initial Access and Persistence
It is assessed that the threat actors are likely using publicly available proof-of-concept (PoC) exploits hosted on platforms like GitHub to gain initial access opportunistically. Once a foothold is established, they deploy web shells to trigger a DLL side-loading chain involving SystemSettings.exe (CVE-2021-27076) to deliver SharkLoader, which is disguised as SystemSettings.dll.
A second method of distribution involves custom dropper executables masquerading as legitimate software installers, such as Google Update and Cisco AnyConnect. These droppers execute the malware loader once the installation process is completed. The specific delivery methods for these droppers remain unclear.
Kaspersky explained, “In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file. However, not all samples employ this technique, as some droppers function solely as a delivery mechanism for SharkLoader without presenting any lure content.”
Advanced Techniques for Execution
Once the DLL is loaded, SharkLoader employs a technique known as Perfect DLL Hijacking, which allows it to execute malicious code while bypassing the Windows Loader Lock—a system-wide lock held by the operating system during DLL loading and unloading. This technique was detailed by security researcher Elliot Killick in October 2023.
SharkLoader is specifically designed to decrypt and load DscCoreR.mui, which is subsequently used to decompress and load Cobalt Strike in a new thread created in a suspended state. This process involves two additional components:
- SyncRes.dat, which installs multiple Windows API hooks using the Microsoft Detours library to monitor exceptions generated during runtime.
- MinHook DLL, which installs API hooks for the VirtualAlloc and Sleep functions, enabling the copying of the decompressed Cobalt Strike Beacon into the allocated memory region. The Sleep-related hook is activated when the Beacon calls Sleep, likely to evade memory scanning techniques that identify executable (RWX) code regions.
Kaspersky elaborated, “Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon.”
Persistence Mechanisms and Reconnaissance
Although SharkLoader does not include a persistence mechanism of its own, the threat actor has been observed using Registry Run keys and scheduled tasks to launch SystemSettings.exe at user login, or even when no user is logged in.
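The side-loading chain above (SystemSettings.exe loading a malicious SystemSettings.dll from its own folder) and the Run-key and scheduled-task persistence just described give defenders a concrete hunting pattern. The following is an added example, not code from Kaspersky or the original report: it triages exported autorun entries and flags any that launch SystemSettings.exe from outside its normal folder or beside a sibling SystemSettings.dll. The expected install folder and all sample entries are assumptions or constructed data, not indicators from the campaign.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumption (not from the article): the genuine binary normally lives here,
# so a copy launched from anywhere else by an autorun entry deserves a look.
EXPECTED_DIR = r"c:\windows\immersivecontrolpanel"

@dataclass
class Finding:
    source: str      # autorun location the entry was exported from
    command: str     # command line exactly as exported
    reasons: list    # why the entry was flagged

def exe_from_command(command: str) -> str:
    """Return the executable path at the start of a command line (quoted or bare)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""

def triage(entries, dll_dirs):
    """entries: (source, command) pairs from Run keys and scheduled-task actions.
    dll_dirs: lowercase folders where a SystemSettings.dll was found on disk
    (a collector would supply this; here it is constructed sample data)."""
    findings = []
    for source, command in entries:
        exe = exe_from_command(command)
        if ntpath.basename(exe).lower() != "systemsettings.exe":
            continue
        folder = ntpath.dirname(exe).lower()
        reasons = []
        if folder != EXPECTED_DIR:
            reasons.append(f"launched from unexpected folder {folder}")
        if folder in dll_dirs:
            reasons.append("SystemSettings.dll sits beside the executable (side-load candidate)")
        if reasons:
            findings.append(Finding(source, command, reasons))
    return findings

# Constructed sample data, not real telemetry from the campaign.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     r'"C:\ProgramData\Update\SystemSettings.exe"'),
    (r"TaskScheduler\SysSettingsTask", r"C:\Users\Public\Libraries\SystemSettings.exe /s"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_DLL_DIRS = {r"c:\programdata\update"}

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES, SAMPLE_DLL_DIRS):
        print(f.source, "->", "; ".join(f.reasons))
```

In practice the entries would come from an autoruns export or a registry and task-scheduler collector, and the DLL folder set from a file-system sweep of the same hosts.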
The attacks also encompass an extensive reconnaissance phase following initial compromise and persistence. This includes Active Directory enumeration, credential theft targeting the LSASS process and the NTDS database file, and deploying open-source scanners and information-gathering tools like FScan, Searchall, and Pillager.
Because no active data exfiltration has been observed, the objectives of StrikeShark remain unclear. However, the targeting of government and software development organizations suggests a potential focus on cyber espionage, with interest in political intelligence or intellectual property.
Kaspersky noted, “The use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems. The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”
For further details, visit the original reporting source: thehackernews.com.