Finnish cybersecurity firm WithSecure has identified a new malware dubbed SILKLOADER that has been used by clusters of Chinese and Russian cybercriminals to infect machines with Cobalt Strike, a legitimate post-exploitation tool used for red team operations.
The malware utilises DLL side-loading techniques to deliver commercial adversary simulation software.
As improved detection capabilities against Cobalt Strike are forcing threat actors to seek alternative options or concoct new ways to propagate the framework, SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been discovered recently.
SILKLOADER and LithiumLoader employ the DLL side-loading method to hijack a legitimate application with the goal of running a separate, malicious dynamic link library (DLL).
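The side-loading pattern described above, where a legitimate executable ends up loading a planted DLL from its own directory, leaves a recognisable shape in image-load telemetry. The following is an added detection example, not WithSecure's code; it assumes Sysmon-style Event ID 7 (image load) records flattened to one `key=value|key=value` line each, and the DLL name list and sample events are constructed for illustration.

```python
"""Flag candidate DLL side-loads in image-load telemetry (added example).

Assumptions, not from the article: each record is a Sysmon-style Event ID 7
(image load) flattened to one 'key=value|key=value' line, and the DLL name
list is a small constructed subset of DLLs that normally ship in System32.
"""
import ntpath

# Constructed, illustrative subset; build a real list from a clean host.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptsp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample telemetry: a benign load from System32, a benign
# third-party DLL, and a system-named DLL planted beside its host binary.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Acme\acme.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Program Files\Acme\acme.exe|ImageLoaded=C:\Program Files\Acme\acmeui.dll|Signed=true",
    r"Image=C:\Users\u\AppData\Local\Temp\viewer.exe|ImageLoaded=C:\Users\u\AppData\Local\Temp\version.dll|Signed=false",
]

def parse_event(line):
    """Split 'k=v|k=v' into a dict; values keep their original case."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def is_side_load_candidate(ev):
    """A system-named DLL loaded from the host executable's own directory
    rather than a Windows system directory, and unsigned: the shape of a
    planted DLL that the loader's search order finds before the real one."""
    loader_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir, dll_name = ntpath.split(ev["ImageLoaded"].lower())
    if dll_name not in SYSTEM_DLL_NAMES:
        return False
    if dll_dir in SYSTEM_DIRS:
        return False
    return dll_dir == loader_dir and ev.get("Signed", "").lower() != "true"

def find_side_loads(lines):
    """Return the ImageLoaded paths of records that look like side-loads."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_side_load_candidate(ev):
            hits.append(ev["ImageLoaded"])
    return hits

if __name__ == "__main__":
    for path in find_side_loads(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

Hits still need triage, since some legitimate applications ship their own copy of a system-named DLL; pairing the alert with the DLL's hash and signer narrows it quickly.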
WithSecure identified the shellcode loader following an analysis of “several human-operated intrusions” targeting a wide range of organisations located in Brazil, France, and Taiwan in Q4 2022.
Although these attacks were unsuccessful, the activity is suspected to be a lead-up to ransomware deployments, with the tactics and tooling “heavily overlapping” with those attributed to the operators of the Play ransomware.
Another loader known as BAILLOADER, which is also used to distribute Cobalt Strike beacons, has been linked to attacks involving Quantum ransomware, GootLoader, and the IcedID trojan in recent months.
This has given rise to the possibility that disparate threat actors share Cobalt Strike beacons, crypters, and infrastructure provided by third-party affiliates to service multiple intrusions utilizing different tactics. SILKLOADER is likely being offered as an off-the-shelf loader through a Packer-as-a-Service program to Russian-based threat actors.
Samples analyzed by the company show that early versions of the malware date back to the start of 2022, with the loader exclusively put to use in different attacks targeting victims in China and Hong Kong.
As the cybercriminal ecosystem becomes more modularized via service offerings, it is no longer possible to attribute attacks to threat groups simply by linking them to specific components within their attacks, according to WithSecure researchers. SILKLOADER and BAILLOADER are the latest examples of threat actors refining and retooling their approaches to stay ahead of the detection curve.