Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection


A threat activity cluster associated with the Chinese and Russian cybercrime ecosystems has been observed using a new malware designed to load Cobalt Strike onto infected machines.

Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware uses DLL sideloading techniques to deliver the commercial adversary simulation software.

The development comes as improved detection capabilities for Cobalt Strike, a legitimate post-exploitation tool used in red team operations, have forced attackers either to look for alternatives or to devise new ways of delivering the framework that evade detection.

“The most common of these is the utilization of packers, crypters, loaders, or similar techniques to add complexity to auto-generated beacon or stager payloads,” said WithSecure researchers.

SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader and LithiumLoader recently discovered to incorporate Cobalt Strike components.

It also overlaps with LithiumLoader in that both employ a DLL sideloading scheme to hijack legitimate applications and execute separate malicious dynamic link libraries (DLLs).

SILKLOADER accomplishes this via a specially crafted libvlc.dll file that is dropped alongside a legitimate but renamed VLC media player binary (Charmap.exe), so that the trusted executable loads the attacker's DLL from its own directory.
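The sideload pattern above is easy to hunt for in endpoint telemetry once you know what to look for: a renamed binary whose on-disk name no longer matches the PE header's OriginalFileName, and a known sideload DLL (here libvlc.dll) loaded by something other than its legitimate host or from outside its install directory. The following is an added example, not WithSecure's code or anything from the report, that runs that logic over Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records. The sample events are constructed, and the expected VLC install directories are an assumption to tune per environment.

```python
"""Hunting for the SILKLOADER-style VLC/libvlc.dll sideload.

Added example, not code from WithSecure or from the article.  Field names
mirror Sysmon Event ID 1 (Image, OriginalFileName) and Event ID 7 (Image,
ImageLoaded); the paths and expected install directories are assumptions.
"""
from pathlib import PureWindowsPath

# DLL -> process names that legitimately host it.  libvlc.dll belongs to
# VLC; any other image loading it (e.g. a renamed copy such as Charmap.exe)
# is a sideload candidate.
SIDELOAD_DLLS = {"libvlc.dll": {"vlc.exe"}}

# Where a genuine VLC install is expected (assumption; tune per environment).
EXPECTED_DIRS = {
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def check_process_create(ev):
    """Event ID 1: on-disk name differs from the PE OriginalFileName,
    i.e. the binary was renamed, which is how SILKLOADER ships VLC."""
    disk = _name(ev["Image"])
    original = ev.get("OriginalFileName", "").lower()
    if original and disk != original:
        return f"renamed binary: {ev['Image']} has OriginalFileName {original}"
    return None


def check_image_load(ev):
    """Event ID 7: a known sideload DLL loaded by the wrong host process or
    from outside its expected install directory."""
    dll = _name(ev["ImageLoaded"])
    hosts = SIDELOAD_DLLS.get(dll)
    if hosts is None:
        return None
    if _name(ev["Image"]) not in hosts:
        return f"sideload: {dll} loaded by non-VLC process {ev['Image']}"
    if _parent(ev["ImageLoaded"]) not in EXPECTED_DIRS:
        return f"sideload: {dll} loaded from unexpected path {ev['ImageLoaded']}"
    return None


def scan(events):
    """Return one (EventID, reason) tuple per suspicious event."""
    alerts = []
    for ev in events:
        reason = None
        if ev["EventID"] == 1:
            reason = check_process_create(ev)
        elif ev["EventID"] == 7:
            reason = check_image_load(ev)
        if reason:
            alerts.append((ev["EventID"], reason))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Renamed VLC dropped into a user-writable directory ...
    {"EventID": 1, "Image": r"C:\Users\Public\Charmap.exe",
     "OriginalFileName": "vlc.exe"},
    # ... loading the attacker-supplied libvlc.dll sitting next to it.
    {"EventID": 7, "Image": r"C:\Users\Public\Charmap.exe",
     "ImageLoaded": r"C:\Users\Public\libvlc.dll"},
    # Genuine VLC loading its own libvlc.dll: benign.
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    # The real Windows Character Map: name matches the header, no alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\charmap.exe",
     "OriginalFileName": "CHARMAP.EXE"},
]

if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_EVENTS):
        print(f"[EID {eid}] {reason}")
```

The OriginalFileName mismatch on its own is noisy (installers and portable tools are routinely renamed), so in practice it is the combination of a renamed host plus a sideload DLL in the same user-writable directory that is worth paging on; the two checks are kept separate here so they can be weighted independently.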

WithSecure says it identified the shellcode loader after analyzing “multiple human intrusions” targeting entities in Brazil, France and Taiwan in Q4 2022.

Although these attacks were unsuccessful, the campaign could lead to ransomware deployment, and the tactics and tools “hugely overlap” with those of the Play ransomware operators.

In one attack targeting an unnamed French social welfare organization, the attackers exploited a compromised Fortinet SSL VPN appliance to stage a Cobalt Strike beacon to gain a foothold in the network.

“Threat actors have been maintaining a foothold in this organization for several months,” said WithSecure. “During this time, they conducted discovery and credential theft operations, followed by the deployment of multiple Cobalt Strike beacons.”

After that attempt failed, the attackers switched to SILKLOADER to bypass detection and deliver the beacon payload.


That’s not all. Another loader called BAILLOADER, which is also used to distribute Cobalt Strike beacons, has been linked in recent months to attacks involving the Quantum ransomware, GootLoader, and the IcedID Trojan.

BAILLOADER is said to show similarities to a crypter codenamed Tron, which has been used by various adversaries to distribute Emotet, TrickBot, BazarLoader, IcedID, Conti ransomware, and Cobalt Strike.

This raises the possibility that different attackers share infrastructure provided by Cobalt Strike beacons, crypters, and third-party affiliates, servicing multiple intrusions with different tactics.

It also means that SILKLOADER may be offered as an off-the-shelf loader to Russia-based actors through a packer-as-a-service program.

“This loader could be provided directly to ransomware groups or via groups that provide Cobalt Strike/Infrastructure-as-a-Service to trusted affiliates,” WithSecure said.


“Most of these affiliates appear to have been part of or had close ties with the Conti group, its members and descendants after its closure.”

The SILKLOADER samples analyzed by the company show an early version of the malware dating back to early 2022, when the loader was used only in attacks targeting victims in China and Hong Kong.

The shift from East Asian targets to other countries such as Brazil and France is believed to have occurred around July 2022, after which all SILKLOADER-related incidents have been attributed to Russian cybercriminals.

This has led to the hypothesis that “SILKLOADER was originally created by a threat actor operating within the Chinese cybercrime ecosystem” and that the loader “was used by threat actors within this ecosystem from at least May 2022 to July 2022.”

“The builder or source code was subsequently acquired by threat actors within the Russian cybercrime ecosystem between July 2022 and September 2022.”

Both SILKLOADER and BAILLOADER are just the latest examples of threat actors refining and restructuring their approach to stay ahead of the detection curve.

“As the cybercriminal ecosystem becomes increasingly modular through service offerings, it is no longer possible to simply attribute attacks to threat groups. We link them to specific components within the attack,” concluded the WithSecure researchers.
