Some of the malware designed to load Cobalt Strike beacons onto the victim’s machine has been traced back to both Chinese and Russian actors.
In a new report, Finnish security vendor WithSecure claimed to have detected “SilkLoader” in several human-operated intrusions that are likely precursors to ransomware attacks.
This malware uses DLL sideloading to load beacons. Beacons are commonly used in such attacks as part of the command and control (C2) infrastructure to download additional payloads to the targeted machine.
However, the novelty of this case stems from the fact that WithSecure believes that Chinese threat actors actually sold or otherwise provided the loader to their Russian peers.
Until summer 2022, the loader was used exclusively against targets in Hong Kong, China, and other regions, according to the company. However, that activity stopped in July, and a few months later the malware reappeared in attacks against various targets in different countries, including Taiwan, Brazil, and France.
“SilkLoader is currently operating within the Russian cybercrime ecosystem through its Packer-as-a-Service program to ransomware groups, or possibly through groups that offer Cobalt Strike/Infrastructure-as-a-Service. We believe it is distributed as a trusted affiliate.
“Most of the affiliates appear to have been part of or had close ties to the Conti Group, its members and descendants following the alleged closure.”
The tool itself is just the latest example of attackers innovating to stay ahead of network defenders. In the case of Cobalt Strike, this tool is so well-known that defensive measures are usually able to detect and contain the threat.
“However, by adding a layer of complexity to the file content and launching it through known applications such as VLC Media Player via sideloading, attackers hope to circumvent these defense mechanisms,” explains Nejad.
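As an added illustration (not code from the article or the WithSecure report), the following Python heuristic shows the shape a defender's check for this kind of sideload can take: it walks constructed Sysmon-style ImageLoad records and flags a known application that loads an unsigned DLL from its own directory outside the standard install locations, which is the pattern a VLC-style sideload leaves behind. The field names and sample paths are assumptions.

```python
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Constructed sample records, loosely modelled on Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS = [
    # Legitimate VLC in its normal install path loading its own signed library.
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Signed": "true", "Signature": "VideoLAN"},
    # A copy of vlc.exe dropped in a user-writable folder loading an unsigned
    # DLL of the same name placed beside it: the sideload pattern.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll",
     "Signed": "false", "Signature": ""},
    # Same relocated binary loading a signed OS DLL from System32: not a sideload.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Ordinary system process activity.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Directories where a legitimately installed application is expected to live.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def is_suspicious_sideload(event):
    """True when a process outside the trusted install roots loads an
    unsigned DLL that sits in the process's own directory."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    outside_trusted = not image.startswith(TRUSTED_ROOTS)
    unsigned = event.get("Signed", "").lower() != "true"
    return same_dir and outside_trusted and unsigned


def find_sideloads(events):
    """Return the paths of every loaded DLL that matches the sideload heuristic."""
    return [e["ImageLoaded"] for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

In production the signature check would come from the endpoint agent rather than a string field, and the trusted roots would be tuned to the estate's own software deployment paths.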
The big picture is that cybercrime is becoming more and more global. Historical language and cultural barriers have largely hampered information sharing between the Chinese and Russian-speaking cybercrime economies, but that may be changing.
“In this case, the author is likely an independent coder who sold the tool on an underground forum,” claims the report. “Such components may be sold or transferred to other groups if circumstances favor such transactions.”