Official forum for Utopia Community
You are not logged in.
Threat operation clusters affiliated with Chinese and Russian cybercrime ecosystems have been discovered using new malware aimed to load Cobalt Strike onto infected machines.
Dubbed SILKLOADER by Finnish cybersecurity firm WithSecure, the malware uses DLL sideloading methods to deliver commercial adversary simulation software.
The development comes as improved detection capabilities against Cobalt Strike, a legitimate post-exploit tool used for Red Team operations, is forcing threat actors to look for alternative options or invent new ways to deploy the framework to evade detection.
“The most common of these involves adding complexity to automatically generated beacon or stager payloads through the use of packers, crypters, loaders, or similar techniques,” said WithSecure researchers.
SILLKLOADER joins other loaders such as the KoboldLoader, MagnetLoader and LithiumLoader which was recently found to contain Cobalt Strike components. It also shares overlaps with LithiumLoader as both use DLL side-loading method to hijack a legitimate application in order to run a separate, malicious Dynamic Link Library (DLL).
SILLKLOADER achieves this through specially crafted libvlc.dll files that are placed alongside a legitimate but renamed VLC media player binary file (Charmap.exe).
WithSecure said it identified the shellcode loader after analyzing "several human-operated intrusions" targeting various entities across a range of organizations in Brazil, France and Taiwan in Q4 2022.
While these attacks were unsuccessful, the activity is suspected to be a prelude to ransomware distributions, with tactics and tools that "heavily overlap" with those attributed to the operators of the Play ransomware.
In an attack against an unnamed French welfare organization, the threat gained a foothold on the network by using a compromised Fortinet SSL VPN appliance to host Cobalt Strike beacons. “The threat actor has had a foothold in this organization for several months,” WithSecure said. “During this time, they conducted discovery and credential theft activities, followed by the deployment of more Cobalt Strike beacons.”
But when that attempt failed, the adversary switched to using SILLKLOADER to evade detection and deliver the beacon payload.
SILKLOADER malware
It's not all. Another loader known as BAILLOADER, which is also used to distribute Cobalt Strike beacons, has been linked in recent months to attacks involving Quantum ransomware, GootLoader and the IcedID trojan.
BAILLOADER, for its part, is said to bear similarities to a crypter codenamed Tron which has been used by several adversaries to distribute Emotet, TrickBot, BazarLoader, IcedID, Conti ransomware and Cobalt Strike. This has led to the ability for different threat actors to share Cobalt Strike beacons, encryptors, and infrastructure provided by third parties to serve multiple intruders with different tactics.
In other words, SILKLOADER will likely be offered as a standard loader through a Packer-as-a-Service program for Russian-based threat actors.
"This loader will be provided either directly to ransomware groups or potentially through groups offering Cobalt Strike/Infrastructure-as-a-Service to trusted partners," WithSecure said.
"Most of these affiliates appear to have been part of or have had close working relationships with the Conti group, its members, and offspring after its alleged shutdown."
SILKLOADER samples analyzed by the company show that early versions of the malware date back to the start of 2022, with the loader exclusively put to use in different attacks targeting victims in China and Hong Kong.
The shift from East Asian targets to other countries such as Brazil and France is believed to have occurred around July 2022, after which all SILKLOADER-related incidents have been attributed to Russian cybercriminal actors.
This has further given way to a hypothesis that "SILKLOADER was originally written by threat actors acting within the Chinese cybercriminal ecosystem" and that the "loader was used by the threat actors within this nexus at least as early as May 2022 till July 2022."
"The builder or source code was later acquired by a threat actor within the Russian cybercriminal ecosystem between July 2022 and September 2022," WithSecure said, adding, "the original Chinese author sold the loader to a Russian threat actor once they no longer had any use for it."
Both SILKLOADER and BAILLOADER are just the latest examples of threat actors refining and retooling their approaches to stay ahead of the detection curve.
"As the cybercriminal ecosystem becomes more and more modularized via service offerings, it is no longer possible to attribute attacks to threat groups simply by
linking them to specific components within their attacks," WithSecure researchers concluded.
Offline
Thank you for the article, it's really interesting and informative. do you plan to do more posts?
Offline
Thank you for the article, it's really interesting and informative. do you plan to do more posts?
From what I see we have two users on this forum who constantly post news and update about cyber security, vulnerability, threat, and hacker attacks which make us have awareness of what is happening in technology.
Offline
<div class="quotebox"><cite>Cat;5799 wrote:</cite><blockquote><div><p>Thank you for the article, it's really interesting and informative. do you plan to do more posts?</p></div></blockquote></div><p>From what I see we have two users on this forum who constantly post news and update about cyber security, vulnerability, threat, and hacker attacks which make us have awareness of what is happening in technology.</p>
Is it free to post here or do you need permission or something ?
Offline
Chinese and Russia are known to be a good friend and if we see hackers from the two countries that work together. However, the idea to make use of privacy and the good privacy ecosystem is the UtopiaP2P.
Offline
oba;5800 wrote:<div class="quotebox"><cite>Cat;5799 wrote:</cite><blockquote><div><p>Thank you for the article, it's really interesting and informative. do you plan to do more posts?</p></div></blockquote></div><p>From what I see we have two users on this forum who constantly post news and update about cyber security, vulnerability, threat, and hacker attacks which make us have awareness of what is happening in technology.</p>
Is it free to post here or do you need permission or something ?
Do you know that the number one benefit of a decentralized and privacy ecosystem is free of speech and liberation?
Therefore, there's no permission need to post a topic on this forum and everything is free.
Offline
Cat;5801 wrote:oba;5800 wrote:<div class="quotebox"><cite>Cat;5799 wrote:</cite><blockquote><div><p>Thank you for the article, it's really interesting and informative. do you plan to do more posts?</p></div></blockquote></div><p>From what I see we have two users on this forum who constantly post news and update about cyber security, vulnerability, threat, and hacker attacks which make us have awareness of what is happening in technology.</p>
Is it free to post here or do you need permission or something ?
Do you know that the number one benefit of a decentralized and privacy ecosystem is free of speech and liberation?
Therefore, there's no permission need to post a topic on this forum and everything is free.
Well the number benefits of a decentralized ecosystem is the anonymous quality if you ask me, that comes first. Decentralization offers anonymity the rest are secondary.
Offline
IyaJJJ;6146 wrote:Cat;5801 wrote:Is it free to post here or do you need permission or something ?
Do you know that the number one benefit of a decentralized and privacy ecosystem is free of speech and liberation?
Therefore, there's no permission need to post a topic on this forum and everything is free.Well the number benefits of a decentralized ecosystem is the anonymous quality if you ask me, that comes first. Decentralization offers anonymity the rest are secondary.
I think you're missing an interesting thing about cryptocurrency. Decentralization does not offer anonymity by any mean, it only offers liberation from the government and real anonymity are provided through advanced privacy tools
Offline
I think you're missing an interesting thing about cryptocurrency. Decentralization does not offer anonymity by any mean, it only offers liberation from the government and real anonymity are provided through advanced privacy tools
Let's hope that decentralisation will continue to help. I am sure that in a year or two, the government will reach for cryptocurrencies.
Offline