A newly identified cyberattack operation is deploying a novel malware called SharkLoader to deliver Cobalt Strike Beacon on compromised systems. This malware campaign, tracked by Kaspersky under the alias StrikeShark, targets entities across diverse sectors and geographical locations, including diplomatic and governmental organizations.
Global Reach and Target Diversity
Kaspersky’s research indicates that the StrikeShark campaign is not limited to a specific industry or region. The campaign has affected diplomatic institutions in Indonesia, government bodies in Taiwan, and software firms in various countries. Additionally, organizations in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia have also been targeted.
The campaign’s operators remain unidentified, but the use of tools like FScan and Pillager, often linked to Chinese-speaking developers, suggests a potential Chinese-speaking threat actor. The attack strategy employs multiple known vulnerabilities to gain initial access.
Exploitation Tactics and Malware Delivery
The attack chains exploit known vulnerabilities in Exchange Server (CVE-2021-26855), Openfire (CVE-2023-32315), and GeoServer (CVE-2024-36401) to gain initial access, most likely using publicly available exploits. Once inside, the attackers deploy web shells to establish a foothold and then run a DLL side-loading chain that abuses “SystemSettings.exe” to deploy SharkLoader.
The StrikeShark campaign also uses custom dropper executables disguised as legitimate software like Google Update and Cisco AnyConnect. The exact method of dropper delivery remains unclear, but some employ decoy PDFs to entice users into executing the malicious files.
Technical Sophistication and Potential Goals
SharkLoader employs the Perfect DLL Hijacking technique to load and execute malicious code while sidestepping system safeguards such as the Windows Loader Lock. The loader decrypts and loads further components, among them “DscCoreR.mui”, and relies on the Microsoft Detours library for Windows API hooking. It also uses the MinHook library to install API hooks, which ultimately facilitates the deployment of Cobalt Strike Beacon.
SharkLoader has no built-in persistence mechanism of its own; instead, persistence is achieved through Registry Run keys and scheduled tasks that launch “SystemSettings.exe”. Extensive reconnaissance follows the initial compromise, including Active Directory enumeration and credential theft, which hints at a cyber-espionage motive.
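A defender-side example, added here and not taken from Kaspersky's report: a small Python triage script that scans constructed Sysmon-style log lines for the markers described above (SystemSettings.exe running from an unexpected directory, a DLL loaded by it from outside the Windows folder, and Run-key or scheduled-task entries pointing at it). The expected install directory, the key=value log shape, and every path and file name in the sample events are assumptions made for the example.

```python
import re

# Assumption for this example: the genuine SystemSettings.exe ships under
# C:\Windows\ImmersiveControlPanel; a copy anywhere else is a side-loading candidate.
EXPECTED_DIR = r"c:\windows\immersivecontrolpanel"
SYSTEM_ROOT = r"c:\windows"

# Constructed sample telemetry (not real logs): Sysmon-style key=value lines for
# process create (1), image load (7), registry value set (13) and a Security-log
# scheduled-task creation (4698). Paths and names are made up for the example.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Users\Public\Update\SystemSettings.exe ParentImage=C:\Users\Public\Update\setup.exe",
    r"EventID=7 Image=C:\Users\Public\Update\SystemSettings.exe ImageLoaded=C:\Users\Public\Update\helper.dll",
    r"EventID=7 Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Settings Details=C:\Users\Public\Update\SystemSettings.exe",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"EventID=4698 TaskName=\UpdateCheck Command=C:\Users\Public\Update\SystemSettings.exe",
]


def parse_event(line):
    """Split a key=value line into a dict; a value runs until the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_target(path):
    """True when the path names a SystemSettings.exe binary (case-insensitive)."""
    return path.lower().endswith("\\systemsettings.exe")


def find_systemsettings_abuse(events):
    """Return (rule, evidence) pairs for events that match the loader chain."""
    findings = []
    for line in events:
        ev = parse_event(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == "1" and is_target(image) and not image.lower().startswith(EXPECTED_DIR):
            findings.append(("systemsettings_unexpected_path", image))
        elif eid == "7" and is_target(image):
            loaded = ev.get("ImageLoaded", "")
            # A DLL pulled from outside the Windows directory is the side-load itself.
            if not loaded.lower().startswith(SYSTEM_ROOT):
                findings.append(("systemsettings_sideload", loaded))
        elif eid == "13" and is_target(ev.get("Details", "")):
            if "\\currentversion\\run\\" in ev.get("TargetObject", "").lower():
                findings.append(("run_key_persistence", ev["Details"]))
        elif eid == "4698" and is_target(ev.get("Command", "")):
            findings.append(("scheduled_task_persistence", ev["Command"]))
    return findings
```

Run against the sample events it reports four findings, one per hostile line, and stays silent on the legitimate launch, the kernel32.dll load and the unrelated OneDrive Run entry.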
The absence of confirmed data exfiltration raises questions about the ultimate objectives of the StrikeShark campaign. However, the focus on government and software development sectors indicates a potential interest in political intelligence or intellectual property.
Conclusion
The StrikeShark campaign exemplifies sophisticated malware deployment across a broad range of targets, using known vulnerabilities and advanced techniques. The use of SharkLoader and Cobalt Strike suggests a calculated strategy, possibly opportunistic in its choice of victims, that exploits vulnerable systems to stage future operations. Ongoing vigilance and up-to-date security measures are essential to counter such evolving cyber threats.
