According to a report by Finnish cybersecurity firm WithSecure, Chinese and Russian cybercriminals have been using a new piece of malware called SILKLOADER to load Cobalt Strike onto infected machines. The malware employs DLL side-loading techniques to deliver commercial adversary simulation software. With the increased detection capabilities against Cobalt Strike, threat actors are seeking alternative options or developing new methods to propagate the framework to evade detection (source: The Hacker News).
SILKLOADER is similar to other loaders like KoboldLoader, MagnetLoader, and LithiumLoader, which incorporate Cobalt Strike components. It uses specially crafted libvlc.dll files to hijack a legitimate VLC media player binary, aiming to evade defense mechanisms. WithSecure’s researchers discovered the shellcode loader during their analysis of “several human-operated intrusions” targeting organizations in Brazil, France, and Taiwan in Q4 2022.
Another loader called BAILLOADER has also been linked to attacks involving Quantum ransomware, GootLoader, and the IcedID trojan in recent months. It is suspected that various threat actors are sharing Cobalt Strike beacons, crypters, and infrastructure provided by third-party affiliates to service multiple intrusions using different tactics.
WithSecure’s analysis of SILKLOADER samples indicates that the malware was initially created by Chinese cybercriminals and later acquired by a Russian threat actor. The increasing modularity of the cybercriminal ecosystem through service offerings makes it difficult to attribute attacks to specific threat groups based solely on the components used in their attacks.