StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader

Researchers uncovered SharkLoader, a previously undocumented loader used in the StrikeShark campaign to deploy Cobalt Strike Beacon after initial access through exploitation of public-facing applications or through malicious droppers. The activity targeted diplomatic, government, and software development organizations across multiple countries, with tactics including DLL sideloading, API hooking, persistence, and credential theft. #SharkLoader #StrikeShark #CobaltStrikeBeacon #SystemSettings.exe #SystemSettings.dll

Keypoints

  • SharkLoader is a newly identified loader malware used to install Cobalt Strike Beacon on compromised systems.
  • The campaign, tracked as StrikeShark, affected organizations in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia.
  • Initial access was often achieved by exploiting internet-facing applications such as Microsoft Exchange, Microsoft SharePoint, Openfire, GeoServer, and other enterprise products.
  • The attackers also used custom droppers disguised as legitimate installers or PDF documents to deliver SharkLoader components.
  • SharkLoader relies on DLL sideloading, encrypted modules, and loader-lock bypass techniques to execute its payload in memory.
  • Post-compromise activity included persistence, reconnaissance, Active Directory enumeration, and credential dumping from LSASS and NTDS.
  • Attribution remains preliminary; the use of several open-source tools points, with low confidence, to a Chinese-speaking threat actor.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access was gained by exploiting internet-facing systems such as Microsoft Exchange, Openfire, and GeoServer (‘the threat actor exploited Microsoft Exchange vulnerabilities’ / ‘exploitation of Openfire (CVE-2023-32315)’ / ‘exploited a GeoServer instance vulnerable to CVE-2024-36401’).
  • [T1036] Masquerading – Droppers and files were disguised as legitimate software or given vendor names to appear benign (‘masquerading as legitimate software installers or applications such as Google Update and Cisco AnyConnect’ / ‘used security product vendor names as the directory names’).
  • [T1574.001] DLL Search Order Hijacking / DLL Side-Loading – SharkLoader was launched by abusing the legitimate SystemSettings.exe to load a malicious DLL carrying the expected name (‘abused as part of a DLL sideloading chain’ / ‘hidden in the malicious SystemSettings.dll library’).
  • [T1105] Ingress Tool Transfer – Malware components were uploaded to victim systems through webshells and droppers (‘the malicious SystemSettings.dll library … was uploaded through the webshell’).
  • [T1053.005] Scheduled Task – SharkLoader was launched and kept running via scheduled tasks (‘created two scheduled tasks’ / ‘configured to execute the copied SystemSettings.exe’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence was also established with a Run key (‘manually created a registry Run key to launch SystemSettings.exe upon user logon’).
  • [T1055] Process Injection – Cobalt Strike Beacon shellcode was decompressed and run in memory rather than from disk (‘reflectively loaded into memory and executed without being written to disk’ / ‘decompresses … Cobalt Strike Beacon shellcode’). Loading the Beacon into the loader’s own process this way is, strictly, T1620 Reflective Code Loading; T1055 applies only where the shellcode is written into another process.
  • [T1027] Obfuscated Files or Information – Encrypted, compressed, and packed components hinder analysis (‘encrypted modules’ / ‘zlib-compressed data’ / ‘packed PE file with its MZ header removed’).
  • [T1106] Native API – The loader used Windows APIs and direct syscalls for its loading, memory, and process operations (‘redirects the API call to a direct NtOpenProcessToken syscall stub’ / ‘uses … direct syscalls’).
  • [T1134] Access Token Manipulation – Process-creation and token-related APIs were hooked in support of spoofing and execution control (‘OpenProcessToken’ / ‘AdjustTokenPrivileges’).
  • [T1057] Process Discovery – Running processes were enumerated to find targets and to confirm the loader’s own presence (‘tasklist /svc’ / ‘tasklist /SVC | findstr $selfname.exe’).
  • [T1082] System Information Discovery – Host basics were collected for reconnaissance (‘systeminfo’ / ‘ipconfig /all’).
  • [T1016] System Network Configuration Discovery – Network configuration and connection state were gathered (‘ipconfig /all’ / ‘netstat -ano’ / ‘arp -a’).
  • [T1018] Remote System Discovery – Shares and reachable systems were enumerated (‘net share’ / ‘dir \c$’).
  • [T1069.002] Permission Groups Discovery: Domain Groups – Privileged AD group membership was queried (‘net group "Domain Controllers" /domain’ / ‘net group "Enterprise Admins" /domain’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – LSASS memory was dumped with ProcDump (‘Procdump64.exe -accepteula -ma lsass.exe’).
  • [T1003.003] OS Credential Dumping: NTDS – The Active Directory database was exported with ntdsutil’s IFM (Install From Media) function (‘ntdsutil "ac i ntds" "ifm" "create full $temp"’).
  • [T1497] Virtualization/Sandbox Evasion – Listed for the loader’s manipulation of memory protections and execution flow (‘restore read, write, and execute (RWX) permissions’ / ‘evade memory scanning techniques’). Strictly, T1497 covers checks for virtualized or sandboxed environments; toggling page protections to defeat memory scanners is defense evasion aimed at scanners, not sandbox detection.
  • [T1055.012] Process Hollowing – Listed for the loader’s suspended-thread execution pattern (‘creates a new thread in a suspended state’ / ‘the suspended thread is resumed’). Hollowing proper means starting a legitimate process suspended and replacing its mapped image before resuming it; creating and later resuming a thread inside the current process, as quoted, does not by itself show hollowing.

Indicators of Compromise

  • [MD5 hashes] Malware samples and components – 24FCEBDEECBA65004FDB0923763D74FD, AA3086BE652C8B20B0B29B2730D57119, and 2 more hashes.
  • [Domain names] C2 or related infrastructure – connect-microsoft[.]com, comms-record[.]comms-record[.]top, and ms-tray[.]top.
  • [CVE identifiers] Exploited vulnerabilities – CVE-2021-26855, CVE-2023-32315, and 2 more items.
  • [Executable and module filenames] Delivered or malicious files – SystemSettings.exe, SystemSettings.dll, and 2 more items.
  • [Dropper filenames] Initial delivery samples – GoogleUpdateStepup.exe, AnyConnect-win-4.10.04071-predeploy-k9exe, and 2 more items.
  • [Registry key / persistence artifact] Run key used for persistence – HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name MFUpdate.
  • [Scheduled task names] Persistence and execution tasks – MicrosoftWindowsEdgeEdgeupdate, OneDrive Standalone Update Task-S-1-5-21-4165425321-4153752593-2322023643-1000, and MicrosoftUpdateTaskUserS-1-5-32-2456537112-101246289-228944324-1000.
  • [File paths] Deployment and staging locations – C:ADriveLogs_LogsSystemSettings.exe, %APPDATA%\xwreg, and %APPDATA%\xgdf.
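
The behaviours in the MITRE list and the artifacts in the Indicators of Compromise list translate fairly directly into host-telemetry detections. The script below is an added example, not code from the Securelist report or from Kaspersky: it runs those checks over constructed Sysmon-style events, flagging SystemSettings.exe or SystemSettings.dll outside their stock Windows locations (the legitimate paths are an assumption about a default Windows 10/11 install, not something the report states), the MFUpdate Run key, the three scheduled-task names, execution from the xwreg/xgdf staging directories, and the quoted reconnaissance and credential-dumping command lines, then raises one more finding when a single host shows three or more distinct discovery or credential techniques. The host name WS01, the staging path C:\ProgramData\Staging, the `_proc` helper and every sample event are constructed for the example.

```python
"""Hunt for StrikeShark / SharkLoader tradecraft in Sysmon-style telemetry.
Added example, not code from the Securelist report; events are dicts carrying
Sysmon field names, and SAMPLE_EVENTS below is constructed, not captured."""
import ntpath
import re
from collections import defaultdict

# Assumption: stock Windows 10/11 paths of the genuine binaries (the report names the file pair, not these).
LEGIT_EXE = r"c:\windows\immersivecontrolpanel\systemsettings.exe"
LEGIT_DLL = r"c:\windows\system32\systemsettings.dll"
# Run value from the report; Sysmon logs user hives as HKU\<SID>\..., so match on the key tail.
RUN_VALUE_TAIL = r"\software\microsoft\windows\currentversion\run\mfupdate"
# %APPDATA% expands to <profile>\AppData\Roaming; xwreg and xgdf are the staging dirs from the report.
STAGING_DIRS = ("\\appdata\\roaming\\xwreg\\", "\\appdata\\roaming\\xgdf\\")
# Task names as printed in the report (folder separators lost), so compare ignoring backslashes and case.
TASK_NAMES = {
    "microsoftwindowsedgeedgeupdate",
    "onedrive standalone update task-s-1-5-21-4165425321-4153752593-2322023643-1000",
    "microsoftupdatetaskusers-1-5-32-2456537112-101246289-228944324-1000",
}
# Reconnaissance and credential-dumping command lines quoted in the report, tagged with the technique.
RECON_RULES = [(re.compile(p, re.I), t) for p, t in [
    (r"\btasklist\b.*\s/svc\b", "T1057 Process Discovery"),
    (r"\bsysteminfo\b", "T1082 System Information Discovery"),
    (r"\bipconfig\s+/all\b|\bnetstat\s+-ano\b|\barp\s+-a\b",
     "T1016 System Network Configuration Discovery"),
    (r"\bnet\s+share\b", "T1018 Remote System Discovery"),
    (r'\bnet\s+group\s+"(domain controllers|enterprise admins)"\s+/domain',
     "T1069.002 Domain Groups Discovery"),
    (r"\bprocdump(64)?(\.exe)?\b.*-ma\s+lsass", "T1003.001 LSASS Memory Dump"),
    (r"\bntdsutil\b.*\bac i ntds\b.*\bifm\b", "T1003.003 NTDS via ntdsutil ifm"),
]]


def norm_path(p):
    """Lower-case and strip surrounding quotes so paths compare reliably."""
    return p.strip().strip('"').lower()


def analyze(events):
    """Return one finding string per matched rule, plus a per-host burst alert."""
    findings = []
    recon = defaultdict(set)  # host -> distinct discovery/credential techniques
    for ev in events:
        host, kind = ev.get("Computer", "?"), ev["EventType"]
        if kind == "ImageLoad":
            dll = norm_path(ev["ImageLoaded"])
            if ntpath.basename(dll) == "systemsettings.dll" and dll != LEGIT_DLL:
                findings.append(f"{host}: T1574 side-load, SystemSettings.dll from {dll}")
        elif kind == "ProcessCreate":
            image, cmd = norm_path(ev.get("Image", "")), ev.get("CommandLine", "")
            if ntpath.basename(image) == "systemsettings.exe" and image != LEGIT_EXE:
                findings.append(f"{host}: T1036 relocated SystemSettings.exe at {image}")
            if any(d in image for d in STAGING_DIRS):
                findings.append(f"{host}: execution from staging dir {image}")
            for rx, technique in RECON_RULES:
                if rx.search(cmd):
                    findings.append(f"{host}: {technique}: {cmd}")
                    recon[host].add(technique)
        elif kind == "RegistryValueSet":
            if norm_path(ev["TargetObject"]).endswith(RUN_VALUE_TAIL):
                findings.append(f"{host}: T1547.001 Run key MFUpdate -> {ev.get('Details', '')}")
        elif kind == "TaskCreate":
            if ev["TaskName"].lower().replace("\\", "").strip() in TASK_NAMES:
                findings.append(f"{host}: T1053.005 scheduled task {ev['TaskName']}")
    # Several distinct recon/credential techniques on one host is the post-compromise pattern in the report.
    for host, techniques in recon.items():
        if len(techniques) >= 3:
            findings.append(f"{host}: reconnaissance burst, {len(techniques)} techniques")
    return findings


def _proc(cmd, image):
    """Build a constructed ProcessCreate event for the sample data."""
    return {"Computer": "WS01", "EventType": "ProcessCreate", "Image": image, "CommandLine": cmd}


# Constructed sample telemetry for one host; C:\ProgramData\Staging is an invented stand-in path.
SAMPLE_EVENTS = [
    _proc(r'"C:\ProgramData\Staging\SystemSettings.exe"', r"C:\ProgramData\Staging\SystemSettings.exe"),
    {"Computer": "WS01", "EventType": "ImageLoad", "Image": r"C:\ProgramData\Staging\SystemSettings.exe",
     "ImageLoaded": r"C:\ProgramData\Staging\SystemSettings.dll"},
    {"Computer": "WS01", "EventType": "ImageLoad", "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\SystemSettings.dll"},  # genuine pair: must not alert
    {"Computer": "WS01", "EventType": "RegistryValueSet", "Details": r"C:\Users\alice\AppData\Roaming\xwreg\SystemSettings.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MFUpdate"},
    {"Computer": "WS01", "EventType": "TaskCreate", "TaskName": "MicrosoftWindowsEdgeEdgeupdate"},
    _proc("cmd.exe /c tasklist /svc", r"C:\Windows\System32\cmd.exe"),
    _proc("cmd.exe /c systeminfo", r"C:\Windows\System32\cmd.exe"),
    _proc('net group "Domain Controllers" /domain', r"C:\Windows\System32\net.exe"),
    _proc("Procdump64.exe -accepteula -ma lsass.exe lsass.dmp", r"C:\Users\alice\AppData\Roaming\xgdf\Procdump64.exe"),
    _proc(r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\ntds" q q', r"C:\Windows\System32\ntdsutil.exe"),
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Run as a script to print the findings for the constructed sample. In practice, feed `analyze()` events exported from Sysmon event IDs 1 (process creation), 7 (image load) and 13 (registry value set) plus Security event 4698 (scheduled task created), and expect to adjust the `LEGIT_*` paths for Windows builds that place the Settings binaries elsewhere; the task-name comparison ignores backslashes only because the report's task paths are printed without separators.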


Read more: https://securelist.com/strikeshark-campaign/120326/