Colibri Loader is a malware family that delivers and manages payloads onto infected PCs. A new campaign delivers Mars Stealer as the final payload, using a novel persistence technique that combines a scheduled task with PowerShell and a remote template injection chain.
Keypoints
- Colibri Loader is a relatively new loader first seen in 2021, now coupled with Mars Stealer as the final payload in a targeted campaign.
- The attack chain starts with a malicious Word document that loads a remote template (trkal0.dot) from a remote server, via remote template injection.
- Macro code enables PowerShell to download setup.exe (the Colibri final payload) from a remote server.
- Colibri leverages a novel persistence technique by abusing PowerShell and drop locations; on Windows 10+ it hides a scheduled task and uses Get-Variable.exe to trigger the payload.
- On Windows 7, a scheduled task named COMSurrogate runs Colibri Loader; on Windows 10+, a hidden PowerShell task is created, showing version-specific persistence behavior.
- VirusTotal samples indicate the technique appeared around the same time Colibri surfaced, suggesting a link between the technique and the Colibri campaign.
MITRE Techniques
- [T1053.005] Scheduled Task/Job: Scheduled Task – schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
- [T1564.003] Hide Artifacts: Hidden Window – powershell.exe -windowstyle hidden
- [T1059.001] Command and Scripting Interpreter: PowerShell – powershell.exe -windowstyle hidden
- [T1027] Obfuscated Files or Information – Get-Variable.exe – ‘Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console.’
- [T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking – Get-Variable.exe – the dropped file is named ‘Get-Variable.exe’; when the name Get-Variable is resolved, the system searches the PATH for an executable of that name and runs the malicious binary instead of the PowerShell cmdlet.
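The persistence chain above (a scheduled task that starts hidden PowerShell, plus a dropped Get-Variable.exe that wins the search-order race against the cmdlet) can be flagged from process-creation telemetry. The following is an added detection example, not code from the original report: it runs a small rule set over constructed process-creation records modelled on Sysmon Event ID 1 fields. The event records, the user paths in them, and the field names are assumptions; the schtasks command line and the COMSurrogate task name are the ones quoted on the page.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


# schtasks /create whose /tr action starts PowerShell with a hidden window
# (the task-creation command quoted on the page). Quotes optional, case ignored.
SCHTASKS_HIDDEN_PS = re.compile(
    r"schtasks(?:\.exe)?\s+.*?/create\b.*?/tr\s+[\"']?powershell(?:\.exe)?\s+-windowstyle\s+hidden",
    re.IGNORECASE,
)
TASK_NAME = re.compile(r"/tn\s+[\"']?([^\s\"']+)", re.IGNORECASE)


def classify(event: ProcEvent) -> list[str]:
    """Return a list of findings (empty when the event looks benign)."""
    findings = []
    image_name = ntpath.basename(event.image).lower()
    parent_name = ntpath.basename(event.parent_image).lower()

    if SCHTASKS_HIDDEN_PS.search(event.command_line):
        tn = TASK_NAME.search(event.command_line)
        name = tn.group(1) if tn else "<unknown>"
        findings.append(
            f"T1053.005 scheduled task '{name}' launches hidden PowerShell (T1564.003)"
        )
        if name.lower() == "comsurrogate":
            findings.append("task name COMSurrogate matches the Colibri persistence task")

    # Get-Variable is a cmdlet, never a Windows executable, so a process image
    # named Get-Variable.exe is a search-order-hijack artefact wherever it lives.
    if image_name == "get-variable.exe":
        findings.append("T1574.008 Get-Variable.exe executed from " + ntpath.dirname(event.image))
        if parent_name == "powershell.exe":
            findings.append("parent is powershell.exe: consistent with cmdlet-name hijack")

    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that triggered a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}


# Constructed sample telemetry (paths and user name are made up for the example).
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line='schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 '
                     '/sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"',
        parent_image=r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    ),
    ProcEvent(  # the task firing: hidden PowerShell alone is not conclusive
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe -windowstyle hidden",
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    ProcEvent(  # the hijack: a fake Get-Variable.exe started by PowerShell
        image=r"C:\Users\alice\AppData\Local\Temp\Get-Variable.exe",
        command_line="Get-Variable.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
    ProcEvent(  # benign scheduled task
        image=r"C:\Windows\System32\schtasks.exe",
        command_line='schtasks.exe /create /tn NightlyBackup /sc daily /tr "C:\\Tools\\backup.exe"',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image)
        for hit in hits:
            print("   ", hit)
```

The second sample event is deliberately left unflagged: hidden PowerShell on its own is common in administration scripts, so the rules key on the task-creation command and on the impossible executable name rather than on the PowerShell launch. Each finding carries the MITRE ID from the list above so alerts can be mapped back to the technique.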
Indicators of Compromise
- [Hash] Context – 666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d, 54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77
- [Domain] Context – securetunnel.co (remote server used to load template and final payload)
- [Filename] Context – Get-Variable.exe, trkal0.dot (files used in persistence and remote template injection)