Newly Discovered SharkLoader Malware Targets Diverse Global Organizations
TL;DR: Kaspersky has identified a new malware family known as SharkLoader, which serves as a loader for deploying Cobalt Strike Beacon across various geographical regions and sectors. The campaign utilizes multiple exploitation vectors targeting vulnerabilities in internet-facing applications, indicating both opportunistic and strategic motivations.
Main Analysis: Kaspersky’s investigation revealed SharkLoader’s emergence during attacks on a diplomatic organization in Indonesia. The malware functions primarily as a loader, enabling Cobalt Strike Beacon to operate on compromised systems. In addition to the diplomatic targets, the campaign has affected government entities in Taiwan, software development firms in various countries, and organizations in regions such as Hong Kong, Lebanon, Syria, Colombia, and North Macedonia. The broad victimology illustrates a diverse target scope instead of focusing on a specific industry.
SharkLoader employs multiple initial infection methods, prominently including the exploitation of vulnerabilities in internet-facing applications like Microsoft Exchange and Microsoft SharePoint. Notable vulnerabilities involved are CVE-2021-26855, CVE-2023-32315, and CVE-2024-36401 among others. The investigation suggests that attackers are likely using public exploit codes, indicating an opportunistic profile. After successful exploitation, SharkLoader establishes persistence via webshells and scheduled tasks configured to execute malicious variations of legitimate Windows applications.
The deployed components pair the legitimate SystemSettings.exe with a malicious SystemSettings.dll that the executable loads, which is how the payload gets executed. The infection chain also relies on DLL sideloading more generally and on custom droppers masquerading as genuine software installers.
Defensive Context: Organizations running or maintaining internet-facing applications, particularly the products named in Kaspersky’s investigation (Microsoft Exchange and Microsoft SharePoint), must remain vigilant against exploitation of unpatched vulnerabilities. Those in government or other sensitive sectors should additionally monitor network traffic for signs of Cobalt Strike activity.
Why This Matters: The potential for real-world impact is significant, particularly for entities handling sensitive governmental or developmental processes. The combination of targeted espionage and opportunistic behavior poses a real danger, as the same tactics can be adapted to fit multiple operational objectives across various sectors.
Defender Considerations: Defenders should focus on threat hunting activities aimed at detecting anomalous behavior related to the use of Cobalt Strike, especially within enterprise networks. Maintaining visibility into exploit attempts against mentioned CVEs will be crucial for defensive measures going forward.
Indicators of Compromise (IOCs):
- Malware Files:
  - SystemSettings.exe: D98F568496512E4F98670C61C97CB07A
  - SystemSettings.dll: AA3086BE652C8B20B0B29B2730D57119
  - DscCoreR.mui: A514D1BB62D7916475946FE7C07AC0AA
  - SyncRest.dat: 9CBD560F820C95D7C38342CD558CB5C6
- Domains:
  - connect-microsoft.com
  - ms-record.com
  - ms-record.top
  - ms-tray.top
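The following Python script is an added example, not Kaspersky’s tooling or code from the original report. It shows how a defender could triage endpoint and DNS telemetry against the IOCs listed above and hunt for the SystemSettings.exe / SystemSettings.dll sideloading pairing described earlier. The file hashes and domains are the ones from this page; the telemetry records, the DNS log format, the `known_names` set and the assumption that Windows-shipped binaries normally run from under `C:\Windows` are constructed for the example.

```python
"""IOC matching and DLL-sideloading triage over constructed sample telemetry.

Added example for this page (not Kaspersky's code). Hashes and domains are the
IOCs from the page; every log line and process record below is constructed.
"""
import hashlib
from pathlib import PureWindowsPath

# MD5 IOCs from the page, keyed lowercase so matching is case-insensitive.
IOC_MD5 = {
    "d98f568496512e4f98670c61c97cb07a": "SystemSettings.exe",
    "aa3086be652c8b20b0b29b2730d57119": "SystemSettings.dll",
    "a514d1bb62d7916475946fe7c07ac0aa": "DscCoreR.mui",
    "9cbd560f820c95d7c38342cd558cb5c6": "SyncRest.dat",
}
# C2 domains from the page.
IOC_DOMAINS = {"connect-microsoft.com", "ms-record.com", "ms-record.top", "ms-tray.top"}

# Assumption for this example: binaries shipped with Windows are expected to
# run from under this directory; a copy elsewhere is a hunting lead.
TRUSTED_ROOT = "c:\\windows"


def md5_hex(data: bytes) -> str:
    """MD5 of raw file bytes, matching the hash format used in the IOC list."""
    return hashlib.md5(data).hexdigest()


def match_hashes(file_records):
    """file_records: iterable of (path, md5_hex). Returns [(path, ioc_name)]."""
    hits = []
    for path, digest in file_records:
        name = IOC_MD5.get(digest.lower())
        if name:
            hits.append((path, name))
    return hits


def domain_matches(query: str) -> bool:
    """True for an IOC domain or any subdomain of it (not a mere substring)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def match_dns(log_lines):
    """Constructed log format: '<timestamp> <client_ip> <qtype> <qname>'.
    Returns [(client_ip, qname)] for queries that hit an IOC domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        client, qname = parts[1], parts[3]
        if domain_matches(qname):
            hits.append((client, qname))
    return hits


def sideload_candidates(process_events, known_names=frozenset({"systemsettings.exe"})):
    """process_events: list of {"image": exe_path, "modules": [dll_paths]}.
    Flags a known Windows binary name running outside TRUSTED_ROOT that loads
    a DLL with its own base name from its own directory (the SystemSettings.exe
    / SystemSettings.dll pairing from the page). Returns [(exe, dll)]."""
    flagged = []
    for ev in process_events:
        image = PureWindowsPath(ev["image"])
        if image.name.lower() not in known_names:
            continue
        image_dir = str(image.parent).lower()
        if image_dir == TRUSTED_ROOT or image_dir.startswith(TRUSTED_ROOT + "\\"):
            continue  # running from the expected location
        for mod in ev["modules"]:
            m = PureWindowsPath(mod)
            if (m.suffix.lower() == ".dll"
                    and m.stem.lower() == image.stem.lower()
                    and str(m.parent).lower() == image_dir):
                flagged.append((str(image), str(m)))
    return flagged


# --- constructed sample telemetry -------------------------------------------
SAMPLE_FILES = [
    ("C:\\ProgramData\\SyncSvc\\SystemSettings.exe", "D98F568496512E4F98670C61C97CB07A"),
    ("C:\\ProgramData\\SyncSvc\\SystemSettings.dll", "aa3086be652c8b20b0b29b2730d57119"),
    ("C:\\Windows\\System32\\notepad.exe", "00000000000000000000000000000000"),
]
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z 10.0.0.5 A ms-record.top",
    "2024-01-01T10:00:01Z 10.0.0.5 A cdn.ms-record.com",
    "2024-01-01T10:00:02Z 10.0.0.7 A example.com",
    "2024-01-01T10:00:03Z 10.0.0.8 A notms-tray.top",  # substring, not a match
]
SAMPLE_PROCS = [
    {"image": "C:\\ProgramData\\SyncSvc\\SystemSettings.exe",
     "modules": ["C:\\Windows\\System32\\kernel32.dll",
                 "C:\\ProgramData\\SyncSvc\\SystemSettings.dll"]},
    {"image": "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe",
     "modules": ["C:\\Windows\\System32\\kernel32.dll"]},
]


def triage():
    """Run all three sweeps over the constructed samples."""
    return {
        "hash_hits": match_hashes(SAMPLE_FILES),
        "dns_hits": match_dns(SAMPLE_DNS),
        "sideload": sideload_candidates(SAMPLE_PROCS),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

The hash sweep is exact-match only, so it will miss recompiled variants; the sideloading check is the more durable hunt because it keys on behaviour (a Windows binary name outside its expected root loading a same-named DLL beside it) rather than on a specific sample. Treat its output as leads to review, not verdicts.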
The analysis of SharkLoader highlights a combination of opportunistic targeting, leveraging publicly known exploits, and the use of sophisticated evasion techniques associated with established malware frameworks like Cobalt Strike. Continuous monitoring for indicators of compromise is essential as the threat landscape evolves.