Mystery hackers use novel SharkLoader dropper against governments, software devs
Kaspersky researchers have uncovered a previously unknown cyberattack campaign that has compromised government organizations and software development companies in multiple countries.
They first stumbled onto the campaign while investigating an attack on a diplomatic organization in Indonesia. What initially looked like an isolated incident revealed a global operation they’ve dubbed StrikeShark, due to the attackers’ use of a previously unknown dropper the researchers named SharkLoader.
How the attackers get in
The attackers gain access either by exploiting known vulnerabilities in internet-facing applications, or by tricking users into running malware-laced files disguised as legitimate software.
The list of exploited vulnerabilities is wide-ranging, spanning flaws in products from Microsoft (SharePoint, Exchange Server), Fortinet (FortiOS), Cisco (IOS XE), F5 (BIG-IP), Zimbra, Apache (Shiro), and Hikvision. Some of these date back as far as 2016.
All the vulnerabilities identified have publicly available (proof-of-concept) exploit code, suggesting the attackers rely on existing offensive resources rather than developing their own.
Though Kaspersky researchers were unable to pinpoint how the attackers distributed the SharkLoader dropper directly to employees at those organizations, they know the attackers have been disguising it as a Cisco AnyConnect VPN installer and a Google Update utility.
Some droppers displayed convincing decoy PDF documents, including one appearing to be a technical document about liquid rocket engine design, and another one related to a biological treatment process.
What happens once the attackers are inside
Once SharkLoader is running, it installs a Cobalt Strike beacon, a commercial penetration-testing tool that’s used for maintaining remote access and moving through networks.
The threat actor conducted extensive reconnaissance and credential theft, including dumping credentials from Windows memory and from Active Directory. Armed with those credentials, the attackers could potentially move freely through a victim’s entire network.
The malware itself is designed to stay hidden: it disguises its components as ordinary Windows system files, abuses a legitimate Windows application to load itself, and goes to great lengths to disable the security logging that defenders rely on to detect intrusions.
Who’s behind these attacks?
The campaign has hit government organizations in Taiwan, software development companies across multiple countries, and various entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and elsewhere.
Post-exploitation tools used in the campaign were developed by Chinese-speaking developers on GitHub, but that’s not a strong indicator that the attackers are also Chinese-speaking.
“Targeting of government and software development organizations may indicate a cyber-espionage objective, although our confidence remains low due to the limited post-compromise activity observed, which primarily consisted of credential access, system reconnaissance, and lateral movement,” Kaspersky researchers noted.
“At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems. The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”
The researchers weren’t able to establish direct links to any known hacking group.