SharkLoader Malware Weaponizes Cobalt Strike in StrikeShark Campaign


Key Takeaways

  • A new malware loader, SharkLoader, is being used to deploy Cobalt Strike Beacon on compromised systems.
  • The campaign, tracked as StrikeShark, has hit diplomatic, government, software‑development, and other entities across Asia, the Middle East, Latin America, and Europe.
  • Initial access relies on publicly disclosed vulnerabilities in Exchange Server, Openfire, and GeoServer, likely using PoC exploits from GitHub.
  • After gaining a foothold, attackers achieve persistence via web‑shell‑triggered DLL side‑loading (SystemSettings.exe → SystemSettings.dll) or via trojanized installer droppers masquerading as Google Update or Cisco AnyConnect.
  • SharkLoader employs Perfect DLL Hijacking to evade Windows Loader Lock, decrypting and loading malicious components that ultimately launch Cobalt Strike Beacon.
  • Post‑compromise activity includes Active Directory enumeration, credential theft (LSASS, NTDS), and the use of open‑source scanners such as FScan and Pillager.
  • No clear data exfiltration has been observed yet, but the toolset suggests espionage motives and the potential for later data theft.
  • The threat actors appear to be Chinese‑speaking, leveraging open‑source post‑exploitation tools, but no direct link to a known APT group has been established.

Overview of the StrikeShark Campaign
Kaspersky has identified a previously undocumented malware family called SharkLoader that functions as a loader for delivering Cobalt Strike Beacon. The activity is monitored under the name StrikeShark and has demonstrated a broad geographic footprint, targeting a diplomatic organization in Indonesia, multiple government bodies in Taiwan, software‑development firms worldwide, and entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The diverse victimology indicates an opportunistic, wide‑reaching operation rather than a narrowly focused espionage effort.


Initial Access Vectors
The attackers gain entry through three publicly known vulnerabilities. First, they exploit Microsoft Exchange Server, notably CVE‑2021‑26855 (ProxyLogon), to compromise the Indonesian diplomatic target. Second, they leverage a path‑traversal flaw in Openfire (CVE‑2023‑32315) against Taiwanese software‑development organizations. Third, they use a critical remote‑code‑execution bug in GeoServer (CVE‑2024‑36401) to hit a Colombian entity. These exploits are believed to be sourced from publicly available proof‑of‑concept code hosted on platforms such as GitHub, allowing the threat actors to act opportunistically against unpatched systems.


Persistence via DLL Side‑Loading
After establishing a foothold, the threat actors create persistence by deploying web shells that trigger a DLL side‑loading chain. The malicious web shell invokes the legitimate Windows binary SystemSettings.exe, which, due to a known DLL‑search‑order issue (CVE‑2021‑27076), loads a malicious SystemSettings.dll—the SharkLoader payload. This technique ensures the loader runs each time the executable is invoked, providing a stealthy mechanism to maintain access even after reboots or user logoffs.
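As an added detection example (not code from Kaspersky's report), the following Python checks simplified Sysmon-style process-creation and image-load records for the SystemSettings.exe pattern described above: the binary being spawned by a web-server worker process, or loading a SystemSettings.dll from outside a trusted Windows directory. The sample log lines, paths, field names and the list of web-server worker processes are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events in a simplified key=value form modelled on Sysmon
# ProcessCreate (EventID 1) and ImageLoad (EventID 7) records. The paths, the
# Signed flag and the web-shell directory are assumptions, not report IoCs.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe "
    "ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 Image=C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=1 Image=C:\\inetpub\\wwwroot\\aspnet_client\\SystemSettings.exe "
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    "EventID=7 Image=C:\\inetpub\\wwwroot\\aspnet_client\\SystemSettings.exe "
    "ImageLoaded=C:\\inetpub\\wwwroot\\aspnet_client\\SystemSettings.dll Signed=false",
]

# Assumed worker processes of the web stacks named in the report (IIS for
# Exchange, Java for Openfire/GeoServer); extend to match your environment.
WEB_WORKERS = {"w3wp.exe", "java.exe"}
# Directories from which a SystemSettings.dll load would be expected.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\immersivecontrolpanel\\")

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record into a dict (values hold no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(event: Dict[str, str]) -> Optional[str]:
    """Return an alert for the SystemSettings side-load pattern, else None."""
    if basename(event.get("Image", "")) != "systemsettings.exe":
        return None
    if event.get("EventID") == "1" and basename(event.get("ParentImage", "")) in WEB_WORKERS:
        return f"web-server worker {event['ParentImage']} spawned SystemSettings.exe"
    if event.get("EventID") == "7":
        dll = event.get("ImageLoaded", "")
        untrusted = not dll.lower().startswith(TRUSTED_DIRS) or event.get("Signed") != "true"
        if basename(dll) == "systemsettings.dll" and untrusted:
            return f"SystemSettings.exe side-loaded untrusted DLL {dll}"
    return None

def scan(lines: List[str]) -> List[str]:
    """Run every record through analyse() and collect the alerts in order."""
    return [alert for alert in (analyse(parse_event(l)) for l in lines) if alert]
```

Running scan(SAMPLE_EVENTS) flags only the two events tied to the web-shell chain; the legitimate launch from explorer.exe and the kernel32.dll load produce no alert.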


Alternative Distribution Through Trojanized Installers
In addition to the web‑shell route, StrikeShark distributes SharkLoader via custom dropper executables that masquerade as legitimate software installers or utilities, such as Google Update and Cisco AnyConnect. Once the user runs the seemingly benign installer, the dropper executes the SharkLoader malware. The exact delivery method for these droppers (e.g., phishing emails, malicious ads, compromised websites) remains unknown, but the use of familiar software names increases the likelihood of successful social engineering.


Decoy Documents as Lure Mechanisms
Some SharkLoader droppers employ decoy PDF documents to persuade victims to open the malicious file. These PDFs often appear as innocuous reports or invoices, leveraging curiosity to trigger execution. However, not all samples rely on this tactic; certain droppers function purely as delivery mechanisms without any visible lure, indicating flexibility in the attackers’ social‑engineering toolbox.


Perfect DLL Hijacking Evasion Technique
SharkLoader employs a sophisticated evasion method known as Perfect DLL Hijacking, described by security researcher Elliot Killick in October 2023. This technique abuses the Windows Loader Lock to execute malicious code while avoiding detection. The loader decrypts and loads a resource named DscCoreR.mui, which then decompresses and launches Cobalt Strike Beacon in a suspended thread. Additional components—SyncRes.dat (which installs API hooks via the Microsoft Detours library) and a MinHook DLL (hooking VirtualAlloc and Sleep)—are used to copy the Beacon’s shellcode into allocated memory and to evade memory scanners that look for executable (RWX) regions.


Execution Flow of Cobalt Strike Beacon
Once the API hooks are in place and the Cobalt Strike Beacon shellcode resides in the thread buffer, SharkLoader calls ResumeThread to resume the suspended thread, thereby initiating the Beacon’s execution. This staged approach—decryption, decompression, hooking, and thread resumption—allows the malware to blend with legitimate processes and reduces the likelihood of triggering heuristic or signature‑based defenses.


Post‑Compromise Reconnaissance and Credential Theft
After achieving persistence, the attackers conduct extensive reconnaissance. They enumerate Active Directory, harvest credentials by targeting the LSASS process and copying the NTDS.dit database file, and deploy open‑source scanners such as FScan, Searchall, and Pillager to map the internal network and identify valuable assets. These activities suggest a focus on intelligence gathering and lateral movement rather than immediate data exfiltration.


Potential Objectives and Future Threat Landscape
Although no active data exfiltration has been observed thus far, the targeting of governmental and software‑development entities points toward a cyber‑espionage motive, possibly aimed at acquiring political intelligence or proprietary intellectual property. The use of Cobalt Strike—a versatile post‑exploitation framework—means the operators could later employ its file‑operation and exfiltration modules to steal data. Kaspersky notes that the campaign’s reliance on publicly available exploits and tools indicates an opportunistic element: the attackers may simply be capitalizing on any vulnerable, internet‑facing system they encounter, with strategic goals evolving as the operation progresses.


Conclusion
The StrikeShark campaign exemplifies how threat actors combine n‑day vulnerabilities, legitimate‑looking lures, and advanced loader techniques like Perfect DLL Hijacking to deploy powerful tools such as Cobalt Strike. While current evidence leans toward espionage, the lack of observed exfiltration does not rule out future data theft. Organizations should prioritize patching the cited Exchange, Openfire, and GeoServer flaws, enforce strict application‑control policies to block unsigned or masqueraded installers, monitor for abnormal DLL side‑loading activity, and employ behavioral detection to spot the characteristic API‑hooking patterns used by SharkLoader. Implementing these defenses will reduce the likelihood of initial infection and limit the attackers’ ability to establish persistent footholds.
