New SharkLoader malware campaign deploys Cobalt Strike Beacon

As noted by The Hacker News, a newly discovered cyberattack campaign, dubbed StrikeShark by Kaspersky, is deploying a previously undocumented malware family called SharkLoader. This malware serves as a loader for Cobalt Strike Beacon on compromised hosts.

The StrikeShark campaign exhibits a broad geographic reach, targeting a diplomatic organization in Indonesia, government entities in Taiwan, software development companies globally, and other sectors in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. While no direct links to known threat actors exist, the use of open-source tools like FScan and Pillager suggests a Chinese-speaking threat actor.

Initial access is gained through exploitation of vulnerabilities in Exchange Server (CVE-2021-26855), Openfire (CVE-2023-32315), and GeoServer (CVE-2024-36401), among others. SharkLoader is delivered via web shells or custom dropper executables disguised as legitimate software. It employs Perfect DLL Hijacking to bypass Windows Loader Lock, ultimately decrypting and loading Cobalt Strike Beacon.

Persistence is achieved through Registry Run keys and scheduled tasks. The campaign includes extensive reconnaissance, Active Directory enumeration, and credential theft. The ultimate goals remain unclear, but the targeting suggests potential cyber espionage for political intelligence or intellectual property, or opportunistic targeting of vulnerable systems.

Source: The Hacker News