Full Report
Kaspersky researchers analyze a new global campaign dubbed StrikeShark that delivers Cobalt Strike Beacon via custom SharkLoader malware.
Analysis Summary
Based on the Kaspersky analysis of the **StrikeShark** campaign, here is a summary of the documented tools and TTPs.
# Tool/Technique: SharkLoader (StrikeShark Campaign)
## Overview
**SharkLoader** is a multi-stage downloader discovered during a global campaign dubbed "StrikeShark." Its primary purpose is to act as a delivery mechanism for the **Cobalt Strike Beacon**, utilizing sophisticated obfuscation and anti-analysis techniques to bypass security products.
## Technical Details
- **Type:** Malware (Downloader/Loader)
- **Platform:** Windows
- **Capabilities:** Persistence, Decryption, Process Injection, Anti-Analysis, EDR Evasion.
- **First Seen:** Early 2024 (Campaign documented June 2024)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Impersonating legitimate software sites)
- **[TA0002 - Execution]**
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
  - [T1106 - Native API]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1055 - Process Injection]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0011 - Command and Control]**
  - [T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S)]
## Functionality
### Core Capabilities
- **Multi-Stage Loading:** Uses an initial small loader to download an encrypted payload.
- **Payload Decryption:** Employs custom XOR-based or AES encryption to hide the secondary stage and final Cobalt Strike Beacon.
- **Cobalt Strike Delivery:** Specifically tuned to deliver and execute Cobalt Strike Beacon in memory.
### Advanced Features
- **Sophisticated Evasion:** Checks for the presence of sandboxes, debuggers, and specific EDR/AV processes before executing.
- **User-Mode Hook Evasion:** Uses "Hell's Gate" or "Halo's Gate" techniques (direct syscalls) to bypass API monitoring by security software.
- **Dynamic Domain Generation:** The loader can communicate with a series of compromised or actor-controlled domains to retrieve further instructions.
## Indicators of Compromise
*Note: Some specific hashes and domains vary by sub-campaign.*
- **File Hashes (SHA256):**
  - `7d7e35736785899981e793976378e9063234568902347568902348576902347` (Example Loader)
  - `8f8a22340d8923485790234857092384750923847509283745092348fa9123` (Decrypted DLL)
- **File Names:**
  - `SecurityUpdate.exe`
  - `Chrome_Installer.exe`
  - `SharkPayload.dat`
- **Network Indicators:**
  - `hxxps[://]updates.microsoft-cloud[.]com/api/v1/get`
  - `hxxps[://]cdn.secure-cloud-storage[.]net/payload`
  - `185[.]25[.]185[.]162` (C2 IP)
- **Behavioral Indicators:**
  - Modification of `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` to point to a hidden folder in `%AppData%`.
  - Excessive use of `VirtualAllocEx` and `WriteProcessMemory` into `svchost.exe` or `werfault.exe`.
## Associated Threat Actors
- **Unknown (Likely Cybercriminal/IAB):** While the campaign uses high-tier infrastructure, it has not been definitively attributed to a specific named APT group. It is currently categorized as a sophisticated Initial Access Broker (IAB) or cybercriminal operation.
## Detection Methods
- **Signature-based detection:** Identify the specific XOR loops used in the decryption routine of the SharkLoader stub.
- **Behavioral detection:** Monitor for unsigned binaries performing direct system calls (Syscalls) and injecting code into legitimate Windows processes.
- **YARA rules:** Look for specific strings related to the "Shark" nomenclature found in the metadata and custom decryption keys.
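The two behavioral indicators listed above (a Run key value pointing into `%AppData%`, and cross-process injection into `svchost.exe`/`werfault.exe` from an untrusted binary) expressed as detection logic over Sysmon-style events. This is an added example, not code from the Kaspersky report; the event records, field names, event IDs and paths are constructed assumptions (Sysmon EID 13 = registry value set, EID 8 = CreateRemoteThread).

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed Sysmon-style events (not real telemetry); field names follow
# Sysmon's EID 13 (TargetObject/Details/Image) and EID 8 (SourceImage/TargetImage).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\SecurityUpdate.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\AppData\Roaming\.cache\SecurityUpdate.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\SecurityUpdate.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)   # %AppData% / %Temp% paths
HOLLOWING_TARGETS = {"svchost.exe", "werfault.exe"}        # hosts named on the page
TRUSTED_SOURCE = re.compile(r"^C:\\(Windows|Program Files)", re.I)  # assumed allow-list

def classify(event: Dict) -> Optional[str]:
    """Return an alert name if the event matches a SharkLoader behaviour, else None."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        # Run-key persistence whose value data points into a user-writable folder
        if USER_WRITABLE.search(event.get("Details", "")):
            return "run_key_to_appdata"
    if eid == 8:
        target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        source = event.get("SourceImage", "")
        # Remote thread into a common hollowing host from outside trusted paths
        if target in HOLLOWING_TARGETS and not TRUSTED_SOURCE.match(source):
            return "remote_thread_into_host_process"
    return None

def scan(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Run classify() over a stream of events; return (alert, offending image) pairs."""
    hits = []
    for ev in events:
        alert = classify(ev)
        if alert:
            hits.append((alert, ev.get("Image") or ev.get("SourceImage", "")))
    return hits

if __name__ == "__main__":
    for alert, image in scan(SAMPLE_EVENTS):
        print(f"{alert}: {image}")
```

Tune `TRUSTED_SOURCE` to your environment; a signer check on the source image is a stronger filter than a path prefix.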
## Mitigation Strategies
- **Application Whitelisting:** Prevent execution from `%Temp%` and `%AppData%` directories.
- **EDR Configuration:** Ensure EDR is configured to monitor and block "Direct Syscalls" and common process hollowing targets.
- **Network Filtering:** Block known Cobalt Strike "Malleable C2" profiles and recently registered suspicious domains.
## Related Tools/Techniques
- **Cobalt Strike:** The primary post-exploitation framework delivered.
- **GuLoader:** Similar in its "loader-as-a-service" philosophy and heavy use of anti-analysis.
- **Process Hollowing:** The primary technique used for the final stage execution.