SharkLoader

Attack chains involve the two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon)... or through a path traversal vulnerability impacting Openfire (CVE-2023-32315)... or a critical remote code execution bug in GeoServer (CVE-2024-36401)... Other remote code execution and authentication bypass vulnerabilities weaponized by the threat actor are listed below...

In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file.

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe"...

The attackers gain access either by exploiting known vulnerabilities in internet-facing applications, or by tricking users into running malware-laced files disguised as legitimate software.

Once the DLL is loaded, SharkLoader implements what's called Perfect DLL Hijacking... to execute malicious code while bypassing Windows Loader Lock.

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe"...

Registry Run key : In the incident that affected an organization in Hong Kong, the attacker manually created a registry Run key to launch SystemSettings.exe upon user logon. The following command was used: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MFUpdate"

Upon gaining a foothold, the threat actors establish persistence by deploying web shells to trigger a DLL side-loading chain involving "SystemSettings.exe"... to deliver SharkLoader ("SystemSettings.dll").

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe" either when a user logs in...

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe"...

Specifically, it's engineered to decrypt and load "DscCoreR.mui," which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state... Finally... the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon.

Researchers observed parent process ID spoofing as well, making malicious child processes appear as if they were launched by the legitimate svchost.exe process.

While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of "SystemSettings.exe" either when a user logs in...

A second method used by StrikeShark to distribute the loader is via custom dropper executables masquerading as legitimate software installers or applications like Google Update and Cisco AnyConnect...

The malware itself is designed to stay hidden: it disguises its components as ordinary Windows system files

Specifically, it's engineered to decrypt and load "DscCoreR.mui," which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state... Finally... the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon.

goes to great lengths to disable the security logging that defenders rely on to detect intrusions

The second fired every second immediately after deployment, then was removed after about 1.5 seconds

Researchers observed parent process ID spoofing as well, making malicious child processes appear as if they were launched by the legitimate svchost.exe process.

One of those modules, DscCoreR.mui, is decrypted using a Blowfish cipher and contains the Cobalt Strike Beacon shellcode. Another module, SyncRes.dat, uses AES-128 encryption

One of the earliest observed actions involved copying the legitimate Windows application SystemSettings.exe to a new location before executing it... This application was later abused as part of a DLL sideloading chain used to launch SharkLoader.

The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques

Once the DLL is loaded, SharkLoader implements what's called Perfect DLL Hijacking... to execute malicious code while bypassing Windows Loader Lock.

the loader decrypts and executes additional encrypted modules entirely in memory, never writing the final payload to disk.

Registry Run key : In the incident that affected an organization in Hong Kong, the attacker manually created a registry Run key to launch SystemSettings.exe upon user logon. The following command was used: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MFUpdate"

The second hook, on the Sleep API, is used when Cobalt Strike Beacon calls Sleep... It temporarily modifies the memory protection of the tracked allocation regions... before invoking the original Sleep function. After the sleep period ends, the malware restores the memory protection... This behavior suggests that the malware developer implemented this mechanism to evade memory scanning techniques

Once SharkLoader is running, it installs a Cobalt Strike beacon

The campaign also hooks Windows event logging functions such as EtwEventWrite and EventWrite, forcing them to return empty values and blinding any monitoring tools that rely on system logs.