Cybersecurity researchers have identified a new malware loader, dubbed SharkLoader, which is being distributed through counterfeit software installers. This sophisticated tool is designed to deliver Cobalt Strike Beacon, a well-known post-exploitation framework, onto compromised systems. The campaign combines traditional social engineering tactics with advanced evasion techniques to infiltrate networks undetected.
The threat actors, referred to as StrikeShark, employ a dual-pronged approach to gain access to target systems. They exploit known vulnerabilities in software such as Microsoft Exchange, SharePoint, Fortinet appliances, and Cisco IOS XE. Simultaneously, they distribute malicious droppers disguised as legitimate tools like Cisco AnyConnect and Google Update. This strategy allows them to reach victims without developing new exploits, leveraging existing software flaws and user trust in familiar applications.
Analysts at PolySwarm have documented SharkLoader after examining samples associated with this ongoing intrusion campaign. Their research indicates that the malware is not merely a simple downloader but a carefully engineered loader designed to evade detection at every stage. It decrypts and executes its payload almost entirely in memory, leaving minimal traces for antivirus tools to detect.
Confirmed victims include government agencies, diplomatic missions, and software firms across countries such as Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. This wide distribution suggests that the operators are targeting a broad range of entities rather than focusing on a specific sector. However, the concentration of attacks on diplomatic and government networks raises concerns about potential intelligence-gathering objectives.
Exploitation of Trusted Software Installers
A notable aspect of this campaign is the use of trusted software installers to deliver malware. By packaging SharkLoader within installers branded to resemble Cisco AnyConnect or Google Update, the attackers exploit users’ trust in these familiar applications. When launched, these counterfeit installers surreptitiously deploy the loader while the victim believes they are updating legitimate software.
Once executed, SharkLoader employs DLL side-loading techniques, often by hijacking a legitimate Windows program named SystemSettings.exe to load a malicious file called SystemSettings.dll. Since the visible process is a genuine, signed Windows component, security tools that rely on file reputation alone may not flag any anomalies. Additionally, researchers have observed the malware utilizing Perfect DLL Hijacking, which manipulates internal Windows loader behavior to execute malicious threads while bypassing security mechanisms.
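The side-loading pattern described above can be hunted in image-load telemetry. The following is an added example written for this page, not code from PolySwarm or the report; it checks constructed Sysmon Event ID 7 style records (Image, ImageLoaded) for a watched host binary running outside the Windows directory or loading a DLL from a user-writable path. The C:\Windows trusted root and the sample paths are assumptions.

```python
"""Flag the SystemSettings.exe DLL side-loading pattern in image-load telemetry.

Added example, not code from the PolySwarm report. Records are constructed in
the shape of Sysmon Event ID 7 (Image loaded) fields; the trusted root and the
ImmersiveControlPanel location are assumptions.
"""
from pathlib import PureWindowsPath

# Signed host binaries the report says SharkLoader abuses for side-loading.
WATCHED_HOSTS = {"systemsettings.exe"}
# Assumption: anything under the Windows directory is not user-writable.
TRUSTED_ROOT = PureWindowsPath(r"C:\Windows")

# Constructed sample telemetry (not real indicators from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate\SystemSettings.dll"},
    {"Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Users\Public\SystemSettings.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll"},
]


def _under_windows(path):
    # PureWindowsPath comparisons are case-insensitive, so C:\WINDOWS matches too.
    return path.is_relative_to(TRUSTED_ROOT)


def classify(event):
    """Return a reason string when the load looks like side-loading, else None."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in WATCHED_HOSTS:
        return None
    # The signed host copied out of the Windows directory (e.g. into an
    # installer's temp folder, beside the planted DLL) is the classic setup.
    if not _under_windows(image.parent):
        return "host-binary-relocated"
    # A system-directory process resolving a DLL to a user-writable path is
    # the other tell worth an alert.
    if not _under_windows(dll.parent):
        return "dll-outside-windows"
    return None


def scan(events):
    """Run classify over a batch of records and keep only the hits."""
    return [(e["Image"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{reason:22} {image}")
```

Pair this with signature checks on the loaded DLL, since the host process itself will look legitimate by file reputation alone.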
Advanced Evasion Techniques and Persistence
SharkLoader incorporates multiple evasion techniques to maintain stealth and persistence within compromised systems. The malware hooks various Windows API calls and redirects them to dynamically generated system calls, helping it evade detection by behavior-based security tools. It also interferes with Event Tracing for Windows logging and spoofs parent process IDs, blending its activities into normal system operations.
To establish persistence, the operators configure scheduled tasks that run every five minutes, create registry run keys, and set up additional scheduled tasks with SYSTEM-level privileges. Following initial access, they conduct reconnaissance, enumerate Active Directory environments, and deploy additional payloads to achieve their objectives.
The emergence of SharkLoader underscores the evolving tactics of cybercriminals who exploit both technical vulnerabilities and human trust. Organizations must remain vigilant, ensuring that software updates are obtained from official sources and that systems are regularly patched to mitigate known vulnerabilities. Implementing robust security measures, including behavior-based detection systems and user education programs, is crucial in defending against such sophisticated threats.