Hackers Exploit Fake Cisco and Google Updates to Deploy SharkLoader Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign that leverages counterfeit software installers to infiltrate systems across multiple countries. Attackers are disguising malicious payloads as legitimate applications, notably Cisco AnyConnect and Google Update, to deceive users into executing them. Upon activation, these installers deploy a custom loader known as SharkLoader, which subsequently installs the Cobalt Strike Beacon, granting attackers extensive remote access and control over compromised machines.

The campaign, identified as “StrikeShark,” has been observed targeting entities in Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. Victims include government agencies, diplomatic organizations, and software development firms, indicating a blend of strategic and opportunistic targeting by the threat actors.

Exploitation of Known Vulnerabilities

To gain initial access, the attackers exploit known vulnerabilities in widely deployed, internet-facing enterprise products: Microsoft Exchange, Microsoft SharePoint, Fortinet FortiOS, and Cisco IOS XE. Because the exploit code is publicly available, the campaign appears largely opportunistic: whichever unpatched, reachable system is found becomes the foothold. In practice that means exposure, not perceived importance, decides who is hit, so inventory and patch status for these four product families matter more than whether an organisation considers itself a likely target.

Deceptive Delivery Methods

A notable aspect of this campaign is the use of fake software installers that closely mimic legitimate applications. In one instance, the dropper contained a genuine Cisco AnyConnect VPN installer. When executed, the authentic installer ran as expected, creating the illusion of normalcy, while SharkLoader components were silently written to hidden directories in the background. Because the embedded installer is genuine, inspecting it proves nothing about the dropper that unpacked it; the file to verify, by code signature and by download origin, is the one the user actually downloaded and ran. The dropper also used files named GoogleUpdateStepup.exe and AutoUpdate.exe to masquerade as routine update utilities, and some samples dropped decoy PDF documents to hold the user's attention while the malware installed itself.

To maintain persistence, the malware created two Windows scheduled tasks. The first ran every five minutes so that the loader was relaunched if it ever stopped. The second ran every second immediately after deployment, evidently a one-shot launcher, and was removed after its initial run. Both are detectable: where task auditing is enabled, task creation and deletion are written to the Security log (event IDs 4698 and 4699), and a task that is created and deleted within seconds, or that repeats at one-second or five-minute intervals, is unusual enough to alert on.
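As an added example (not code from the researchers or from the article), the following Python script hunts for exactly those two patterns in exported Security log events: a task whose repetition interval is five minutes or shorter, and a task deleted within a minute of its creation. It assumes task auditing is on, that events have been exported as (event id, timestamp, task name, task XML) tuples, and uses constructed sample events with a hypothetical drop path; none of these details come from the article.

```python
"""Hunt for SharkLoader-style scheduled-task persistence in Windows Security
log events 4698 (task created) and 4699 (task deleted).

Assumptions (not from the article): task auditing is enabled, the events have
been exported as (event_id, timestamp, task_name, task_xml) tuples, and the
SAMPLE_EVENTS below are constructed for illustration, including the drop path.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by Task Scheduler XML (the TaskContent field of event 4698).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def parse_iso_duration(value: str) -> timedelta:
    """Parse the ISO 8601 duration subset Task Scheduler uses (PT5M, PT1S, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def repetition_intervals(task_xml: str) -> list:
    """Return every trigger repetition interval declared in the task XML."""
    root = ET.fromstring(task_xml)
    return [parse_iso_duration(e.text)
            for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]


def task_command(task_xml: str) -> str:
    """Return the executable the task launches, or '' if it has no Exec action."""
    cmd = ET.fromstring(task_xml).find(".//t:Exec/t:Command", TASK_NS)
    return cmd.text if cmd is not None and cmd.text else ""


def hunt(events, max_interval=timedelta(minutes=5), max_lifetime=timedelta(seconds=60)):
    """Flag tasks that repeat at or under max_interval ('short_interval') and
    tasks deleted within max_lifetime of creation ('short_lived').
    Returns a list of (kind, task_name, detail, command) tuples."""
    findings = []
    created = {}  # task name -> creation timestamp, until a 4699 arrives
    # Sort by time, with 4698 ahead of 4699 when timestamps tie.
    for event_id, ts, name, xml_text in sorted(events, key=lambda e: (e[1], e[0])):
        if event_id == 4698:
            created[name] = ts
            for interval in repetition_intervals(xml_text):
                if interval <= max_interval:
                    findings.append(("short_interval", name,
                                     f"{interval.total_seconds():.0f}s",
                                     task_command(xml_text)))
        elif event_id == 4699 and name in created:
            lifetime = ts - created.pop(name)
            if lifetime <= max_lifetime:
                findings.append(("short_lived", name,
                                 f"{lifetime.total_seconds():.0f}s", ""))
    return findings


def make_task_xml(interval: str, command: str) -> str:
    """Build a minimal Task Scheduler XML document for the sample events."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Triggers><TimeTrigger>'
            f"<Repetition><Interval>{interval}</Interval></Repetition>"
            f"</TimeTrigger></Triggers><Actions><Exec><Command>{command}"
            f"</Command></Exec></Actions></Task>")


# Constructed sample events; the path below is hypothetical, not an indicator.
T0 = datetime(2024, 1, 1, 10, 0, 0)
HIDDEN = r"C:\ProgramData\Hidden\AutoUpdate.exe"
SAMPLE_EVENTS = [
    (4698, T0, r"\DailyBackupSync", make_task_xml("P1D", r"C:\Tools\backup.exe")),
    (4698, T0 + timedelta(seconds=5), r"\UpdateCheck", make_task_xml("PT5M", HIDDEN)),
    (4698, T0 + timedelta(seconds=5), r"\UpdateCheckOnce", make_task_xml("PT1S", HIDDEN)),
    (4699, T0 + timedelta(seconds=7), r"\UpdateCheckOnce", ""),
]

if __name__ == "__main__":
    for kind, name, detail, command in hunt(SAMPLE_EVENTS):
        print(f"{kind:15} {name:20} {detail:>5} {command}")
```

The daily task is ignored, the five-minute task is flagged on interval alone, and the one-second task is flagged twice: once for its interval and once because it was deleted two seconds after creation. In a real hunt, feed it the 4698/4699 events from a SIEM export and review the flagged commands, which in this campaign pointed at files in hidden directories.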

Attribution of this campaign remains preliminary. Researchers have noted that several post-exploitation tools observed, including FScan, Searchall, and Pillager, were developed by Chinese-speaking individuals. However, no confirmed link to any known hacking group has been established, and investigations into the campaign’s full scope are ongoing.

This campaign underscores two points. First, the initial access was unremarkable: public exploits against unpatched Exchange, SharePoint, FortiOS and IOS XE, so patching and exposure reduction for those products removes the opportunistic entry point. Second, a trojanised installer that bundles the genuine product looks normal to the user who runs it, so software should be obtained only from vendor sources, its signature checked on the downloaded file itself, and endpoint monitoring should alert on the behaviour that follows: short-interval or short-lived scheduled tasks, executables written to hidden directories under update-utility names, and Cobalt Strike beaconing from the host.