SILKLOADER malware by Chinese hackers will leave you stunned


Cyber security company WithSecure has found the use of SILKLOADER malware, which enables the attackers behind it to load Cobalt Strike onto infected machines.

“During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we’re tracking as SILKLOADER.”

Modus operandi: Working in stages

The attack proceeds in stages and is designed to compromise the victim without being detected.

  • The first stage (shellcode loader): The threat actor did not modify and compile the open-source code to create the malicious libvlc.dll files. Instead, the malicious DLLs were created from scratch. These DLLs are designed to mimic the legitimate libvlc.dll file by including export function names found in the legitimate version.
  • Anti-sandbox checks: The loader contains three anti-sandbox checks that will cause execution to terminate:
    1. It checks if the username (retrieved via GetUserNameW) is “vbccsb”. This is the default username used by ThreatBook Cloud Sandbox, a platform primarily used within the Chinese cybersecurity sphere.
    2. It checks if the process command line contains the word “TRANSFER”. This is likely an anti-sandbox check for VirusTotal sandboxes.
    3. It checks if the process name (VLC executable) matches a hard-coded value.
  • The second stage (shellcode): The loaded shellcode contains a stub that calls a decoder located at the end of the loaded shellcode to decode another stub.

History of such attacks

The initial SILKLOADER samples found were maliciously crafted libvlc.dll files designed to be dropped alongside a legitimate but renamed VLC binary. 

Execution of the binary causes the malicious DLL to be side-loaded. It is worth noting that side-loading malware through VLC Media Player is a technique that has previously been used by threat actors.

Operations leveraging DLL side-loading techniques to launch Cobalt Strike beacons, such as LithiumLoader, have also been observed in the past.
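The side-loading pattern just described, as an added detection example (not code from the PureVPN article or from WithSecure): a filter over constructed Sysmon-style image-load records that flags a libvlc.dll loaded by a renamed VLC binary from outside the VLC install directory. The field names (Image, ImageLoaded, OriginalFileName) and the trusted-directory list are assumptions, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Assumed locations of a genuine VLC install (placeholder list, adjust per estate).
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)

def _in_trusted_dir(path) -> bool:
    """True if the file sits in (or below) an assumed-genuine VLC install directory."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_VLC_DIRS)

def side_load_indicators(event: dict) -> list:
    """Return the reasons (empty if none) a libvlc.dll load looks like SILKLOADER-style side-loading."""
    reasons = []
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != "libvlc.dll":
        return reasons  # only libvlc.dll loads are in scope for this pattern
    proc = PureWindowsPath(event["Image"])
    # The process is VLC by its embedded original file name, but the file on disk was renamed.
    if event.get("OriginalFileName", "").lower() == "vlc.exe" and proc.name.lower() != "vlc.exe":
        reasons.append("renamed VLC binary")
    # A DLL built from scratch and dropped next to the renamed binary is not in the install directory.
    if not _in_trusted_dir(loaded):
        reasons.append("libvlc.dll outside VLC install directory")
        if loaded.parent == proc.parent:
            reasons.append("libvlc.dll co-located with the host binary")
    return reasons

# Constructed sample records in Sysmon event ID 7 style: a benign VLC start and a side-load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"Image": r"C:\Users\Public\update\updater.exe", "OriginalFileName": "vlc.exe",
     "ImageLoaded": r"C:\Users\Public\update\libvlc.dll"},
]

def triage(events) -> list:
    """Return (index, reasons) for every record that carries at least one indicator."""
    hits = []
    for i, event in enumerate(events):
        reasons = side_load_indicators(event)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(reasons)}")
```

A portable VLC install will also trigger the location indicators, so the "renamed VLC binary" reason is the one that separates the SILKLOADER pattern from benign use.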

“In some of the analyzed intrusions, SILKLOADER was used to gain a foothold in a client estate to conduct post-exploitation activities after initial access.”

“The usage of SILKLOADER by PLAY ransomware operators was further confirmed by an incident response engagement reported by Sophos where similar TTPs and the usage of SILKLOADER led to a confirmed deployment of PLAY ransomware.”

Ending note

Outcome-based cyber security that protects and enables operations has become essential today. Our online activity requires AI-driven protection, secured endpoints and cloud collaboration, and intelligent detection and response.

Every company needs a system run by experts who identify business risks by proactively hunting for threats and confronting live attacks. Evidence-based security protocols must also be in place for robust security measures.

Author: PureVPN

Date: March 20, 2023
