Chinese malware downloader Silkloader fell into the hands of Russian hackers
Investigating cyber threats is about to become harder, because unrelated groups of attackers are increasingly using the same malicious tools.
Threat researchers at WithSecure have disclosed how cybercriminal groups trade hacking tools with one another. The tool the research team tracks as Silkloader is a beacon loader: it abuses DLL sideloading in VLC Media Player to load and run a beacon for the Cobalt Strike command-and-control (C2) framework.
“Cobalt Strike beacons are very well known, and their detection on a protected machine is almost guaranteed. However, the attackers use the popular legitimate application VLC Media Player, which is susceptible to sideloading of malicious DLLs. In this way, attackers really do manage to bypass anti-virus solutions and inject malware,” said WithSecure researchers.
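The detection angle that follows from the researchers' point is that the signed media-player binary itself looks legitimate, so a defender has to look at where the binary is running from and where the DLLs it maps come from. The script below is an added illustration, not WithSecure's detection logic and not derived from any Silkloader sample: it runs a location-based sideloading heuristic over a few constructed image-load records whose fields are modelled on Sysmon Event ID 7 (Image Loaded). The article does not name the DLL that Silkloader plants, and the example does not assume one; the install directories, the `vlc.exe` host name and every path in the sample records are assumptions chosen for illustration.

```python
"""Heuristic detection of DLL sideloading through a legitimate media-player binary.

Added example with constructed sample records; not WithSecure's detection logic.
Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus).
All paths and directory lists below are assumptions for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: where a legitimately installed VLC lives on a standard Windows host.
TRUSTED_INSTALL_DIRS = (
    PureWindowsPath(r"C:\Program Files\VideoLAN\VLC"),
    PureWindowsPath(r"C:\Program Files (x86)\VideoLAN\VLC"),
)
# System directories from which any process is expected to map DLLs.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)
# Host binaries whose image loads we scrutinise (assumption: the VLC executable name).
WATCHED_HOSTS = {"vlc.exe"}


@dataclass
class ImageLoad:
    image: str             # process that performed the load (Sysmon "Image")
    image_loaded: str      # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _under(path: PureWindowsPath, roots) -> bool:
    """True if path equals one of roots or sits below it (case-insensitive on Windows paths)."""
    return any(path == root or root in path.parents for root in roots)


def findings(events):
    """Return (host image, loaded DLL, reasons) for loads that look like sideloading.

    Location anomalies are the triggers; an unsigned or invalid DLL signature is
    added as supporting context only when a location check already fired, so that
    unsigned plugin DLLs inside a proper install do not create noise on their own.
    """
    out = []
    for ev in events:
        host = PureWindowsPath(ev.image)
        if host.name.lower() not in WATCHED_HOSTS:
            continue
        dll = PureWindowsPath(ev.image_loaded)
        reasons = []
        if not _under(dll, SYSTEM_DIRS) and not _under(dll, TRUSTED_INSTALL_DIRS):
            reasons.append(f"DLL mapped from untrusted directory: {dll.parent}")
        if not _under(host, TRUSTED_INSTALL_DIRS):
            reasons.append(f"host binary running outside its install directory: {host.parent}")
        if reasons and (not ev.signed or ev.signature_status != "Valid"):
            reasons.append(f"loaded DLL signature status: {ev.signature_status}")
        if reasons:
            out.append((ev.image, ev.image_loaded, reasons))
    return out


# Constructed sample records: two benign loads from a normal install, one
# load pattern typical of a copied player binary with a DLL placed beside it.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\player\vlc.exe",
              r"C:\Users\alice\AppData\Local\Temp\player\libvlc.dll", False, "Unsigned"),
]


if __name__ == "__main__":
    for image, dll, reasons in findings(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the third record is reported, with three reasons: the DLL comes from a user-writable directory, the player binary itself is running from that same directory, and the mapped DLL is unsigned. The same logic transfers to any signed host application known to be abused for sideloading by extending `WATCHED_HOSTS` and `TRUSTED_INSTALL_DIRS`.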
According to the researchers, Silkloader was first observed last year, when Chinese hackers deployed it against targets in East Asia, mainly China and Hong Kong. That campaign waned and ended in July 2022. Then, towards the end of the year, WithSecure discovered a number of intrusions using the same Silkloader, this time in several European countries.
“We believe that Silkloader is currently being distributed within the Russian cybercrime ecosystem as a ready-made Packer-as-a-Service loader to ransomware groups or through the Cobalt Strike infrastructure,” said Hasan Nejad, an expert with WithSecure.
According to Nejad, it is likely that the Chinese operator of Silkloader, who may even have been an independent programmer, sold the loader to Russian hackers. Nejad suggests that the buyer may have been someone closely associated with the now defunct Conti faction.
Paolo Palumbo, vice president of WithSecure Intelligence, said the apparent availability of Silkloader as a service also highlights how difficult it can be to counter financially motivated cybercrime.
“Attackers are using the cybercrime industry to acquire new capabilities and technologies to quickly tailor their operations to suit their needs. This complicates expert investigation, because it is much more difficult to associate certain resources and tools with a specific group or mode of operation,” Palumbo said.
“On the other hand, this sharing of the same infrastructure by hackers gives us the opportunity to adhere to a certain vector of defensive strength, with which we can defend against several groups of attackers at the same time, creating strategies to effectively counter the resources they use,” the WithSecure vice president summed up optimistically.