Kaspersky's Global Research and Analysis Team (GReAT), the cybersecurity company's threat intelligence and incident response division, has identified a malware campaign dubbed StrikeShark that has targeted government agencies, diplomatic organizations and private sector companies in multiple regions using a previously undocumented malware loader.
According to Kaspersky, the campaign has affected diplomatic entities in Indonesia, government agencies in Taiwan, software development companies and organizations in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal and Serbia. The company said it has not attributed the activity to any known advanced persistent threat group and continues to monitor the operation.
Researchers found that the attackers relied on multiple entry points to compromise victim environments. Some intrusions exploited known vulnerabilities in internet facing applications, including Microsoft Exchange, Microsoft SharePoint and Openfire servers. In other cases, victims were lured into downloading malicious droppers disguised as legitimate software such as Google Update or Cisco AnyConnect installers. Kaspersky also analyzed samples that used PDF documents to persuade users to install the malware.
Once a system is compromised, the campaign deploys SharkLoader, a malware loader that uses DLL side loading with legitimate Windows applications to execute encrypted malicious modules. Those modules decrypt additional components that install API hooks to evade security controls before injecting Cobalt Strike Beacon, a penetration testing tool that threat actors often misuse for command and control, reconnaissance, lateral movement and data exfiltration.
“The StrikeShark campaign highlights the evolving threat landscape in which adversaries combine readily available attack tools with custom malware and advanced evasion techniques. The use of legitimate-looking lures and the exploitation of known vulnerabilities underscore the critical need for organisations to maintain rigorous patch management, robust endpoint detection and response, and comprehensive security awareness training for their employees,” comments Fareed Radzi, security researcher at Kaspersky GReAT.
Based on its investigation, Kaspersky recommends that organizations reduce exposure by applying software updates to address known vulnerabilities, deploying security tools capable of detecting malware droppers, providing cybersecurity awareness training for employees and using endpoint protection that can identify attacks during the early stages of an intrusion.
