Kaspersky GReAT has today announced the discovery of a new sophisticated malicious campaign – StrikeShark. The attackers targeted multiple organizations worldwide, including diplomatic entities in Indonesia, government agencies in Taiwan, software development companies and other organizations in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. The StrikeShark campaign uses a previously undocumented malware loader – SharkLoader – to infiltrate targeted systems. Kaspersky does not attribute this campaign to any known APT group at this time and continues to track its activity.
Several initial-access tactics were observed. These included the exploitation of vulnerabilities in internet-facing applications such as Microsoft Exchange, Microsoft SharePoint, and Openfire servers. In other instances, attackers delivered malicious droppers disguised as legitimate software such as Google Update or Cisco AnyConnect installers. Some of the analyzed dropper samples used PDF documents to trick victims into installing the malware without realizing it.
SharkLoader is a multi-stage loader built around several evasion techniques. After the initial infection, it uses DLL side-loading with various legitimate Windows applications to load encrypted malicious modules. These modules then decrypt and load additional components that install API hooks to evade detection mechanisms and ultimately inject and execute the Cobalt Strike Beacon, a legitimate penetration testing tool that threat actors frequently misuse for command and control, reconnaissance, lateral movement, and data exfiltration within compromised systems.
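The DLL side-loading stage described above is the point in the chain that defenders can most readily hunt for in endpoint telemetry: a legitimate signed executable loads a DLL whose name matches a Windows system library, but from its own directory instead of System32. The following is an added example, not Kaspersky's code and not derived from SharkLoader samples. It assumes module-load events of the form (process image path, loaded module path), as an EDR or Sysmon Event ID 7 feed would provide; the directory list, DLL name list and sample events are constructed for illustration.

```python
"""Heuristic triage of DLL side-loading from module-load telemetry.

Added example (not Kaspersky's code). Input rows are assumed to be
(process image path, loaded module path) pairs; the sample rows below
are constructed, not taken from a real incident.
"""
from pathlib import PureWindowsPath

# Directories from which Windows legitimately serves its own DLLs (assumption:
# a default C:\Windows installation).
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
}

# System DLL names that many applications import and that loaders commonly
# impersonate. Illustrative list, not exhaustive.
SYSTEM_DLL_NAMES = {
    "version.dll", "wtsapi32.dll", "dwmapi.dll",
    "uxtheme.dll", "cryptbase.dll", "profapi.dll",
}


def is_sideload_candidate(image_path: str, module_path: str) -> bool:
    """Return True when the module looks side-loaded: its file name is a known
    system DLL, it was not loaded from a system directory, and it lives in the
    same directory as the executable that loaded it (the classic search-order
    abuse pattern)."""
    img = PureWindowsPath(image_path)
    mod = PureWindowsPath(module_path)
    if mod.name.lower() not in SYSTEM_DLL_NAMES:
        return False
    mod_dir = str(mod.parent).lower()
    if mod_dir in SYSTEM_DIRS:
        return False  # resolved from the real system directory: normal
    return mod_dir == str(img.parent).lower()


def find_sideload_candidates(events):
    """Filter (image, module) rows down to those matching the heuristic."""
    return [(img, mod) for img, mod in events if is_sideload_candidate(img, mod)]


# Constructed sample telemetry: two benign loads, two side-load candidates.
SAMPLE_EVENTS = [
    # Benign: system DLL resolved from System32.
    (r"C:\Program Files\Vendor\tool.exe",
     r"C:\Windows\System32\version.dll"),
    # Suspicious: version.dll placed next to a copied executable in a
    # user-writable directory.
    (r"C:\Users\Public\Libraries\host.exe",
     r"C:\Users\Public\Libraries\version.dll"),
    # Benign: the vendor's own DLL with a non-system name in its install dir.
    (r"C:\Program Files\Vendor\tool.exe",
     r"C:\Program Files\Vendor\vendorcore.dll"),
    # Suspicious: dwmapi.dll loaded from the same AppData folder as the exe.
    (r"C:\Users\alice\AppData\Roaming\Update\update.exe",
     r"C:\Users\alice\AppData\Roaming\Update\dwmapi.dll"),
]

if __name__ == "__main__":
    for img, mod in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible side-load: {mod} loaded by {img}")
```

Treat a hit as a triage lead rather than a verdict: some legitimate installers ship redistributable DLLs with system-like names in their own folder. In practice you would narrow the results further by excluding trusted installation roots, checking the Authenticode signature of the flagged DLL, and looking for a subsequent Cobalt Strike-style injection from the same process.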
“The StrikeShark campaign highlights the evolving threat landscape in which adversaries combine readily available attack tools with custom malware and advanced evasion techniques. The use of legitimate-looking lures and the exploitation of known vulnerabilities underscore the critical need for organizations to maintain rigorous patch management, robust endpoint detection and response, and comprehensive security awareness training for their employees,” comments Fareed Radzi, security researcher at Kaspersky GReAT.
Detailed information is available in the report on Securelist.com.
To stay protected, Kaspersky recommends:
- Keep all software up to date, prioritizing internet-facing applications such as Microsoft Exchange, Microsoft SharePoint and Openfire servers, to patch known vulnerabilities.
- Use proven security solutions to detect and block malware droppers.
- Train staff to increase cybersecurity awareness.
- Secure corporate devices with a comprehensive system that detects and blocks attacks in the early stages.
- Stay ahead of complex threats with clear, actionable intelligence. Detect emerging attacks earlier and make better security decisions with access to one of the world’s largest cybersecurity knowledge bases.
About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.