Kaspersky's Global Research and Analysis Team (GReAT) has announced the discovery of a new, sophisticated malicious campaign, StrikeShark. The attackers targeted multiple organisations worldwide, including diplomatic entities in Indonesia, government agencies in Taiwan, software development companies and other organisations in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal and Serbia. The campaign relies on a previously undocumented malware loader, SharkLoader, to infiltrate targeted systems. Kaspersky does not attribute StrikeShark to any known APT group at this time and continues to track its activity.
Initial access varied across victims. In some cases the attackers exploited vulnerabilities in Internet-facing applications such as Microsoft Exchange, Microsoft SharePoint and Openfire servers. In others, they delivered malicious droppers disguised as legitimate software, including Google Update and Cisco AnyConnect installers. Some of the analysed dropper samples used PDF documents as lures to trick victims into installing the malware without realising it.
SharkLoader is a multi-stage loader built around evasion. After the initial infection, it uses DLL side-loading: a legitimate Windows application is abused to load a malicious DLL, which in turn loads encrypted malicious modules. Those modules decrypt and load further components that install API hooks to evade detection mechanisms, and finally inject and execute a Cobalt Strike Beacon. Cobalt Strike is a commercial penetration-testing framework whose Beacon payload is frequently misused by threat actors for command and control, reconnaissance, lateral movement and data exfiltration within compromised systems.
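The side-loading step described above is the part of the chain a defender can most readily hunt for, because it leaves a distinctive trace: a process loading an unsigned DLL from its own directory, often under the name of a DLL that normally lives in System32. The script below is an added example, not code from Kaspersky's report, that applies that generic heuristic to Sysmon Event ID 7 (ImageLoaded) records exported as JSON lines. The sample events, the file paths in them, and the short list of commonly side-loaded System32 DLL names are constructed for this example; in Sysmon Event ID 7 the Signed and SignatureStatus fields describe the loaded DLL, not the host process.

```python
"""Flag candidate DLL side-loading in Sysmon Event ID 7 (ImageLoaded) records.

Generic heuristic (an assumption of this example, not Kaspersky's detection logic):
  - the loaded DLL is unsigned or its signature does not validate, and
  - it is not loaded from a Windows system directory, and either
  - it sits in the same directory as the process that loaded it, or
  - its file name collides with a DLL that normally lives in System32.
"""
import json
from pathlib import PureWindowsPath

# Directories where Windows' own DLLs legitimately live (lower-case, no trailing slash).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System32 DLL names that many applications import by name and that are therefore
# popular side-loading targets. Illustrative list for this example, not exhaustive.
SYSTEM_DLL_NAMES = {
    "version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    d = _parent(path)
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def classify(event: dict) -> list:
    """Return the reasons an Event ID 7 record looks like side-loading (empty if none).

    Uses the Sysmon fields Image (the process), ImageLoaded (the DLL) and
    Signed/SignatureStatus, which in Event ID 7 describe the loaded DLL.
    """
    if event.get("EventID") != 7:
        return []
    proc, dll = event["Image"], event["ImageLoaded"]
    dll_trusted = (str(event.get("Signed", "")).lower() == "true"
                   and event.get("SignatureStatus") == "Valid")
    # A validly signed DLL, or one loaded from a system directory, is out of scope here.
    if dll_trusted or _in_system_dir(dll):
        return []
    reasons = []
    if _parent(dll) == _parent(proc):
        reasons.append("unsigned DLL loaded from the process's own directory")
    if _name(dll) in SYSTEM_DLL_NAMES:
        reasons.append(f"{_name(dll)} is a System32 DLL name but was loaded from {_parent(dll)}")
    return reasons


def scan(lines) -> list:
    """Parse JSON-lines Sysmon events; return (process, dll, reasons) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


# Constructed sample events for this example (paths and names are made up).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Acme\\acme.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\Public\\Update\\GoogleUpdate.exe", "ImageLoaded": "C:\\Users\\Public\\Update\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Program Files\\Acme\\acme.exe", "ImageLoaded": "C:\\Program Files\\Acme\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Update\\GoogleUpdate.exe", "CommandLine": "GoogleUpdate.exe /silent"}
"""

if __name__ == "__main__":
    for proc, dll, reasons in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{proc} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

On the sample data the second event is flagged for both reasons (an unsigned version.dll beside a GoogleUpdate.exe in a user-writable directory), while the third is flagged only because an unsigned plugin.dll sits beside its host. That second kind of hit is the noisy one: vendors ship unsigned helper DLLs next to their executables all the time, so in practice the name collision with a System32 DLL, or a host binary that normally lives somewhere else, is the signal worth escalating, and the same-directory rule alone belongs in a lower-priority tier or behind an allowlist of known software.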
“The StrikeShark campaign highlights the evolving threat landscape in which adversaries combine readily available attack tools with custom malware and advanced evasion techniques. The use of legitimate-looking lures and the exploitation of known vulnerabilities underscore the critical need for organisations to maintain rigorous patch management, robust endpoint detection and response, and comprehensive security awareness training for their employees,” comments Fareed Radzi, security researcher at Kaspersky GReAT.
To stay protected, Kaspersky recommends:
- Implement regular software updates to all applications to patch known vulnerabilities.
- Use proven security solutions to detect and block malware droppers.
- Train staff to increase cybersecurity awareness.
- Secure corporate devices with a comprehensive system that detects and blocks attacks in the early stages.
- Stay ahead of complex threats with clear, actionable intelligence. Detect emerging attacks earlier and make better security decisions with access to one of the world’s largest cybersecurity knowledge bases.
Detailed information is available in the report on Securelist.com.