Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection



A piece of malware designed to load Cobalt Strike beacons onto victim machines has been traced back to both Chinese and Russian threat actors.

SILKLOADER Malware

Finnish security vendor WithSecure claimed in a new report that it detected “SilkLoader” in several human-operated intrusions that were likely the precursor to a ransomware attack.

The malware uses DLL sideloading to load the beacons. Beacons are commonly used in such attacks as part of the command-and-control (C2) infrastructure and to download additional payloads onto targeted machines.

It appears to have been built specifically to obscure Cobalt Strike beacons, a capability whose value WithSecure researcher Mohammad Kazem Hassan Najad, who worked on the research alongside colleagues Bert Steppé and Neeraj Singh, explained.

The tool itself is just the latest example of threat actors innovating to stay one step ahead of network defenders. In the case of Cobalt Strike, the tool is so well known that defensive measures will usually detect and contain the threat.

“Cobalt Strike beacons are very well known and detections against them on a well-protected machine are all but guaranteed,” he said. “However, by adding additional layers of complexity to the file content and launching it through a known application such as VLC Media Player via sideloading, the attackers hope to evade these defence mechanisms.”
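As an added example that is not from WithSecure's report or this article: a small triage routine over constructed image-load events (the kind Sysmon Event ID 7 produces) that flags libvlc.dll being loaded from outside the VLC install directory, from a user-writable path, or without the expected publisher signature, which is the telemetry footprint the VLC sideloading described above leaves. The install directories, publisher name and event fields are assumptions to adjust for your own estate.

```python
import ntpath
from dataclasses import dataclass

# Directories where a genuine VLC install keeps libvlc.dll (assumed defaults).
EXPECTED_DIRS = {r"c:\program files\videolan\vlc", r"c:\program files (x86)\videolan\vlc"}
# Path fragments that indicate a user-writable location where a dropper can stage files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
EXPECTED_SIGNER = "videolan"  # assumed publisher name; compare against your own telemetry

@dataclass
class ImageLoad:
    """One image-load event, e.g. from Sysmon Event ID 7 (field names are constructed)."""
    process_image: str   # full path of the loading process
    loaded_image: str    # full path of the DLL being mapped
    signed: bool         # signature status as reported by the sensor
    signer: str          # publisher / subject name, empty if unsigned

def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why this event looks like libvlc.dll sideloading; empty if it does not."""
    if ntpath.basename(ev.loaded_image).lower() != "libvlc.dll":
        return []
    dll_dir = ntpath.dirname(ev.loaded_image).lower()
    host_dir = ntpath.dirname(ev.process_image).lower()
    reasons = []
    if dll_dir not in EXPECTED_DIRS:
        reasons.append("libvlc.dll loaded from outside the VLC install directory")
    if any(frag in ev.loaded_image.lower() for frag in USER_WRITABLE):
        reasons.append("DLL resides in a user-writable location")
    if not ev.signed or ev.signer.lower() != EXPECTED_SIGNER:
        reasons.append("DLL is not signed by the expected publisher")
    if dll_dir not in EXPECTED_DIRS and dll_dir == host_dir:
        reasons.append("host vlc.exe was copied next to the DLL (sideloading layout)")
    return reasons

def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its reasons, skipping clean events."""
    return {ev.loaded_image: r for ev in events if (r := sideload_reasons(ev))}

# Constructed sample events: a genuine VLC load, a sideload staged under %TEMP%, an unrelated load.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", True, "VideoLAN"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\vlc.exe",
              r"C:\Users\alice\AppData\Local\Temp\upd\libvlc.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rpcss.dll", True, "Microsoft Windows"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns only the %TEMP% copy of libvlc.dll with all four reasons; the genuine VLC load and the unrelated svchost load produce nothing.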

Indicators of Compromise


About the Author:

FirstHackersNews- Identifies Security
