Deceptive Installers Open the Door
Security researchers have identified a new malware campaign that uses fake installers for popular software such as Cisco AnyConnect and Google Update. The attackers behind the operation, tracked as StrikeShark, package a sophisticated loader called SharkLoader inside these convincing forgeries. When victims download and run what they believe is a legitimate update, they unwittingly execute the malicious code. The loader then abuses a common technique called DLL side-loading, often hijacking a genuine Windows program named SystemSettings.exe to load a harmful DLL without triggering alarms.
Evasion and Network Compromise
SharkLoader is designed to operate almost entirely in memory, decrypting and running its payload while leaving few traces for traditional antivirus tools. It hooks Windows API calls and redirects them to raw system calls generated on the fly to avoid detection. The malware also tampers with Windows event logging and spoofs parent process IDs to blend into normal system activity. Once established, the operators deploy Cobalt Strike Beacon for lateral movement and conduct reconnaissance, credential theft, and extraction of Active Directory databases.
Global Targeting and Mitigation
Confirmed victims include government agencies, diplomatic missions, and software firms across a wide range of countries, including Indonesia, Taiwan, Hong Kong, Lebanon, Syria, Colombia, and Serbia. The broad geographic spread suggests the attackers are casting a wide net rather than focusing on a single target, though the concentration on government networks raises questions about intelligence gathering. Researchers recommend that organizations prioritize patching internet-facing applications and network appliances, as exploitation of known vulnerabilities remains the primary entry method. Security teams should also monitor for unusual DLL side-loading behavior and signs of in-memory execution.
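The two monitoring recommendations above (unusual DLL side-loading and parent-process spoofing) can be turned into a simple detection heuristic. The script below is an added example, not code from the article or from the researchers it cites. It runs over constructed Sysmon-style image-load and process-creation records; the `creator_pid` field (the process that actually called CreateProcess, as opposed to the parent recorded in the PEB) is an assumed sensor capability, the `SIDELOAD_HOSTS` watch list is an assumption seeded only with the SystemSettings.exe host named in the article, and all file paths and PIDs in `SAMPLE_EVENTS` are constructed.

```python
"""Heuristic detection of DLL side-loading and parent-PID spoofing.

Added example (not from the original article). Two checks are applied:
  1. A known side-loading host (SystemSettings.exe) either runs from outside
     System32/SysWOW64, or loads an unsigned DLL from a non-system directory.
  2. A process records a parent PID that differs from the PID of the process
     the sensor saw create it (parent-PID spoofing).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows normally maps its own DLLs (assumption; add
# WinSxS or other locations as needed for the environment).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Signed Windows binaries to watch as side-loading hosts. Seeded with the one
# the article names; extend with other hosts seen in the environment.
SIDELOAD_HOSTS = {"systemsettings.exe"}


@dataclass
class ImageLoad:
    """Sysmon Event ID 7 style record: a DLL mapped into a process."""
    pid: int
    image: str      # executable of the loading process
    loaded: str     # full path of the DLL that was mapped
    signed: bool    # DLL signature status as reported by the sensor


@dataclass
class ProcessCreate:
    """Sysmon Event ID 1 style record plus an assumed creator_pid field."""
    pid: int
    image: str
    parent_pid: int    # parent as recorded for the process (what it claims)
    creator_pid: int   # process that actually spawned it (sensor-observed)


def _under(path: str, dirs) -> bool:
    """True if `path` lies beneath any directory in `dirs` (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in dirs)


def check_image_load(ev: ImageLoad):
    """Return a finding string for a suspicious image load, else None."""
    host = PureWindowsPath(ev.image).name.lower()
    if host not in SIDELOAD_HOSTS:
        return None
    # The genuine host lives in System32; a copy placed next to a rogue DLL in
    # a user-writable folder is the classic side-loading layout.
    if not _under(ev.image, SYSTEM_DLL_DIRS):
        return f"pid {ev.pid}: {host} running outside System32 ({ev.image})"
    # Even a correctly located host should not pull unsigned code from elsewhere.
    if not _under(ev.loaded, SYSTEM_DLL_DIRS) and not ev.signed:
        return (f"pid {ev.pid}: {host} loaded unsigned DLL "
                f"from non-system path ({ev.loaded})")
    return None


def check_process_create(ev: ProcessCreate):
    """Return a finding string when the claimed parent is not the real creator."""
    if ev.parent_pid != ev.creator_pid:
        return (f"pid {ev.pid}: claims parent {ev.parent_pid} but was created "
                f"by {ev.creator_pid} (PPID spoofing)")
    return None


def scan(events):
    """Apply the matching check to each event and collect the findings."""
    findings = []
    for ev in events:
        f = (check_image_load(ev) if isinstance(ev, ImageLoad)
             else check_process_create(ev))
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: one benign load, two side-loading patterns,
# one spoofed parent and one normal process creation.
SAMPLE_EVENTS = [
    ImageLoad(4120, r"C:\Windows\System32\SystemSettings.exe",
              r"C:\Windows\System32\combase.dll", signed=True),
    ImageLoad(5230, r"C:\Users\Public\Update\SystemSettings.exe",
              r"C:\Users\Public\Update\payload.dll", signed=False),
    ImageLoad(6010, r"C:\Windows\System32\SystemSettings.exe",
              r"C:\ProgramData\Update\helper.dll", signed=False),
    ProcessCreate(7001, r"C:\Windows\System32\cmd.exe",
                  parent_pid=1234, creator_pid=5230),
    ProcessCreate(7002, r"C:\Windows\System32\notepad.exe",
                  parent_pid=1234, creator_pid=1234),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The path comparison uses `PureWindowsPath`, which normalises separators and compares case-insensitively, so `C:/Windows/System32` and `c:\windows\system32` match; in production the signature check should come from the sensor's own verification rather than a boolean supplied by the event source.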
Source: Cyber Security News
