Kaspersky has uncovered a new attack campaign they’re calling StrikeShark, built around a previously unknown malware family dubbed SharkLoader. Its job is simple: get Cobalt Strike Beacon running on compromised hosts.
The targeting is broad. A diplomatic organization in Indonesia. Government bodies in Taiwan. Software companies across multiple countries. Entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. This isn’t a narrow operation — it’s casting a wide net.
StrikeShark doesn’t map cleanly to any known threat actor, but the use of open-source tools like FScan and Pillager — commonly seen in Chinese-speaking developer communities — suggests the operator is likely Chinese-speaking.
The initial access paths are a buffet of known vulnerabilities. The attackers hit the Indonesian diplomatic target through Exchange Server’s ProxyLogon (CVE-2021-26855). Taiwanese software developers were hit via an Openfire path traversal bug (CVE-2023-32315). A Colombian organization was compromised through a critical GeoServer RCE (CVE-2024-36401).
They also weaponized CVEs in Apache Shiro, Hikvision, Microsoft SharePoint, Zimbra, Microsoft Exchange (ProxyNotShell), F5 BIG-IP, Fortinet FortiOS, React Server Components, and Cisco IOS XE Web UI. That’s opportunistic exploitation at scale, likely using publicly available PoC exploits from GitHub.
Once inside, the attackers deploy web shells and trigger a DLL side-loading chain using SystemSettings.exe to deliver SharkLoader. A second distribution method uses custom droppers disguised as legitimate software — Google Update, Cisco AnyConnect — or decoy PDF documents.
SharkLoader uses a technique called Perfect DLL Hijacking to bypass Windows Loader Lock. It decrypts and loads a component called DscCoreR.mui, which decompresses and loads Cobalt Strike in a suspended thread. Two additional components — SyncRes.dat and a MinHook DLL — install API hooks to evade memory scanning.
Post-compromise, the campaign involves Active Directory enumeration, credential theft targeting LSASS and the NTDS database, and lateral movement. Persistence comes through Registry Run keys and scheduled tasks.
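The two host-side behaviours described above, the SystemSettings.exe side-loading chain and the Run key / scheduled task persistence, are the parts of this campaign a defender can hunt for in ordinary endpoint telemetry. The script below is an added example, not code from Kaspersky's report: it runs three checks over a handful of constructed event records laid out like Sysmon ImageLoad (ID 7) and RegistryEvent (ID 13) events plus a simplified scheduled-task-created (4698) record. Every path, SID, DLL name and task name in the sample data is invented, and the expected install directory of SystemSettings.exe is an assumption noted in the code.

```python
"""Triage of endpoint events for StrikeShark-style side-loading and persistence.

Constructed example: the EVENTS list is hand-written in the shape of Sysmon
(ID 7, ID 13) and Windows Security (4698) events. Field names follow those
sources, the values are placeholders; 4698's XML body is flattened to a
single "Command" field for brevity.
"""
import re
from pathlib import PureWindowsPath

# Assumption: on a stock install the genuine SystemSettings.exe lives here.
# The same binary running from any other directory is the classic side-load
# setup (copy the signed EXE next to an attacker-supplied DLL).
EXPECTED_SYSTEMSETTINGS_DIR = PureWindowsPath(r"C:\Windows\ImmersiveControlPanel")

# Path fragments for locations a low-privileged process (e.g. a web shell
# running as the web server's service account) can normally write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\inetpub\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable markers."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_sideload(ev: dict):
    """ID 7: SystemSettings.exe out of place, or pulling an unsigned DLL."""
    if ev.get("EventID") != 7:
        return None
    image = PureWindowsPath(ev["Image"])
    if image.name.lower() != "systemsettings.exe":
        return None
    reasons = []
    if image.parent != EXPECTED_SYSTEMSETTINGS_DIR:      # case-insensitive on Windows paths
        reasons.append("SystemSettings.exe outside its expected directory")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL")
    if in_user_writable(ev["ImageLoaded"]):
        reasons.append("DLL loaded from user-writable path")
    if not reasons:
        return None
    return {"rule": "dll_sideload", "image": str(image),
            "loaded": ev["ImageLoaded"], "reasons": reasons}


def check_run_key(ev: dict):
    """ID 13: a Run/RunOnce value whose target (or writer) is user-writable."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if in_user_writable(ev.get("Details", "")) or in_user_writable(ev.get("Image", "")):
        return {"rule": "run_key_persistence", "key": ev["TargetObject"],
                "value": ev["Details"], "writer": ev["Image"]}
    return None


def check_task(ev: dict):
    """4698: a new scheduled task whose action launches from a user-writable path."""
    if ev.get("EventID") != 4698 or not in_user_writable(ev.get("Command", "")):
        return None
    return {"rule": "scheduled_task_persistence", "task": ev["TaskName"],
            "command": ev["Command"]}


def analyze(events):
    """Run every check over every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for rule in (check_sideload, check_run_key, check_task):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (all names and paths are placeholders).
EVENTS = [
    # Benign: SystemSettings.exe in its normal home loading a System32 DLL.
    {"EventID": 7, "Image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Side-load pattern: copied EXE in a web-writable folder, unsigned DLL beside it.
    {"EventID": 7, "Image": r"C:\inetpub\wwwroot\tmp\SystemSettings.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\tmp\EXAMPLE_SIDELOAD.dll", "Signed": "false"},
    # Run-key persistence written by that process, pointing into ProgramData.
    {"EventID": 13, "Image": r"C:\inetpub\wwwroot\tmp\SystemSettings.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\GoogleUpdate\GoogleUpdate.exe"},
    # Benign Run-key write by an installer under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # Scheduled task whose action runs from the Public profile.
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Example\SyncTask",
     "Command": r"C:\Users\Public\anyconnect.exe"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run as-is it prints three findings (the side-load, the Run key, the task) and stays silent on the two benign records. In production the same three checks would be fed from a SIEM query rather than a list literal, and the user-writable markers and expected directory tuned to the estate; the point is that each behaviour the report names has a cheap, specific telemetry signature.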
References
- Kaspersky Securelist: StrikeShark campaign technical analysis
- CVE-2021-26855 (ProxyLogon)
- CVE-2023-32315 (Openfire Path Traversal)
- CVE-2024-36401 (GeoServer RCE)
- CVE-2016-4437 (Apache Shiro)
- CVE-2021-36260 (Hikvision)
- CVE-2022-41082 (ProxyNotShell)
- CVE-2023-46747 (F5 BIG-IP)
- CVE-2024-21762 (FortiOS)
- CVE-2023-20198 (Cisco IOS XE)
