
Novel SharkLoader dropper used in state-backed attacks on governments, devs

Summary

– Kaspersky researchers discovered a global cyberattack campaign named StrikeShark, which uses a new dropper called SharkLoader.
– Attackers gain initial access by exploiting known vulnerabilities in software from Microsoft, Fortinet, Cisco, and others, or by tricking users with malware disguised as legitimate software.
– Once inside, SharkLoader installs a Cobalt Strike beacon for remote access, followed by extensive credential theft from Windows memory and Active Directory.
– The campaign has targeted government organizations in Taiwan and software development companies across multiple countries, including Hong Kong, Lebanon, and Colombia.
– Researchers assess the objective may be cyber-espionage or opportunistic targeting, but no data exfiltration has been confirmed, and no direct links to known hacking groups were found.

Kaspersky researchers have identified a previously undocumented cyberattack campaign targeting government agencies and software development firms across several nations.

The investigation began when analysts examined a breach at a diplomatic mission in Indonesia. What first appeared to be an isolated incident turned out to be part of a broader global operation, which the researchers have named StrikeShark. The campaign relies on a custom-built tool called SharkLoader, a dropper that had not been seen in the wild before.

Initial access is achieved through two primary methods: exploiting known vulnerabilities in public-facing applications or tricking users into executing malicious files disguised as legitimate software. The exploited flaws span a wide range of products, including those from Microsoft (SharePoint, Exchange Server), Fortinet (FortiOS), Cisco (IOS XE), F5 (BIG-IP), Zimbra, Apache (Shiro), and Hikvision. Some of these vulnerabilities date back to 2016.

All of the vulnerabilities used have publicly available proof-of-concept exploit code, indicating that the attackers are relying on existing offensive resources rather than developing their own. While Kaspersky could not determine exactly how the SharkLoader dropper reached employees, they observed it being disguised as a Cisco AnyConnect VPN installer and a Google Update utility. Some droppers also displayed convincing decoy PDF documents, including one that appeared to be a technical document about liquid rocket engine design and another related to a biological treatment process.

Once SharkLoader is deployed, it installs a Cobalt Strike beacon, a commercial penetration-testing tool commonly used for maintaining remote access and lateral movement within networks. The threat actor then conducts extensive reconnaissance and credential theft, including dumping credentials from Windows memory and from Active Directory. With those credentials, the attackers can potentially move freely through a victim’s entire network.

The malware itself is designed to remain hidden. It disguises its components as ordinary Windows system files, abuses a legitimate Windows application to load itself, and goes to great lengths to disable the security logging that defenders rely on to detect intrusions.
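The two behaviours just described, credential dumping from Windows memory and the disabling of security logging, both leave traces in standard Windows telemetry before the logging is actually gone. The following detection logic is an added example, not code from Kaspersky or from the article; it runs a small rule set over event records and flags audit-policy reductions, cleared logs, a stopped Event Log service, and non-allowlisted processes opening LSASS. The event IDs (Security 4719 and 1102, System 7036 and 104, Sysmon 10) are the real Windows and Sysmon ones; the sample records, the flattened record shape, and the LSASS allowlist are constructed for the example and are not indicators from the campaign.

```python
"""Flag Windows event records that suggest logging tampering or LSASS access.

The records below are constructed sample data (not StrikeShark telemetry),
flattened into dicts the way a SIEM export or a winlogbeat pipeline might
present them. Event IDs are the real Windows / Sysmon ones.
"""
from typing import Optional

# Constructed sample records: one benign logon, then a plausible sequence of
# audit policy reduction, log clearing, service stop, and LSASS access.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "ws01",
     "data": {"LogonType": "10", "TargetUserName": "jdoe"}},
    {"channel": "Security", "event_id": 4719, "host": "ws01",
     "data": {"SubcategoryGuid": "{0CCE9211-69AE-11D9-BED3-505054503030}",
              "AuditPolicyChanges": "Success removed, Failure removed"}},
    {"channel": "Security", "event_id": 1102, "host": "ws01",
     "data": {"SubjectUserName": "jdoe"}},
    {"channel": "System", "event_id": 7036, "host": "ws01",
     "data": {"param1": "Windows Event Log", "param2": "stopped"}},
    {"channel": "System", "event_id": 104, "host": "ws01",
     "data": {"Channel": "System"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10, "host": "ws01",
     "data": {"SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe",
              "TargetImage": "C:\\Windows\\System32\\lsass.exe",
              "GrantedAccess": "0x1010"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 10, "host": "ws01",
     "data": {"SourceImage": "C:\\Windows\\System32\\MsMpEng.exe",
              "TargetImage": "C:\\Windows\\System32\\lsass.exe",
              "GrantedAccess": "0x1000"}},
]

# Hypothetical allowlist of processes expected to open LSASS on a managed host.
# Illustrative only: real tuning comes from the environment's own baseline.
LSASS_ACCESS_ALLOWLIST = {
    "c:\\windows\\system32\\msmpeng.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
}


def _audit_policy_reduced(e: dict) -> Optional[str]:
    # 4719 also fires when auditing is *added*; only a removal is suspicious.
    changes = e["data"].get("AuditPolicyChanges", "")
    return f"audit policy reduced: {changes}" if "removed" in changes.lower() else None


def _security_log_cleared(e: dict) -> Optional[str]:
    return f"Security log cleared by {e['data'].get('SubjectUserName', '?')}"


def _eventlog_service_stopped(e: dict) -> Optional[str]:
    d = e["data"]
    if d.get("param1") == "Windows Event Log" and d.get("param2", "").lower() == "stopped":
        return "Windows Event Log service entered the stopped state"
    return None


def _system_log_cleared(e: dict) -> Optional[str]:
    return f"{e['data'].get('Channel', '?')} log cleared"


def _lsass_access(e: dict) -> Optional[str]:
    d = e["data"]
    target = d.get("TargetImage", "").lower()
    source = d.get("SourceImage", "").lower()
    if target.endswith("\\lsass.exe") and source not in LSASS_ACCESS_ALLOWLIST:
        return f"{source} opened lsass.exe (GrantedAccess {d.get('GrantedAccess', '?')})"
    return None


# (channel, event_id) -> (rule name, check function returning a detail string or None)
RULES = {
    ("Security", 4719): ("audit_policy_reduced", _audit_policy_reduced),
    ("Security", 1102): ("security_log_cleared", _security_log_cleared),
    ("System", 7036): ("eventlog_service_stopped", _eventlog_service_stopped),
    ("System", 104): ("system_log_cleared", _system_log_cleared),
    ("Microsoft-Windows-Sysmon/Operational", 10): ("lsass_access", _lsass_access),
}

LOGGING_TAMPER_RULES = {"audit_policy_reduced", "security_log_cleared",
                        "eventlog_service_stopped", "system_log_cleared"}


def scan(events):
    """Return one finding per event that matches a rule, in input order."""
    findings = []
    for e in events:
        rule = RULES.get((e["channel"], e["event_id"]))
        if rule is None:
            continue
        name, check = rule
        detail = check(e)
        if detail:
            findings.append({"rule": name, "host": e["host"], "detail": detail})
    return findings


def hosts_with_logging_tamper(findings, min_distinct=2):
    """Hosts where at least `min_distinct` different logging-tamper rules fired.
    A single cleared log can be routine admin work; a policy reduction followed
    by a cleared log or a stopped service rarely is."""
    seen = {}
    for f in findings:
        if f["rule"] in LOGGING_TAMPER_RULES:
            seen.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, rules in seen.items() if len(rules) >= min_distinct}


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
    print("hosts with logging tamper:", hosts_with_logging_tamper(results))
```

Because an attacker who disables auditing also removes the evidence of later activity, the useful property here is ordering: the 4719 and 1102 events are usually the last things the host forwards, so these rules belong on a collector that receives events in near real time rather than in a batch job over logs that may already have been cleared.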

The campaign has hit government organizations in Taiwan, software development companies across multiple countries, and various entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. Post-exploitation tools used in the campaign were developed by Chinese-speaking developers on GitHub, but that is not a strong indicator that the attackers themselves are Chinese-speaking.

“Targeting of government and software development organizations may indicate a cyber-espionage objective, although our confidence remains low due to the limited post-compromise activity observed, which primarily consisted of credential access, system reconnaissance, and lateral movement,” Kaspersky researchers noted. “At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems. The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.”

The researchers were unable to establish direct links to any known hacking group.

(Source: Help Net Security)
