Researchers at Palo Alto Networks Unit 42 described three new Cobalt Strike loaders, each of which loads a different type of implant: an SMB Beacon, a DLL Beacon, and a Cobalt Strike stager.
SMB Beacon (KoboldLoader)
To evade sandboxes that only hook high-level user-mode functions, it calls native API functions directly. To complicate analysis, it resolves the functions it uses by hash rather than by plain-text name.
KoboldLoader spawns a child process of the Windows "sethc.exe" tool, then creates a new section and maps the decrypted Cobalt Strike Beacon loader into it. The Cobalt Strike loader is finally executed by calling "RtlCreateUserThread".
DLL Beacon (MagnetLoader)
MagnetLoader impersonates a legitimate Windows library. All of MagnetLoader's exported functions call the same main malware routine. When any of them is called, the DLL entry point runs; there the malware loads the original "mscms.dll" library and resolves all of the fake (proxied) functions.
The Cobalt Strike Beacon loader is decrypted into a memory buffer and started through the callback parameter of the Windows API "EnumChildWindows". Malware can abuse this parameter to call an address indirectly through the callback and hide the execution flow.
Stager (LithiumLoader)
LithiumLoader is distributed inside a legitimate FortiClient VPN installer package that was crafted by the attacker and appears on VirusTotal as FortiClientVPN_Windows.exe. Because the file is signed, antivirus software does not detect it.
The installer is a self-extracting RAR archive containing the following files:
When the installer is launched, all files are automatically dropped into the local "%AppData%" folder and both executables are started. While the FortiClient VPN installer runs, the WinGup tool additionally loads the malicious libcurl.dll library, which imports some functions from a legitimate copy of libcurl.
When the LithiumLoader library was compiled, malicious code was injected into one of the functions of the legitimate library. That function then launches the Cobalt Strike stager shellcode indirectly through the EnumSystemGeoID callback function. The Cobalt Strike stager shellcode is borrowed from Metasploit and is a reverse HTTP shell payload.
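KoboldLoader resolves APIs by hash and the stager shellcode is borrowed from Metasploit, so an analyst triaging such a sample usually has to map 32-bit hash constants back to API names. The following resolver is an added example written for this page (not code from Unit 42 or from the loaders) and assumes the Metasploit block_api scheme, which the article does not name: ROR13 over the upper-cased UTF-16LE module name and the ASCII function name, each with its NUL terminator, summed modulo 2^32. The candidate list and sample constants are constructed.

```python
"""Resolve API-name hashes of the kind used by Metasploit-derived stagers.

Assumption (not stated in the article): the loader uses Metasploit's
block_api hashing (ROR13). Any other scheme needs its own hash function.
"""


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    return ((value >> 13) | (value << 19)) & 0xFFFFFFFF


def ror13_hash(data: bytes) -> int:
    """Accumulate h = ror13(h) + byte over every byte, including the NUL."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """block_api hash: hash(MODULE as UTF-16LE + NUL) + hash(function + NUL)."""
    mod = ror13_hash(module.upper().encode("utf-16le") + b"\x00\x00")
    fn = ror13_hash(function.encode("ascii") + b"\x00")
    return (mod + fn) & 0xFFFFFFFF


def build_table(candidates):
    """Precompute a reverse lookup: hash value -> (module, function)."""
    return {api_hash(m, f): (m, f) for m, f in candidates}


def resolve(constants, table):
    """Map constants pulled from a sample to API names; unknowns map to None."""
    return {c: table.get(c) for c in constants}


# Constructed candidate list: APIs named in the article plus common stager imports.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("user32.dll", "EnumChildWindows"),
    ("kernel32.dll", "EnumSystemGeoID"),
    ("ntdll.dll", "RtlCreateUserThread"),
]
# Constructed sample: constants as they might be read out of a disassembly.
SAMPLE_CONSTANTS = [0x0726774C, api_hash("ntdll.dll", "RtlCreateUserThread"), 0xDEADBEEF]

if __name__ == "__main__":
    for value, name in resolve(SAMPLE_CONSTANTS, build_table(CANDIDATES)).items():
        print(f"0x{value:08X} -> {name}")
```

Extend CANDIDATES with the export lists of the DLLs a sample is expected to touch; a constant that stays None is either a different hash scheme or a module not yet in the table.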