Securelist
StrikeShark Campaign Unleashes SharkLoader Malware to Deploy Cobalt Strike
A newly discovered malware family named SharkLoader has been identified as part of a campaign called StrikeShark, targeting a diplomatic organization in Indonesia. SharkLoader acts as a loader to deploy Cobalt Strike Beacon on compromised systems. The campaign has expanded to affect multiple countries, including Taiwan, Colombia, and several others across various sectors. Attack methods include exploiting vulnerabilities in internet-facing applications such as Microsoft Exchange (CVE-2021-26855) and Openfire (CVE-2023-32315). The threat actor's tactics involve both exploitation of known vulnerabilities and the use of custom dropper samples. Attribution to a specific threat actor remains uncertain, although the tools used suggest a connection to Chinese-speaking developers. The campaign's objectives are still under investigation.
Key Points:
• SharkLoader malware is being used to deploy Cobalt Strike in a multi-country campaign.
• Exploitation of CVE-2021-26855 and CVE-2023-32315 has been observed in attacks.
• The campaign targets diverse sectors, including government and software development organizations.