{"id":10439,"date":"2023-03-16T16:22:00","date_gmt":"2023-03-16T16:22:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/silkloader\/"},"modified":"2023-03-16T16:22:00","modified_gmt":"2023-03-16T16:22:00","slug":"silkloader","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/w-labs\/silkloader\/","title":{"rendered":"Silkloader"},"content":{"rendered":"\n
\n

\n SILKLOADER : Journey of a Cobalt Strike beacon loader along the silk road<\/span><\/h1> <\/div>\n<\/section>\n\n\n\n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \"\" <\/div>\n
\n

Mohammad Kazem Hassan Nejad<\/h3>\n \n

\n Senior Threat Intelligence Researcher, WithSecure <\/p>\n \n <\/div>\n\n<\/div>\n\n

\n
\n \n \n <\/path>\n <\/path>\n <\/svg>\n <\/span>\n <\/div>\n
\n

Bert Stepp\u00e9<\/h3>\n \n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n
\n \n \u3059\u3079\u3066\u306e\u8457\u8005\u3092\u898b\u308b
\n
\n \n \n <\/path>\n <\/path>\n <\/svg>\n <\/span>\n <\/div>\n
\n

Neeraj Singh<\/h3>\n \n \n <\/div>\n\n<\/div>\n\n <\/div>\n <\/div>\n <\/div>\n
\n

\n Download report <\/p>\n \n

\n
\n \n Click here
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

Commercial and open-source command-and-control (C2) frameworks have become a staple in most adversary toolkits, with Cobalt Strike (CS) being one of the most popular. Such frameworks are often leveraged by threat actors to stage and conduct post-exploitation attacks in compromised client estates.<\/p>\n

The prevalence of Cobalt Strike usage in attacks has precipitated a drive towards the creation of improved detection capabilities against it. Conversely, adversaries have responded to this by implementing their own detection evasion strategies. The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques. While some threat actors rely on commercial crypters, others opt to develop their own custom crypters or take existing custom crypters into use.<\/p>\n

During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we\u2019re tracking as SILKLOADER. By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems.<\/p>\n

In this report we share technical analysis of SILKLOADER and highlight notable activity clusters where it was seen in our investigations.<\/p>\n<\/div>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n

\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

Commercial and open-source command-and-control (C2) frameworks have become a staple in most adversary toolkits, with Cobalt Strike (CS) being one of the most popular.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[314,315,316],"labs_content_type":[333,377],"class_list":["post-10439","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-software-protection","category-threat-intelligence"],"acf":[],"card":"

\n
\n \"\"

W\/\u30e9\u30dc<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Silkloader<\/h3>\n

Commercial and open-source command-and-control (C2) frameworks have become a staple in most adversary toolkits, with Cobalt Strike (CS) being one of the most popular.<\/p>\n

\n \u3082\u3063\u3068\u8aad\u3080<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item\/10439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/media?parent=10439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/categories?post=10439"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/jp-ja\/wp-json\/wp\/v2\/labs_content_type?post=10439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}