StrikeShark Campaign Delivers Cobalt Strike Through SharkLoader
Summary
StrikeShark is a newly identified threat campaign that uses a custom malware loader called SharkLoader to deliver Cobalt Strike Beacons. The operation relies on multiple initial access methods, including exploitation of internet-facing applications and dropper-based delivery. The malware also uses advanced evasion techniques such as DLL sideloading and API hooking to slip past security defenses.
Investigation
The investigation identified SharkLoader infections across several countries and industry sectors, including diplomatic entities and software development organizations. Researchers traced the full intrusion chain, from exploitation of flaws such as ProxyLogon to execution of the final Cobalt Strike payload. The study also described the technical use of “Perfect DLL Hijacking” and sophisticated API hooking designed to reduce detection.
Mitigation
Organizations should prioritize patching internet-facing systems, especially Microsoft Exchange, SharePoint, and exposed network appliances. Deploying strong endpoint detection and response capabilities can help uncover suspicious DLL sideloading and unauthorized scheduled task creation. Security teams should also monitor abnormal parent-child process relationships, such as svchost.exe launching unexpected processes.
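The monitoring points above (a system binary such as SystemSettings.exe running outside its install directory, svchost.exe launching unexpected children, NTDS export via ntdsutil, scheduled tasks created under SYSTEM), worked as a small rule set in Python. This is an added example, not code from the page or from the campaign report; the sample events, the assumed home directories of the system binaries and the list of suspicious svchost children are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # (Image, ParentImage, CommandLine, User)
    ("C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\explorer.exe",
     "SystemSettings.exe", "CORP\\alice"),                             # benign Settings app
    ("C:\\Users\\Public\\Libraries\\SystemSettings.exe", "C:\\Windows\\explorer.exe",
     "SystemSettings.exe", "CORP\\alice"),                             # sideload host copied elsewhere
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\svchost.exe",
     "cmd.exe /c whoami", "NT AUTHORITY\\SYSTEM"),                     # svchost spawning a shell
    ("C:\\Windows\\System32\\ntdsutil.exe", "C:\\Windows\\System32\\cmd.exe",
     'ntdsutil "ac i ntds" ifm "create full C:\\temp\\ifm" q q', "CORP\\admin"),  # NTDS IFM copy
    ("C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\System32\\cmd.exe",
     'schtasks /create /tn "OneDrive Standalone Update Task" /tr C:\\Users\\Public\\up.exe /sc minute',
     "NT AUTHORITY\\SYSTEM"),                                          # SYSTEM scheduled task
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\services.exe",
     "svchost.exe -k netsvcs", "NT AUTHORITY\\SYSTEM"),                # benign service host
]

# Directory each system binary is expected to run from (assumed, lower-case).
EXPECTED_DIR = {
    "systemsettings.exe": "c:\\windows\\immersivecontrolpanel",
    "svchost.exe": "c:\\windows\\system32",
}
# Child images that svchost.exe has no business launching (assumed watch-list).
SUSPICIOUS_SVCHOST_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}

def evaluate(event):
    """Return [(rule_name, reason), ...] for one process-creation event."""
    image, parent, cmdline, user = event
    directory, _, name = image.lower().rpartition("\\")
    parent_name = parent.lower().rpartition("\\")[2]
    hits = []
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:                 # system binary outside its home dir
        hits.append(("untypical_path", f"{name} executed from {directory}"))
    if parent_name == "svchost.exe" and name in SUSPICIOUS_SVCHOST_CHILDREN:
        hits.append(("svchost_child", f"svchost.exe spawned {name}"))
    if name == "ntdsutil.exe" and re.search(r"\bifm\b", cmdline, re.I):
        hits.append(("ntds_ifm", "ntdsutil IFM export copies NTDS.dit"))
    if name == "schtasks.exe" and "/create" in cmdline.lower() and user.upper().endswith("\\SYSTEM"):
        hits.append(("system_schtask", "scheduled task created under SYSTEM"))
    return hits

def scan(events):
    """Run every rule over a list of events; returns (index, rule, reason) triples."""
    return [(i, rule, why) for i, ev in enumerate(events) for rule, why in evaluate(ev)]
```

Only the four constructed malicious events fire; the genuine Settings app and the services.exe-spawned svchost.exe pass clean.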
Response
If this activity is detected, isolate affected systems immediately to stop further lateral movement and command-and-control traffic. Conduct a full forensic investigation to determine the initial access point and the overall scope of compromise. Reset credentials for all potentially affected accounts, particularly privileged users, and review Active Directory for unauthorized changes or newly assigned group memberships.
Attack Flow
```mermaid
flowchart TD
    step_initial_access["Initial Access: T1210 – Exploitation of Remote Services & T1204.002 – User Execution: Malicious File. Targets vulnerabilities in Exchange/Openfire/GeoServer or uses custom droppers like Cisco AnyConnect/Google Update."]
    step_execution["Execution: T1574.001 – Hijack Execution Flow: DLL. Employs DLL side-loading by abusing SystemSettings.exe to load malicious SystemSettings.dll."]
    rules_for_execution("<b>Rule Name</b>: System Processes Execution from Untypical Paths (via process_creation)<br/><b>Rule ID</b>: f1383796-38ff-4ac0-a88f-3dd365549c7e")
    step_persistence["Persistence: T1053 – Scheduled Task/Job & T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Creates tasks like 'OneDrive Standalone Update Task' and Registry Run keys."]
    step_stealth["Stealth: T1027 – Obfuscated Files or Information & T1685 – Defense Impairment. Uses Blowfish/AES and zlib to hide components; installs API hooks on ETW to evade logging."]
    step_discovery["Discovery: T1082 – System Information Discovery & T1087.002 – Account Discovery: Domain Account. Uses PowerShell to enumerate Active Directory users and groups."]
    step_credential_access["Credential Access: T1003.001 – OS Credential Dumping: LSASS Memory & T1003.003 – OS Credential Dumping: NTDS. Uses Procdump64.exe for LSASS and ntdsutil for IFM copies."]
    step_initial_access -->|leads_to| step_execution
    step_execution -.->|detected_by| rules_for_execution
    step_execution -->|enables| step_persistence
    step_persistence -->|leads_to| step_stealth
    step_stealth -->|then| step_discovery
    step_discovery -->|enables| step_credential_access
```
Detections
- Suspicious Ntdsutil Activity (via cmdline)
- Possible Users / Groups Enumeration Attempt (via powershell)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- Possible System Network Configuration Discovery (via cmdline)
- Possible System Enumeration (via cmdline)
- Possible Services Enumeration (via cmdline)
- Suspicious Scheduled Task Under System User (via cmdline)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- System Processes Execution from Untypical Paths (via process_creation)
- Network and System Information Enumeration by StrikeShark Campaign [Microsoft Windows Security Event Log]
- Detection of SharkLoader’s SystemSettings.exe Usage and Active Directory Enumeration [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands: The adversary aims to establish a foothold using the SharkLoader campaign’s signature methods. First, the attacker simulates the DLL sideloading byproduct by launching a renamed copy of a legitimate binary as SystemSettings.exe. Once the process is running, the attacker attempts to gain situational awareness by enumerating the domain environment. To mimic the observed TTP, the attacker uses PowerShell to query Active Directory for user and computer objects, which is a common step during the reconnaissance phase of a domain compromise.

Regression Test Script:
```powershell
# Simulation Script for SharkLoader & AD Enumeration Detection
Write-Host "[*] Starting Simulation..." -ForegroundColor Cyan

# 1. Simulate SharkLoader process execution via SystemSettings.exe.
#    A copy of notepad.exe renamed to SystemSettings.exe in a user-writable
#    directory stands in for the sideload host: the telemetry the rule expects
#    is a process named SystemSettings.exe running outside its normal install path.
$SimPath = Join-Path $env:TEMP "SystemSettings.exe"
Copy-Item "$env:WINDIR\System32\notepad.exe" -Destination $SimPath -Force
Start-Process -FilePath $SimPath -WindowStyle Hidden

# 2. Simulate malicious Active Directory enumeration
Write-Host "[*] Simulating AD Enumeration..." -ForegroundColor Yellow
# Standard RSAT cmdlets that the rule specifically looks for
Import-Module ActiveDirectory
Get-ADUser -Filter * | Select-Object -First 5
Get-ADComputer -Filter * | Select-Object -First 5
Get-ADGroup -Filter * | Select-Object -First 5

Write-Host "[+] Simulation Commands Executed." -ForegroundColor Green
```

Cleanup Commands:
```powershell
# Cleanup script to ensure no residual processes or files remain
$SimPath = Join-Path $env:TEMP "SystemSettings.exe"
# Stop only the renamed copy, not a genuine Settings app the user may have open
Get-Process -Name "SystemSettings" -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $SimPath } | Stop-Process -Force
Remove-Item $SimPath -Force -ErrorAction SilentlyContinue
Write-Host "[*] Cleanup Complete." -ForegroundColor Cyan
```