Colibri Loader Malware Detection: Unusual Persistence Using PowerShell

Karolina Koval
Latest posts by Karolina Koval (see all)
WRITTEN BY
Karolina Koval
[post-views]
April 07, 2022 · 4 min read
COLIBRI LOADER EXPLOITS POWERSHELL

A malware loader Colibri that appeared not so long time ago – in August 2021, has been recently discovered delivering Vidar payloads in a new ongoing Colibri Loader campaign. Researchers indicate that Colibri uses an unusual persistence technique that hasn’t been tracked until this time. Updated functionality motivates adversaries to keep selling their new malware creation to other cybercriminals who seek unconventional and hard-to-detect ways of establishing and maintaining persistence.

Continue reading to learn more about the path of Colibri Loader and discover our newest detection content crafted specifically for this latest malware version.

Colibri Loader Campaign: How to Detect

You can try to detect Colibri Loader malware with the help of our newest Sigma-based rule created by our Threat Bounty developer Kaan Yeniyol. This rule is specifically targeted at detecting the newest persistence method leveraged by threat actors and addressing the Scheduled Task/Job (T1053) technique from the MITRE ATT&CK® framework.

Suspicious Colibri Loader Persistence by PowerShell Creating Scheduled Task (via security)

To keep track of our newest detections regarding Colibri Loader and malware associated with likewise attacks, you can use features of our advanced search. Just click the button View Detections, log into your account, and customize your search criteria just the way you like it. And if you are an established professional in threat hunting and threat detection, you can contribute to our global crowdsourcing initiative and monetize by creating your own detection

View Detections Join Threat Bounty

Colibri Loader Malware Analysis

The initial version of Colibri Loader that was created last summer, was delivering an EXE file with a self-modifying code through trojanized files. In an ongoing campaign, the attack chain also starts with an infected Word document that launches the operation of a Colibri bot and establishes an unusual persistence tactic. Meanwhile, Vidar Stealer is responsible for the rest of the malicious mission on the victim’s computer.

Previous campaigns established a connection with the C2 server by downloading a corresponding payload /gate.php and then sending an HTTP GET request by calling the function HttpSendRequestW. In this new variant of the Colibri Loader payload, the attack starts by initiating a remote template injection. The infected document communicates with a remote server to download a DOT template that then contacts the malicious macro. The latter, in turn, enables PowerShell to download an EXE file that contains a final Colibri’s payload.

A thing about PowerShell exploit in this campaign is that it is being used in quite a unique way in order to maintain the persistence of the infected machine. It’s worth mentioning that Colibri Loader has different versions of its executables that allow persistence for different versions of Windows: one for 10 and 11, and another one for older versions (Windows 7 and 8). Locations for dropping these files also vary. Yet generally, those malicious files run masquerading as legitimate PowerShell’s cmdlets. For example, a malicious file called Get-Variable.exe dropped in the WindowsApps directory (native path for PowerShell execution) coincides with the similar Get-Variable cmdlet that is being normally used in PowerShell. As a result, malicious binary runs instead of normal command.

Researchers also noticed the execution of PowerShell in a hidden window which they believe to be a specific new feature of this latest vector of attack leveraged by Colibri. The fact that it is new and not sufficiently studied yet by security analytics facilitates the process of Colibri Loader gaining popularity in dark cyber markets. Continuously adjusting the cybersecurity defenses to outplay adversaries might seem challenging, yet it can become more efficient if reaping the benefits of collaborative defense. Join SOC Prime’s Detection as Code platform and gain instant access to the global pool of detection content that is being constantly updated to withstand the emerging threats.

 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

Forest Blizzard (aka Fancy Bear or APT28)
Blog, Latest Threats — 4 min read
Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America
Veronika Telychko
UAC-0133 (Sandworm) Reemerges
Blog, Latest Threats — 5 min read
UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine
Veronika Telychko
UAC-0149
Blog, Latest Threats — 3 min read
UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware
Daryna Olyniychuk