Chinese cyber crime tool believed to be acquired by Russian ransomware gangs

The cyber crime industry allows threat actors to share tradecraft with one another, driving growth in the number and capabilities of threats. A new report from WithSecure (formerly known as F-Secure business) illustrates this dynamic by documenting the migration of the “SILKLOADER” cyber attack tool from Chinese cyber criminals to Russian ransomware gangs.

WithSecure researchers first discovered SILKLOADER when it was used in an attack against a social welfare organisation in France. According to the report, it has been used in attacks since at least early 2022.

Before summer 2022, it was used exclusively by Chinese cyber criminals against targets in East Asia, predominantly Hong Kong and China. However, SILKLOADER activity ceased in July.

SILKLOADER was not seen again until September, when it reappeared in a different set of attacks against different targets in different countries, including Taiwan, Brazil and France.

WithSecure researchers concluded that SILKLOADER had moved to the Russian cyber crime ecosystem. The most likely explanation is that Chinese cyber criminals sold it to Russian counterparts.

"We believe SILKLOADER is currently distributed within the Russian cyber crime ecosystem as an off-the-shelf loader through a Packer-as-a-Service program to ransomware groups, or possibly via groups offering Cobalt Strike/Infrastructure-as-a-Service to trusted affiliates. We have usually seen it during hands-on intrusions in the early stages of what look like ransomware attacks,” said WithSecure Intelligence Researcher Mohammad Kazem Hassan Nejad. “Most of the affiliates appear to have been part of or have had close working relationships with the CONTI group, its members and offspring after its alleged shutdown.”

SILKLOADER, a type of malware called a loader, abuses a technique known as DLL side-loading using VLC Media Player to launch Cobalt Strike beacons on devices. These beacons give attackers ongoing access to infected devices for further use.

According to Hassan Nejad, the loader was built to obscure the Cobalt Strike beacons so that they can evade defence mechanisms on a victim’s machine.

"Cobalt Strike beacons are very well known and detections against them on a well-protected machine are all but guaranteed. However, by adding additional layers of complexity to the file content and launching it through a known application such as VLC Media Player via side-loading, the attackers hope to evade these defence mechanisms,” he said.

Confronting cyber crime services

According to WithSecure Intelligence Vice-President, Paolo Palumbo, the loader’s availability as a service that can be bought by different threat actors highlights the challenge in countering tradecraft available in the cyber crime industry.

“Attackers are using the cyber crime industry to acquire new capabilities and technologies so they can quickly adapt their operations for their targets’ defences. That makes it difficult for us to associate resources with a particular group or mode of operations. On the other hand, this sharing of infrastructure offers us a defensive force-multiplier through which we can defend against several groups at once by creating strategies to counter resources they share,” said Palumbo.

WithSecure Elements and WithSecure Countercept Managed Detection and Response have multiple detections for SILKLOADER and its related activity. More information on these solutions is available at https://www.withsecure.com/en/solutions.

An overview of SILKLOADER, including indicators of compromise, is available at https://labs.withsecure.com/publications/silkloader.