Chinese cyber crime tool believed to be acquired by Russian ransomware gangs
WithSecure report documenting the movement of SILKLOADER from China to Russia highlights implications of co-operation among threat actors.
The cyber crime industry allows threat actors to share tradecraft with one another, driving growth in the number and capabilities of threats. A new report from WithSecure (formerly known as F-Secure business) illustrates this dynamic by documenting the migration of the “SILKLOADER” cyber attack tool from Chinese cyber criminals to Russian ransomware gangs.
WithSecure researchers first discovered SILKLOADER when it was used in an attack against a social welfare organisation in France. According to the report, it has been used in attacks since at least early 2022.
Before summer 2022, it was used exclusively by Chinese cyber criminals against targets in East Asia, predominantly Hong Kong and China. However, SILKLOADER activity ceased in July.
SILKLOADER was not seen again until September, when it reappeared in a different set of attacks against different targets in different countries, including Taiwan, Brazil and France.
WithSecure researchers concluded that SILKLOADER had moved to the Russian cyber crime ecosystem. The most likely explanation is that Chinese cyber criminals sold it to Russian counterparts.
"We believe SILKLOADER is currently distributed within the Russian cyber crime ecosystem as an off-the-shelf loader through a Packer-as-a-Service program to ransomware groups, or possibly via groups offering Cobalt Strike/Infrastructure-as-a-Service to trusted affiliates. We have usually seen it during hands-on intrusions in the early stages of what look like ransomware attacks,” said WithSecure Intelligence Researcher Mohammad Kazem Hassan Nejad. “Most of the affiliates appear to have been part of or have had close working relationships with the CONTI group, its members and offspring after its alleged shutdown.”
SILKLOADER, a type of malware called a loader, abuses a technique known as DLL side-loading using VLC Media Player to launch Cobalt Strike beacons on devices. These beacons give attackers ongoing access to infected devices for further use.
According to Hassan Nejad, the loader was built to obscure the Cobalt Strike beacons so that they can evade defence mechanisms on a victim’s machine.
"Cobalt Strike beacons are very well known and detections against them on a well-protected machine are all but guaranteed. However, by adding additional layers of complexity to the file content and launching it through a known application such as VLC Media Player via side-loading, the attackers hope to evade these defence mechanisms,” he said.
Confronting cyber crime services
According to WithSecure Intelligence Vice-President, Paolo Palumbo, the loader’s availability as a service that can be bought by different threat actors highlights the challenge in countering tradecraft available in the cyber crime industry.
“Attackers are using the cyber crime industry to acquire new capabilities and technologies so they can quickly adapt their operations for their targets’ defences. That makes it difficult for us to associate resources with a particular group or mode of operations. On the other hand, this sharing of infrastructure offers us a defensive force-multiplier through which we can defend against several groups at once by creating strategies to counter resources they share,” said Palumbo.
WithSecure Elements and WithSecure Countercept Managed Detection and Response have multiple detections for SILKLOADER and its related activity. More information on these solutions is available at https://www.withsecure.com/en/solutions.
An overview of SILKLOADER, including indicators of compromise, is available at https://labs.withsecure.com/publications/silkloader.
WithSecure™, formerly F-Secure Business, is cyber security's reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world's most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations. Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we've built our portfolio to grow with our partners through flexible commercial models.
WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.