2022-04-13

Colibri Loader

Level: Tactical | Source: Malwarebytes
Tags: Cybersecurity, Information & Technology, Software


Malwarebytes provided analysis on Colibri Loader, a malware that emerged on underground forums in August 2021. The malware is advertised to "people who have large volumes of traffic and lack of time to work out the material." A recently observed attack chain identified Colibri Loader delivering the Vidar information stealer. The campaign begins with the execution of a malicious document that triggers PowerShell to download Colibri Loader with BitsTransfer.

The malware's drop directory and its scheduled task differ depending on whether the host runs Windows 7 or Windows 10. Notably, the Windows 10 variant achieves persistence through a new technique: the scheduled task only launches PowerShell with a hidden window, while the payload itself is dropped under the file name Get-Variable.exe, hijacking the name of a valid PowerShell cmdlet, Get-Variable. As described by Malwarebytes, "WindowsApps is by default in the path where PowerShell is executed. When the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location)."
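As an added example (this is not code from Malwarebytes, Anvilogic or the Colibri sample), the following PowerShell hunt checks a host for the two halves of the technique described above: an executable named Get-Variable in any directory on PATH, including the per-user WindowsApps folder, and a scheduled task that launches PowerShell with a hidden window but passes no script, command or encoded command. The function names, the output fields and the assumption that a hidden-window task with no visible payload is the suspicious shape are this example's own; the cmdlets and task properties used are the standard ones from the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not code from Malwarebytes, Anvilogic or the Colibri sample.
# Hunts a Windows host for the two halves of the Get-Variable.exe technique:
#   1. an executable named Get-Variable in any directory on PATH, which
#      PowerShell would resolve as an Application;
#   2. a scheduled task that launches PowerShell with a hidden window but
#      passes no script, command or encoded command (assumption: that empty
#      shape is what makes the task suspicious, per the quoted description).
# Function names and the output shape are this example's own choices.

function Get-FileSummary {
    param([string]$Path, [string]$FoundBy)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path       = $Path
        FoundBy    = $FoundBy
        SizeBytes  = $item.Length
        CreatedUtc = $item.CreationTimeUtc
        SHA256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        Signature  = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

function Find-GetVariableShadow {
    # Per-user WindowsApps is on PATH by default on Windows 10; check it
    # explicitly in case this session's PATH differs from the task's.
    $dirs = @($env:PATH -split ';') + @(Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps')
    $dirs = $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    $exts = @($env:PATHEXT -split ';') | Where-Object { $_ }   # .COM;.EXE;.BAT;...
    $seen = @{}
    foreach ($dir in $dirs) {
        foreach ($ext in $exts) {
            $candidate = Join-Path $dir ("Get-Variable" + $ext)
            if ((Test-Path -LiteralPath $candidate) -and -not $seen.ContainsKey($candidate.ToLower())) {
                $seen[$candidate.ToLower()] = $true
                Get-FileSummary -Path $candidate -FoundBy 'PATH scan'
            }
        }
    }
    # Cross-check with PowerShell's own resolver: -All lists every command
    # named Get-Variable, so an Application next to the Cmdlet means an
    # executable is shadowing the built-in name.
    Get-Command -Name Get-Variable -All -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandType -eq 'Application' } |
        ForEach-Object {
            if (-not $seen.ContainsKey($_.Source.ToLower())) {
                $seen[$_.Source.ToLower()] = $true
                Get-FileSummary -Path $_.Source -FoundBy 'Get-Command -All'
            }
        }
}

function Find-HiddenPowerShellTask {
    # Start-up switches that change how PowerShell launches but carry no code.
    $noPayload = '(?i)(^|\s)-(w\w*\s+\S+|ex\w*\s+\S+|ep\s+\S+|v\w*\s+\S+|nop\w*|noni\w*|noe\w*|nol\w*|sta|mta)'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe     = ([string]$action.Execute).Trim('"')
            $argList = [string]$action.Arguments
            if ($exe -notmatch '(?i)(^|[\\/])(powershell|pwsh)(\.exe)?$') { continue }
            if ($argList -notmatch '(?i)(^|\s)-w\w*\s+hidden') { continue }
            # Whatever survives the strip is a visible payload (-Command, -File,
            # -EncodedCommand or a positional script). Nothing left means the
            # task depends on something PowerShell picks up on start-up.
            $rest = ($argList -replace $noPayload, '').Trim()
            [pscustomobject]@{
                TaskName       = $task.TaskName
                TaskPath       = $task.TaskPath
                State          = [string]$task.State
                Execute        = $exe
                Arguments      = $argList
                VisiblePayload = ($rest.Length -gt 0)
            }
        }
    }
}

# Run both checks. Any Find-GetVariableShadow hit, and any task reported with
# VisiblePayload = False, deserves a look before being treated as benign.
Find-GetVariableShadow    | Format-Table -AutoSize
Find-HiddenPowerShellTask | Format-Table -AutoSize
```

The two checks are deliberately independent: the PATH scan catches the dropped binary even if its scheduled task has already been removed, and the task scan catches a hidden-window task whose payload is still on its way. Because the first check hashes and signature-checks every hit, the same output can be fed straight into a ticket or a blocklist without re-touching the file.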

