2022-04-13

Colibri Loader

Level: 
Tactical
  |  Source: 
Malwarebytes
Share:

Colibri Loader

Industry: N/A | Level: Tactical | Source: Malwarebytes

Malwarebytes provided analysis on Colibri Loader, a malware that emerged in underground forums in August 2021. The malware is advertised to “people who have large volumes of traffic and lack of time to work out the material.“ A recently observed attack chain identified Colibri Loader delivering Vidar information stealer. The campaign begins with the execution of a malicious document triggering PowerShell to download the Colibri Loader with BitsTransfer. Contingent on the Windows version 7 or 10, the malware's directory location and the scheduled task are different. Notably, the Windows 10 version achieves a new persistence technique as the scheduled task runs PowerShell with a hidden window. Additionally, the malware utilizes a file name of Get-Variable.exe, takes advantage of a valid PowerShell cmdlet, Get-Variable. As described by Malwarebytes "WindowsApps is by default in the path where PowerShell is executed. When the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location)."

  • Anvilogic Scenario: Colibri Loader - Initial Access with BitsTransfer and Schtasks
  • Anvilogic Use Cases:
  • BitsAdmin NetCat PowerCat File Transfer
  • BITSadmin Execution
  • Executable Process from Suspicious Folder
  • Create/Modify Schtasks
  • Executable File Written to Disk
  • Suspicious DLLhost Execution
  • Command and Control Beaconing via WEB

Chat with our team to receive a free maturity assessment

Get in Touch