Chinese Silkloader cyber attack tool falls into Russian hands

Threat researchers at WithSecure have revealed intelligence on how cyber criminal gangs are sharing tools along the historic Silk Roads of Eurasia, after finding a tool known to have been developed by Chinese cyber criminals being taken up enthusiastically among Russian-speaking ransomware operators.

The tool, tracked by the research team as Silkloader, is a beacon loader that leverages dynamic link library (DLL) side-loading, exploiting the legitimate VLC Media Player to upload and launch the open source Cobalt Strike command-and-control (C2) framework – a reliable staple in most cyber criminal arsenals – to their victims’ systems.

It seems to have been specifically built to obscure the Cobalt Strike beacons. This is a useful thing to be able to do, as WithSecure researcher Mohammad Kazem Hassan Najad, who worked on the research alongside colleagues Bert Steppé and Neeraj Singh, explained.

“Cobalt Strike beacons are very well known and detections against them on a well-protected machine are all but guaranteed,” he said. “However, by adding additional layers of complexity to the file content and launching it through a known application such as VLC Media Player via sideloading, the attackers hope to evade these defence mechanisms.”

The team first observed it being used last year, when it was deployed exclusively by financially motivated Chinese actors against targets in East Asia, mostly China and Hong Kong. However, this campaign of cyber criminal activity tapered off and came to a halt in July 2022.

Then, towards the end of the year, WithSecure picked up on a number of human-operated cyber intrusions across various organisations.

The first observed intrusion took place in France, with the targeting of a social welfare organisation in which the threat actor gained initial access via a vulnerability in a Fortinet SSL VPN and used this access to launch Cobalt Strike beacons. This unfolded over a lengthy period.

On detection by WithSecure’s Elements technology, the threat actor pivoted and tried to launch another Cobalt Strike beacon using Silkloader. This attack was successfully contained – as were others – but was almost certainly the beginning stages of a ransomware attack.

Further analysis of the threat actor’s tactics, techniques and procedures (TTPs), notably the use of Fortinet vulnerabilities to gain initial access, led WithSecure’s team to the assessment that the attacks were likely linked to operators of the Play ransomware.

Named for the .play extension it appends to encrypted files, Play emerged in 2022, and is likely closely related to the defunct Hive operation, which was successfully disrupted by the FBI in January 2023. It was behind the recent ransomware attack on Glasgow-based car dealer Arnold Clark, as well as the infamous December 2022 incident at Rackspace, which disrupted hosted services for thousands.

Although the adoption of Silkloader by a Russian-speaking ransomware cartel may seem an interesting cyber curiosity, it also serves as a valuable insight into cyber criminal tradecraft, revealing how tools are acquired or shared between groups, and firming up the links between them.

In this instance, said Hassan Nejad, it’s likely its Chinese operator, who may even have been an independent coder, sold it to a Russian actor. He suggested this was very likely someone closely linked to the also-defunct Conti operation – Hive in particular was used with great gusto by an actor known variously as UNC2727, Gold Ulrick or Wizard Spider, which is the former Conti operation that hit Ireland’s Health Service Executive (HSE) in 2021.

“We believe Silkloader is currently distributed within the Russian cyber crime ecosystem as an off-the-shelf loader through a packer-as-a-service program to ransomware groups, or possibly via groups offering Cobalt Strike/infrastructure as a service to trusted affiliates,” said Hassan Nejad.