Colibri Loader employs clever persistence mechanism

Recently discovered malware loader Colibri leverages a trivial and efficient persistence mechanism to deploy Windows Vidar data stealer.

Malwarebytes researchers observed a new loader, dubbed Colibri, which has been used to deploy a Windows information stealer tracked as Vidar in a recent campaign.

The Colibri Loader first appeared in the threat landscape in August 2021 when it was advertised in the underground forums. The campaign was first spotted by researchers from cybersecurity company CloudSEK earlier this year, but Malwarebytes focused on the persistence mechanism used by Colibri.

The attack chain starts with a weaponized Word document that was used to deliver the Colibri loader that in turn delivers the Vidar infostealer.

“Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload.” reads the analysis published by the researchers. “The document contacts a remote server at (securetunnel[.]co) to load a remote template named ‘trkal0.dot’ that contacts a malicious macro,”

The attackers used the remote template injection technique to download the Colibri loader (“setup.exe”), the Word document was used to contact a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot containing a malicious macro.

The loader drops its own copy to the location “%APPDATA%\Local\Microsoft\WindowsApps” and names it “Get-Variable.exe” for Windows 10 and above, while for lower versions it drops it in %DOCUMENTS%/WindowsPowerShell named as dllhost.exe.

Colibri employed a simple as effective persistence mechanism based on PowerShell.

“On Windows 7, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “C:\Users\admin\Documents\WindowsPowerShell\dllhost.exe“

On Windows 10 and above, it creates a scheduled task using the following command:

• schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -windowstyle hidden“

In the first scenario (Win7), we see a task pointing to the path of Colibri Loader.” continues the analysis. “However, in the second we see an odd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique employed by the malware author.”

It achieves this by creating a scheduled task on systems running Windows 10 and above, with the loader executing a command to launch PowerShell with a hidden window (i.e., -WindowStyle Hidden) to conceal the malicious activity from being detected.

The Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) that attackers use to retrieve the value of a variable in the current console.

Experts pointed out that WindowsApps is by default in the path where PowerShell is executed. When the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the legitimate counterpart.

Threat actors can achieve persistence by using a scheduled task and a binary named Get-Variable.exe which is located in a specific folder.

Malwarebytes experts reproduced the persistence mechanism using the calculator:

“Colibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining popularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be known.” concludes the report.

Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]