SILKLOADER : Journey of a Cobalt Strike beacon loader along the silk road

by Mohammad Kazem Hassan Nejad, Bert Steppé and Neeraj Singh

WithSecure Intelligence

15 March 2023

Mohammad Kazem Hassan Nejad
Bert Steppé
Neeraj Singh

Commercial and open-source command-and-control (C2) frameworks have become a staple in most adversary toolkits, with Cobalt Strike (CS) being one of the most popular. Such frameworks are often leveraged by threat actors to stage and conduct post-exploitation attacks in compromised client estates.

The prevalence of Cobalt Strike usage in attacks has precipitated a drive towards the creation of improved detection capabilities against it. Conversely, adversaries have responded to this by implementing their own detection evasion strategies. The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques. While some threat actors rely on commercial crypters, others opt to develop their own custom crypters or take existing custom crypters into use.

During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we’re tracking as SILKLOADER. By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems. 

In this report we share technical analysis of SILKLOADER and highlight notable activity clusters where it was seen in our investigations.