Cybersecurity researchers have thoroughly reported a “simple but efficient” persistence method used by a relatively new malware loader called “Colibri.” Colibri has been put to use as a windows information stealer known as Vidar in an attack campaign.
“The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer,” Malwarebytes Labs said in an analysis. “The document contacts a remote server at (securetunnel[.]co) to load a remote template named ‘trkal0.dot’ that contacts a malicious macro,” the researchers added.
FR3D.HK and CloudSEK, an Indian cybersecurity company, recorded Colibri as a malware-as-a-service (MaaS) platform designed to plant additional payloads into affected systems. The first trails of the loader appeared on Russian underground forums in August 2021.
“This loader has multiple techniques that help avoid detection,” CloudSEK researcher Marah Aboud noted last month. “This includes omitting the IAT (Import Address Table) along with the encrypted strings to make the analysis more difficult.”
Malwarebytes reports the attack relies on remote template injection to download the Colibri loader (“setup.exe”) using the infected document.
After the download, the loader uses a previously known persistence method to survive machine reboots, but it drops a copy of itself to the location.
It creates a scheduled task on systems having Windows 10 and above, with the loader executing a command to start PowerShell with a hidden window (i.e.,-WindowStyle Hidden) to hide the malicious activity.
“It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console,” the researchers explained.
But as PowerShell is executed by default in the WindowsApps path, the command given during the scheduled task creation leads to carrying out of the malicious binary instead of the legitimate binary.
This effectively means that “an adversary can easily achieve persistence [by] combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location),” the researcher said.
Last month, Cybersecurity company Trustwave detailed an email-based phishing operation that uses Microsoft Compiled HTML Help (CHM) files to spread the Vidar malware to avoid detection.