Reflective Loader

Malware updated 2 months ago (2024-07-19T17:17:42.870Z)
A reflective loader is a malware component that loads a Dynamic Link Library (DLL) into a process, typically without the user's knowledge. Because the DLL is mapped and executed directly from memory rather than written to disk, the technique makes the payload harder for antivirus software to detect and remove. The loader works by prepending itself to a DLL and then mapping that DLL into virtual memory. It has appeared in many malware families, most prominently Cobalt Strike, where it loads the Beacon DLL into virtual memory.

In an updated variant, the reflective loader enables execution of the Core-Implant and employs new obfuscation techniques such as changed file names and registry keys. The Cobalt Strike loader has also evolved over time: it can now resolve system call information and pass it to Beacon, overriding Beacon's default system call resolver. The same release added the ability to export the Beacon payload without a reflective loader, which supports prepend-style User Defined Reflective Loaders (UDRLs) and allows more flexible deployment and execution of Beacon in a range of environments. Other additions include callback support in a number of built-in functions and a new in-Beacon data store.

Reflective loaders have also been used to execute LunarWeb and LunarMail, and in Brute Ratel, where the injected badger's reflective loader immediately loads every dependency the badger requires. The technique does leave traces, however. During lateral movement phases, attackers have been observed dropping custom loaders in unique locations on each system, and most Beacon and Reflective Loader instances found during investigations were configured with unique identifiers such as the C2 domain name, Watermark ID, PE compile timestamp, DNS Idle IP, User-Agent, and HTTP POST/GET transaction URI.

At the end of the de-obfuscation process, both loader variants load the Reflective Loader in memory, which in turn executes Cobalt Strike Beacon in memory. Type A loaders use a simple rolling XOR routine to decode the Reflective Loader, while Type B loaders (Raindrop) combine AES-256 encryption, LZMA compression, and a single-byte XOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. The end goal of both Type A and Type B loaders is the same: de-obfuscate and load a Cobalt Strike Reflective Loader in memory.
Description last updated: 2024-07-19T17:15:37.559Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so the following are possible overlapping names and profiles worth reviewing.

ID | Votes | Profile Description
Cobalt Strike Reflective Loader | 2 | The Cobalt Strike Reflective Loader is a type of malware that loads the Beacon DLL into virtual memory, a process which can be visualized through a specific diagram. This malicious software, designed to exploit and damage computer systems, infiltrates your device without your knowledge via suspiciou
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Beacon
Loader
Exploit
Implant
Source Document References
Information about the Reflective Loader malware was drawn from the document corpus below. This display is limited to 20 results.

Source | Created | Title
DARKReading | 2 months ago | Chinese Hacker Gang GhostEmperor Re-Emerges After Two Years
ESET | 4 months ago | To the Moon and back(doors): Lunar landing in diplomatic missions
MITRE | 9 months ago | PART 3: How I Met Your Beacon - Brute Ratel - MDSec
CERT-EU | a year ago | Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal's Tool of Choice
MITRE | 2 years ago | Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
Securityaffairs | a year ago | FUD Malware obfuscation engine BatCloak continues to evolve
SecurityIntelligence.com | a year ago | Defining the Cobalt Strike Reflective Loader
MITRE | 2 years ago | Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers - Microsoft Security Blog
MITRE | 2 years ago | A dive into Turla PowerShell usage | WeLiveSecurity
Kryptos Logic | 2 years ago | Deep Dive into Trickbot's Web Injection
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group
MITRE | 2 years ago | Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Unit42 | a year ago | CryptoClippy Speaks Portuguese
MITRE | 2 years ago | The CostaRicto Campaign: Cyber-Espionage Outsourced