Reflective Loader

Malware updated a year ago (2024-11-29T13:45:47.234Z)

Download STIX

Preview STIX

A reflective loader is a type of malware that can load a Dynamic Link Library (DLL) into a process, often without the user's knowledge. This technique allows the malware to execute malicious code directly from memory, making it harder for antivirus software to detect and remove it. The loader operates by prepending itself to a DLL, then loading the DLL into virtual memory. This method has been used in various forms of malware, including Cobalt Strike, where it loads the beacon DLL into virtual memory. The reflective loader enables the execution of the Core-Implant in an updated variant, employing new obfuscation techniques such as different file names and registry keys. The reflective loader has evolved over time, with the ability to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver. This evolution also includes the ability to export the Beacon payload without a reflective loader, which supports prepend-style User Defined Reflective Loaders (UDRLs), allowing for more versatile deployment and execution of the Beacon payload in various environments. Other advancements include support for callbacks in a number of built-in functions, a new in-Beacon data store, and more. The reflective loader has also been utilized in executing LunarWeb and LunarMail, and when the badger is injected, its reflective loader instantly loads all dependencies required for the badger. However, the use of reflective loaders is not without its challenges. For instance, during lateral movement phases, attackers have been found to drop custom loaders in unique locations on each system. Most Beacon and Reflective Loader instances discovered during investigations were configured with unique identifiers such as C2 domain name, Watermark ID, PE compile timestamp, DNS Idle IP, User-Agent, and HTTP POST/GET transaction URI. At the conclusion of the de-obfuscation process, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon in memory. Type A loaders use a simple rolling XOR methodology to decode the Reflective Loader, while Type B loaders (Raindrop) utilize a combination of AES-256 encryption algorithm, LZMA compression, and a single-byte XOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. The ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory.

Description last updated: 2024-07-19T17:15:37.559Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Cobalt Strike Reflective Loader is a possible alias for Reflective Loader. The Cobalt Strike Reflective Loader is a type of malware that loads the Beacon DLL into virtual memory, a process which can be visualized through a specific diagram. This malicious software, designed to exploit and damage computer systems, infiltrates your device without your knowledge via suspiciou	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Payload

Loader

Beacon

Implant

Dropper

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Cobalt Strike Beacon Malware is associated with Reflective Loader. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike Beacon	Unspecified	2

Source Document References

Information about the Reflective Loader Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	16 days ago	Google, Mandiant expose malware and zero-day behind Oracle EBS extortion
Securelist	3 months ago	Targeted attacks leverage accounts on popular online platforms as C2 servers
ESET	7 months ago	You will always remember this as the day you finally caught FamousSparrow
Unit42	8 months ago	Off the Beaten Path: Recent Unusual Malware
DARKReading	a year ago	Chinese Hacker Gang GhostEmperor Re-Emerges After Two Years
ESET	a year ago	To the Moon and back(doors): Lunar landing in diplomatic missions
MITRE	2 years ago	PART 3: How I Met Your Beacon - Brute Ratel - MDSec
CERT-EU	2 years ago	Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice
MITRE	3 years ago	Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
Securityaffairs	2 years ago	FUD Malware obfuscation engine BatCloak continues to evolve
SecurityIntelligence.com	3 years ago	Defining the Cobalt Strike Reflective Loader
MITRE	3 years ago	Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers - Microsoft Security Blog
MITRE	3 years ago	A dive into Turla PowerShell usage \| WeLiveSecurity
Krypos Logic	3 years ago	Deep Dive into Trickbot's Web Injection
CERT-EU	2 years ago	Space Pirates: analyzing the tools and connections of a new hacker group
MITRE	3 years ago	Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Unit42	3 years ago	CryptoClippy Speaks Portuguese
MITRE	3 years ago	The CostaRicto Campaign: Cyber-Espionage Outsourced