Reflective Loader

Malware profile, updated 4 days ago
A reflective loader is a type of malware that can load a Dynamic Link Library (DLL) into a process, often without the user's knowledge. Because the malicious code executes directly from memory, it is harder for antivirus software to detect and remove. The loader operates by prepending itself to a DLL and then loading that DLL into virtual memory. The method has been used in various forms of malware, including Cobalt Strike, where it loads the Beacon DLL into virtual memory.

In an updated variant, the reflective loader enables execution of the Core-Implant and employs new obfuscation techniques such as different file names and registry keys. The reflective loader has also evolved over time: it can now resolve and pass system call information to Beacon, overriding Beacon's default system call resolver. This evolution further includes the ability to export the Beacon payload without a reflective loader, which supports prepend-style User Defined Reflective Loaders (UDRLs) and allows more versatile deployment and execution of the Beacon payload in various environments. Other advancements include support for callbacks in a number of built-in functions, a new in-Beacon data store, and more.

Reflective loaders have also been used to execute LunarWeb and LunarMail, and when the badger is injected, its reflective loader immediately loads all dependencies the badger requires. The use of reflective loaders is not without its challenges, however. For instance, during lateral movement phases, attackers have been found to drop custom loaders in unique locations on each system. Most Beacon and Reflective Loader instances discovered during investigations were configured with unique identifiers such as the C2 domain name, Watermark ID, PE compile timestamp, DNS Idle IP, User-Agent, and HTTP POST/GET transaction URI.

At the conclusion of the de-obfuscation process, both variants load the Reflective Loader in memory, which then executes Cobalt Strike Beacon in memory. Type A loaders use a simple rolling XOR routine to decode the Reflective Loader, while Type B loaders (Raindrop) use a combination of the AES-256 encryption algorithm, LZMA compression, and a single-byte XOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. The ultimate goal of both Type A and Type B loaders is the same: to de-obfuscate and load a Cobalt Strike Reflective Loader in memory.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Cobalt Strike Reflective Loader | 2 | The Cobalt Strike Reflective Loader is a type of malware that loads the Beacon DLL into virtual memory, a process which can be visualized through a specific diagram. This malicious software, designed to exploit and damage computer systems, infiltrates your device without your knowledge via suspiciou
Raindrop | 1 | Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra
Cobalt Strike | 1 | Cobalt Strike is a powerful malware tool that has been used extensively by cybercriminals and threat actors worldwide. It operates through a built-in reflective loader that leverages the kernel32.LoadLibraryA API for DLL loading, which allows the beacon DLL to be loaded into virtual memory. This pro
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Beacon
Loader
Exploit
Implant
Firefox
PowerShell
Windows
Microsoft
Encryption
Lateral Move...
Symantec
Backdoor
Dropper
Cobalt Strike
Malware
Associated Malware
ID | Type | Votes | Profile Description
Meterpreter | Unspecified | 1 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
trojan:win64/solorigate.sb!dha | Unspecified | 1 | None
Jlaive | Unspecified | 1 | Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contribut
Associated Threat Actors
ID | Type | Votes | Profile Description
Lunarweb | Unspecified | 1 | LunarWeb is a threat actor discovered by ESET Research, responsible for the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad. LunarWeb, along with another backdoor named LunarMail, were deployed on servers and workstations respectively, using sophisticate
Lunarmail | Unspecified | 1 | LunarMail, identified as a threat actor by ESET Research, has been implicated in the compromise of a European Ministry of Foreign Affairs (MFA) and its diplomatic missions. This cyber threat employs two previously unknown backdoors, LunarWeb and LunarMail, to infiltrate and exploit systems. LunarWeb
Leafminer | Unspecified | 1 | Leafminer is a highly active threat actor group, primarily targeting organizations in the Middle East. The group employs various intrusion methods such as watering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login attempts. Leafminer's arsenal i
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Reflective Loader malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 4 days ago | Chinese Hacker Gang GhostEmperor Re-Emerges After Two Years
ESET | 2 months ago | To the Moon and back(doors): Lunar landing in diplomatic missions
MITRE | 7 months ago | PART 3: How I Met Your Beacon - Brute Ratel - MDSec
CERT-EU | 9 months ago | Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal's Tool of Choice
MITRE | a year ago | Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
Securityaffairs | a year ago | FUD Malware obfuscation engine BatCloak continues to evolve
SecurityIntelligence.com | a year ago | Defining the Cobalt Strike Reflective Loader
MITRE | a year ago | Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers - Microsoft Security Blog
MITRE | a year ago | A dive into Turla PowerShell usage | WeLiveSecurity
Kryptos Logic | a year ago | Deep Dive into Trickbot's Web Injection
CERT-EU | a year ago | Space Pirates: analyzing the tools and connections of a new hacker group
MITRE | a year ago | Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
Unit42 | a year ago | CryptoClippy Speaks Portuguese
MITRE | a year ago | The CostaRicto Campaign: Cyber-Espionage Outsourced