Researchers Discover How the Colibri Malware Remains Active in Vulnerable Computer Environments

It has been discovered that an emerging malware loader known as Colibri is using an "efficient but simple" persistence mechanism to deploy the Windows information stealer Vidar as part of a new campaign.

In a report, Malwarebytes Labs said the attack begins with a malicious Word document that installs the Colibri bot, which in turn drops the Vidar Stealer. In addition, "the document contacts a remote server at (securetunnel[.]co) to load a remote template named 'trkal0.dot,'" the researchers added.

According to CloudSEK and FR3D.HK, Colibri is a platform designed to drop additional malware onto systems that have already been compromised. The loader was first spotted on Russian underground forums in August 2021.

In a report published last month, CloudSEK researcher Marah Aboud noted that the loader "has multiple techniques that help avoid detection. In order to make analysis more difficult, the IAT (Import Address Table) is omitted from the encrypted strings."

In the attack chain observed by Malwarebytes, a weaponized Microsoft Word document uses remote template injection to download the Colibri loader (setup.exe).

Once running, the loader copies "Get-Variable.exe" to "%APPDATA%\Local\Microsoft\WindowsApps" and then uses an as-yet undocumented persistence method to survive machine reboots.

The loader then creates a scheduled task that launches PowerShell with a hidden window (i.e., -WindowStyle Hidden) to keep the malicious activity out of sight on systems running Windows 10 and above.

Get-Variable "happens to be a valid PowerShell cmdlet (cmdlet is a lightweight command used in the Windows PowerShell environment)," the researchers explained.

Because PowerShell is launched via the WindowsApps directory, the scheduled task's command resolves to the malicious Get-Variable.exe binary and executes it instead of the legitimate cmdlet.

"An adversary can easily achieve persistence by combining (as long as it is called Get-Variable.exe and placed in the proper location) a scheduled task with any payload," the researchers said.
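As an added example that is not part of the article or the Malwarebytes report, the following PowerShell hunt looks for the two artifacts described above on a Windows 10 or later host: an executable in the WindowsApps folder whose name collides with a built-in cmdlet, and a scheduled task that launches PowerShell with a hidden window. It assumes the path quoted above ("%APPDATA%\Local\Microsoft\WindowsApps") and, as an assumption, also checks the per-user %LOCALAPPDATA%\Microsoft\WindowsApps folder.

```powershell
# Added detection example; run from an elevated PowerShell prompt on Windows 10+.

# 1. Executables inside WindowsApps whose base name is also a PowerShell cmdlet
#    (Get-Variable.exe is the case described in the article).
$cmdletNames = Get-Command -CommandType Cmdlet | Select-Object -ExpandProperty Name
$folders = @(
    (Join-Path $env:APPDATA 'Local\Microsoft\WindowsApps'),   # path quoted in the article
    (Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps')     # assumption: per-user alias folder
) | Where-Object { Test-Path $_ }

$suspectFiles = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $cmdletNames -contains $_.BaseName }
}

# 2. Scheduled tasks whose action starts PowerShell with a hidden window
#    (-WindowStyle Hidden, or any of its abbreviations such as -w hidden).
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match 'powershell' -and $_.Arguments -match '-w\w*\s+hidden'
    }
}

# Report. Either finding alone warrants a look; both together match the
# persistence chain the researchers describe.
"Cmdlet-named executables in WindowsApps:"
$suspectFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

"Scheduled tasks launching hidden PowerShell:"
$suspectTasks |
    Select-Object TaskName, TaskPath,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize
```

Legitimate WindowsApps entries are app execution aliases (for example wt.exe or python.exe), none of which share a name with a cmdlet, so a hit in the first list is worth treating as suspicious.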

The findings follow a report last month from cybersecurity company Trustwave describing an email-based phishing campaign that distributed the Vidar malware using Microsoft Compiled HTML Help (CHM) files.
