
Researchers Uncover How Colibri Malware Stays Persistent on Hacked Systems
2022-04-07 03:34

Cybersecurity researchers have detailed a "simple but efficient" persistence mechanism adopted by a relatively nascent malware loader called Colibri, which has been observed deploying a Windows information stealer known as Vidar as part of a new campaign.

"The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer," Malwarebytes Labs said in an analysis.

"The document contacts a remote server at to load a remote template named 'trkal0.dot' that contacts a malicious macro," the researchers added.

First documented by FR3D.HK and Indian cybersecurity company CloudSEK earlier this year, Colibri is a malware-as-a-service platform that's engineered to drop additional payloads onto compromised systems.

Early signs of the loader appeared on Russian underground forums in August 2021.

In the attack chain observed by Malwarebytes, the weaponized document uses a technique called remote template injection: rather than embedding a macro directly, the document references a remote template (here 'trkal0.dot') that Word fetches from the attacker's server when the file is opened, and the macro carried by that template downloads the Colibri loader.
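Remote template injection leaves a recognisable trace in the document package itself: the attached-template relationship in word/_rels/settings.xml.rels points at an external http(s) or UNC target instead of a local template path. The following Python triage check is an added example written for this page, not code from Malwarebytes or from the campaign; the document it builds is a constructed test input, and the server name example.invalid is a placeholder (the page does not give the real host that served trkal0.dot).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that Word uses for an attached (.dot/.dotm) template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"

# Targets that make Word fetch the template over the network: http(s) URLs and
# UNC paths. A locally attached template is written by Word as file:///C:/... and
# is deliberately not flagged here.
REMOTE_TARGET = re.compile(r"(?i)^(https?://|\\\\)")


def remote_templates(docx_bytes):
    """Return the external template URLs/paths attached to a .docx.

    A benign document either has no attachedTemplate relationship or points it
    at a local file. A remote template injection document points it at a
    network location with TargetMode="External", so Word downloads the
    template (and runs its macros, subject to macro settings) on open.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE_REL:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target, target_mode="External"):
    """Construct a minimal .docx whose settings part attaches a template.

    This is constructed test input for the example above, not a real sample;
    only the two parts the check inspects are written.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
        f'Target="{template_target}" TargetMode="{target_mode}"/>'
        '</Relationships>'
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host: the page does not name the server that hosted trkal0.dot.
    suspicious = build_sample_docx("http://example.invalid/trkal0.dot")
    benign = build_sample_docx("file:///C:/Users/alice/Templates/Normal.dotm")
    print("suspicious:", remote_templates(suspicious))
    print("benign:", remote_templates(benign))
```

The check only inspects the package; it does not fetch the template or open the file with Word, so it is safe to run over a mail-gateway quarantine or a forensic image. It will also catch remote templates referenced by UNC path, which additionally leak NTLM credentials when Word connects.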

News URL

https://thehackernews.com/2022/04/researchers-uncover-how-colibri-malware.html