
Colibri malware loader’s persistence examined

Malwarebytes researchers discovered that the Colibri malware loader, which is used to distribute the Vidar information stealer, has been using a "simple but efficient approach" to establish persistence, according to The Hacker News. "The attack starts with a malicious Word document deploying a Colibri bot that then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named 'trkal0.dot' that contacts a malicious macro," said researchers. First identified last year, Colibri has been reported by CloudSEK researcher Marah Aboud to remove its Import Address Table and to encrypt its strings in order to evade detection. In the new campaign, attackers use remote template injection from a malicious Word document to download the Colibri loader. Colibri drops a copy of itself into "%APPDATA%\Local\Microsoft\WindowsApps" under the filename "Get-Variable.exe" before using a novel persistence approach that survives reboots. "It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console," researchers added.
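As an added example (not code from the article, SC Media or the researchers), the following PowerShell check enumerates the WindowsApps directory named above and flags any executable whose base name matches a built-in cmdlet, the masquerade the article describes. The second path, %LOCALAPPDATA%\Microsoft\WindowsApps, is an assumption about where that directory normally lives on a user profile.

```powershell
# Added example (not from the article or Malwarebytes): flag executables in the
# user WindowsApps directory whose file name collides with a built-in PowerShell
# cmdlet, the masquerading pattern the article describes for Colibri (Get-Variable.exe).
# Path assumptions: the article's "%APPDATA%\Local\Microsoft\WindowsApps" plus the
# usual "%LOCALAPPDATA%\Microsoft\WindowsApps", which sits on the user's PATH.
$candidateDirs = @(
    (Join-Path $env:APPDATA      'Local\Microsoft\WindowsApps')
    (Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps')
) | Where-Object { Test-Path $_ }

# Build a lookup of every cmdlet name available in this session (e.g. Get-Variable).
$cmdletNames = @{}
Get-Command -CommandType Cmdlet | ForEach-Object { $cmdletNames[$_.Name.ToLower()] = $true }

$findings = foreach ($dir in $candidateDirs) {
    Get-ChildItem -Path $dir -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $cmdletNames.ContainsKey($_.BaseName.ToLower()) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Cmdlet    = $_.BaseName   # legitimate cmdlet name being impersonated
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Signature = $sig.Status   # an unsigned binary here deserves a closer look
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No cmdlet-named executables found in the WindowsApps directories.'
}
```

Run it under the user profile being examined, since both directories are per-user; any hit should be triaged by hash and signature before being treated as the Colibri drop.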
