In-depth Technical Analysis of Colibri Loader Malware

In-depth Technical Analysis of Colibri Loader Malware

March 10, 2022
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

On 27 August 2021, cybersecurity researchers discovered a malware loader dubbed Colibri being sold on an underground Russian forum. The actors claim that the loader is stealthy and can be used to target Windows systems, to drop other malware onto the infected system. 

Features of the Colibri loader malware

The features of the loader, as listed in the advertisement, include the following:

  • The loader is written in C/ ASM.
  • It works on Windows operating systems including Windows servers.
  • The loader does not have dependencies, indicating that the loader works without relying on other entities from the system.
  • The loader does not have an IAT (Import Address Table) that contains used WinAPI functions.
  • Colibri loader has only two sections in the PE structure namely the “.text” (code section) and the “.reloc” (relocation section).
  • All the strings in the loader as well as the connection channel between the C2 server and the loader are encrypted.
Threat actor’s post on the cybercrime forum about the Colibri Malware Loader
Threat actor’s post on the cybercrime forum about the Colibri Malware Loader

Threat actor’s post on the cybercrime forum

Technical Analysis of Colibri

Unpacking the loader

Colibri loader comes packed in a trojanized executable file. By using x64dbg (debugger) and putting breakpoints on the function VirtualAlloc we were able to extract the actual payload of the Colibri loader.

Packed sample74c4f24e9c025d55c4dd8aca8b91fce3
Colibri unpacked sample58FEE16BBEA42A378F4D87D0E8A6F9C8

The self-modifying code in the malware

By testing the extracted payload with PEStudio it is evident that the payload has only two sections, .text (Code Section) and .reloc (Relocation Section). The results of scanning the payload also show the existence of a self-modifying section in the code. This implies that the payload is capable of dynamically resolving other parts of the code that are not accessible through static analysis of the payload.

By running the payload in an IDA debugger we will be able to resolve the self-modifying code section of the payload.

Two sections that exist in the payload, besides the self-modifying property
Two sections that exist in the payload, besides the self-modifying property

The self-modifying code

Dynamically resolved code section
Dynamically resolved code section

IAT dynamic resolving

To avoid detection by AVs statically, the payload’s author hashes all WinAPI functions, ignoring the Import Address Table (IAT), which aids in recognising the malware’s activity statically. The payload resolves the function names dynamically using XOR and Shift operations. After resolving the function name, the address of the function is stored in eax register and a call function is created.

Dehashing the function name

Dehashing the function names

Kill itself if there is already a running instance process of it

Before running on the system, the payload creates a mutex by calling the function CreateMutexW and then tests if there is an instance of the payload already running on the infected system. If there is an existing running process of payload on the system, the payload calls the ExitProcess function and exits the execution. If there is no instance of the payload running on the system, the payload continues the execution and calls the Sleep function to sleep for 3 seconds as a simple way to evade protection.

Check the existence of the payload on the system
Check the existence of the payload on the system

The connection with the C2 server

To make the static analysis more difficult and to evade detection, the author of this malware has encrypted all the strings. After resolving the function names dynamically and using the debugger, the strings extracted from the payload will have the following artifacts:

  • IP address of the C2 server 80.92.205.102
  • URL with another payload to be downloaded /gate.php

The payload first initializes the use of WinInet functions by calling InternetOpenW, followed by which it opens the HTTP section with the function InternetConnectW. The payload creates an HTTP request by calling the function HttpOpenRequestW under the following parameters:

  • The type of request:  /GET
  • Name of the target object:  /gate.php?type=check&uid=59045F4FF04F133112200
  • HTTP version to be used in the request: HTTP/1.1

After this, the payload sends the GET request to the server by calling the function HttpSendRequestW. Then, the payload calls the function InternetQueryDataAvailable to determine the amount of requested data. Based on the results of the previous function calls, the payload reads the data by calling the function InternetReadFile. Our assumption is that the payload requests the C2 server and downloads another payload on the system.

The payload calls the function CryptStringToBinary, to decrypt data after downloading the data from the C2 server, which indicates that the data could be encrypted.

GET request to the C2 server
GET request to the C2 server

Indicators of Compromise – Colibri Loader Malware

MD574c4f24e9c025d55c4dd8aca8b91fce3 
58FEE16BBEA42A378F4D87D0E8A6F9C8
IP80.92.205.102
URL80.92.205.102/gate.php?type=check&uid=59045F4FF04F133112200

Conclusion

Colibri loader is a type of malware that is used to load more types of malware into the infected system. This loader has multiple techniques that help avoid detection. This includes, omitting the IAT (Import Address Table) along with the encrypted strings to make the analysis more difficult. Like any other loader malware, the Colibri can be used to install information-stealing malware which may result in substantial loss of sensitive information. Thus, users should be wary of any unknown files on their systems.

Author

Predict Cyber threats against your organization

Related Posts
Blog Image
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Malware Intelligence

min read

In-depth Technical Analysis of Colibri Loader Malware

In-depth Technical Analysis of Colibri Loader Malware

Authors
Co-Authors
No items found.

On 27 August 2021, cybersecurity researchers discovered a malware loader dubbed Colibri being sold on an underground Russian forum. The actors claim that the loader is stealthy and can be used to target Windows systems, to drop other malware onto the infected system. 

Features of the Colibri loader malware

The features of the loader, as listed in the advertisement, include the following:

  • The loader is written in C/ ASM.
  • It works on Windows operating systems including Windows servers.
  • The loader does not have dependencies, indicating that the loader works without relying on other entities from the system.
  • The loader does not have an IAT (Import Address Table) that contains used WinAPI functions.
  • Colibri loader has only two sections in the PE structure namely the “.text” (code section) and the “.reloc” (relocation section).
  • All the strings in the loader as well as the connection channel between the C2 server and the loader are encrypted.
Threat actor’s post on the cybercrime forum about the Colibri Malware Loader
Threat actor’s post on the cybercrime forum about the Colibri Malware Loader

Threat actor’s post on the cybercrime forum

Technical Analysis of Colibri

Unpacking the loader

Colibri loader comes packed in a trojanized executable file. By using x64dbg (debugger) and putting breakpoints on the function VirtualAlloc we were able to extract the actual payload of the Colibri loader.

Packed sample74c4f24e9c025d55c4dd8aca8b91fce3
Colibri unpacked sample58FEE16BBEA42A378F4D87D0E8A6F9C8

The self-modifying code in the malware

By testing the extracted payload with PEStudio it is evident that the payload has only two sections, .text (Code Section) and .reloc (Relocation Section). The results of scanning the payload also show the existence of a self-modifying section in the code. This implies that the payload is capable of dynamically resolving other parts of the code that are not accessible through static analysis of the payload.

By running the payload in an IDA debugger we will be able to resolve the self-modifying code section of the payload.

Two sections that exist in the payload, besides the self-modifying property
Two sections that exist in the payload, besides the self-modifying property

The self-modifying code

Dynamically resolved code section
Dynamically resolved code section

IAT dynamic resolving

To avoid detection by AVs statically, the payload’s author hashes all WinAPI functions, ignoring the Import Address Table (IAT), which aids in recognising the malware’s activity statically. The payload resolves the function names dynamically using XOR and Shift operations. After resolving the function name, the address of the function is stored in eax register and a call function is created.

Dehashing the function name

Dehashing the function names

Kill itself if there is already a running instance process of it

Before running on the system, the payload creates a mutex by calling the function CreateMutexW and then tests if there is an instance of the payload already running on the infected system. If there is an existing running process of payload on the system, the payload calls the ExitProcess function and exits the execution. If there is no instance of the payload running on the system, the payload continues the execution and calls the Sleep function to sleep for 3 seconds as a simple way to evade protection.

Check the existence of the payload on the system
Check the existence of the payload on the system

The connection with the C2 server

To make the static analysis more difficult and to evade detection, the author of this malware has encrypted all the strings. After resolving the function names dynamically and using the debugger, the strings extracted from the payload will have the following artifacts:

  • IP address of the C2 server 80.92.205.102
  • URL with another payload to be downloaded /gate.php

The payload first initializes the use of WinInet functions by calling InternetOpenW, followed by which it opens the HTTP section with the function InternetConnectW. The payload creates an HTTP request by calling the function HttpOpenRequestW under the following parameters:

  • The type of request:  /GET
  • Name of the target object:  /gate.php?type=check&uid=59045F4FF04F133112200
  • HTTP version to be used in the request: HTTP/1.1

After this, the payload sends the GET request to the server by calling the function HttpSendRequestW. Then, the payload calls the function InternetQueryDataAvailable to determine the amount of requested data. Based on the results of the previous function calls, the payload reads the data by calling the function InternetReadFile. Our assumption is that the payload requests the C2 server and downloads another payload on the system.

The payload calls the function CryptStringToBinary, to decrypt data after downloading the data from the C2 server, which indicates that the data could be encrypted.

GET request to the C2 server
GET request to the C2 server

Indicators of Compromise – Colibri Loader Malware

MD574c4f24e9c025d55c4dd8aca8b91fce3 
58FEE16BBEA42A378F4D87D0E8A6F9C8
IP80.92.205.102
URL80.92.205.102/gate.php?type=check&uid=59045F4FF04F133112200

Conclusion

Colibri loader is a type of malware that is used to load more types of malware into the infected system. This loader has multiple techniques that help avoid detection. This includes, omitting the IAT (Import Address Table) along with the encrypted strings to make the analysis more difficult. Like any other loader malware, the Colibri can be used to install information-stealing malware which may result in substantial loss of sensitive information. Thus, users should be wary of any unknown files on their systems.