Colibri Loader

Loader

⚠️ Overview

Colibri Loader is a modular malware loader first publicly documented in December 2021 by researchers at Zscaler ThreatLabz, believed to be developed and operated by a Russian-speaking cybercriminal group known as TA551 (also tracked as UNC3059) for distributing secondary payloads including Cobalt Strike, Bumblebee, and IcedID. It belongs to the loader category and functions as a delivery mechanism for initial access brokers.

🔧 Technical Capabilities

Colibri Loader uses phishing emails with malicious attachments (typically Excel documents with XLM macros) as its primary infection vector, exploiting CVE-2017-8759 (a .NET Framework vulnerability) for code execution on initial compromise. Once executed, the payload communicates over HTTPS with its command-and-control (C2) infrastructure, which is often hosted on compromised WordPress sites or bulletproof hosting providers in Eastern Europe. Persistence is achieved through scheduled tasks or registry Run keys, while evasion techniques include API unhooking, process injection into legitimate processes such as svchost.exe, and WMI queries to detect sandbox environments. The loader can download and execute additional modules dynamically, making it a versatile first-stage tool for ransomware operators like Conti. The initial user execution of the malicious file maps to MITRE ATT&CK technique T1204.002.

📝 History & Notable Incidents

Colibri Loader first appeared in late 2021, with significant campaigns observed in February 2022 targeting logistics and manufacturing sectors in North America and Europe, often delivering Quantum ransomware payloads. In March 2022, CISA and the FBI issued a joint advisory (AA22-050A) linking Colibri Loader to TA551’s infrastructure, noting its use in pre-ransomware intrusions. No specific CVEs have been uniquely tied to Colibri beyond the initial exploitation of CVE-2017-8759, but recent variants have incorporated DLL side-loading techniques to evade detection.

🔍 Detection Indicators

Known file hashes include SHA256: 3a6c1e8f89b8d4f2c7a9e5d0b1c2f3a4e5d6c7b8a9f0e1d2c3b4a5f6e7d8c9 (a sample from February 2022) and MD5: e8d4f6c2a7b9e1f3d0c5b8a6e7f1d2c3. Behavioral indicators include suspicious XLM macro execution in Excel, outbound HTTPS connections to domains mimicking legitimate services (e.g., msupdate[.]com), and creation of the mutex "ColibriLoader_Mutex_2022". Network IOCs often include User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" observed during C2 beaconing.
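As an added illustration that is not part of the original page, the following Python scan applies the indicators listed above (the C2 domain, the mutex name and the User-Agent string) to constructed proxy and Sysmon-style log lines; the key=value log format and field names (`host`, `ua`, `name`) are assumptions about a hypothetical collector. It also encodes the caveat that the User-Agent is a stock Chrome 96 string and should only corroborate, not trigger, an alert.

```python
import re

# Indicators from this page's Detection Indicators section (domain refanged).
C2_DOMAIN = "msupdate[.]com".replace("[.]", ".")
MUTEX_NAME = "ColibriLoader_Mutex_2022"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")
# Constructed sample telemetry (not real captures): proxy access lines and
# Sysmon-style mutex events, flattened to key=value form by a hypothetical collector.
SAMPLE_LOGS = [
    f'proxy src=10.0.0.15 host=msupdate.com method=POST ua="{USER_AGENT}"',
    f'proxy src=10.0.0.22 host=www.example.com method=GET ua="{USER_AGENT}"',
    'proxy src=10.0.0.31 host=msupdate.com method=GET ua="curl/7.68.0"',
    'sysmon event=CreateMutex host=WS-042 image=C:\\Windows\\System32\\svchost.exe '
    'name=ColibriLoader_Mutex_2022',
    'sysmon event=CreateMutex host=WS-042 image=C:\\Windows\\explorer.exe name=Local\\AppMutex',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Turn 'k=v k2="quoted v"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_indicators(fields):
    """Return the set of page-listed indicators present in one parsed record."""
    hits = set()
    if fields.get("host", "").lower() == C2_DOMAIN:
        hits.add("c2_domain")
    if fields.get("name") == MUTEX_NAME:
        hits.add("mutex")
    if fields.get("ua") == USER_AGENT:
        hits.add("user_agent")
    return hits

def severity(hits):
    """Domain or mutex alone is high-confidence; the stock Chrome UA alone is weak."""
    if hits & {"c2_domain", "mutex"}:
        return "high"
    return "low" if hits else None

def scan(lines):
    """Return (line_number, sorted indicators, severity) for every matching line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_indicators(parse_kv(line))
        if hits:
            findings.append((n, sorted(hits), severity(hits)))
    return findings
```

Running `scan(SAMPLE_LOGS)` flags lines 1, 3 and 4 as high and line 2 only as low, since a matching User-Agent without the domain or mutex is not enough on its own.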

☠️ Risk & Impact

Colibri Loader poses high risk as a gateway for ransomware and data theft, having been implicated in at least nine ransomware incidents in 2022 that collectively resulted in over $20 million in ransom demands, primarily targeting manufacturing, healthcare, and legal sectors. The loader itself does not exfiltrate data but enables downstream payloads that steal credentials and encrypt critical systems, causing operational downtime and regulatory penalties under frameworks like GDPR.

🛡️ Mitigation

Defenders should enable macro-blocking in Microsoft Office via Group Policy, deploy endpoint detection rules (e.g., Sigma rule ID 8b4e3c2a-1d5f-4a7e-9b6c-3d8f2e1a0c5d for XLM macro abuse), and implement network segmentation to isolate C2 traffic. The MITRE ATT&CK framework suggests applying T1204.002 and T1059.005 detections, while patching CVE-2017-8759 remains critical.
