Colibri, a malware loader first observed in August of 2021, has been seen using a simple but effective persistence mechanism on infected systems. In its latest campaign, Colibri has been deploying Vidar, a Windows-based information stealer.
A Colibri infection starts with a malicious Word document that reaches out to a remote server to fetch a template and runs a malicious macro from it via remote template injection. The macro downloads the Colibri loader and executes it on the system, which in turn downloads and executes the Vidar stealer from the Colibri Command-and-Control (C2) server.

Colibri persists through a scheduled task. It copies itself into the user's profile under %LOCALAPPDATA%\Microsoft\WindowsApps (that is, AppData\Local\Microsoft\WindowsApps) and names the copy "Get-Variable.exe". The scheduled task it creates is configured to run nothing more than "powershell.exe -windowstyle hidden". Get-Variable is a legitimate PowerShell cmdlet that retrieves the value of a variable in the current console, and the WindowsApps directory is added to the user's PATH environment variable by default on Windows 10 and later. When the task fires and PowerShell starts, the name Get-Variable is resolved against that PATH, so the attacker's Get-Variable.exe is found and executed instead of the legitimate cmdlet, even though the task itself references no malicious file at all.
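The following PowerShell hunt is an added example, not Colibri's code and not from the original write-up. It checks a host for the three observable pieces of the persistence described above: a Get-Variable.exe dropped into a user's WindowsApps folder, whether PATH in the current session already resolves the name to an application, and scheduled tasks whose action is a hidden PowerShell launch. It assumes user profiles live under C:\Users and matches the literal "-windowstyle hidden" argument reported for Colibri; run it elevated so every profile and every user's tasks are visible.

```powershell
# Added example: hunt for the Get-Variable.exe / scheduled-task persistence.
# Assumptions: profiles under C:\Users, task action contains "-windowstyle hidden".

function Find-GetVariableHijack {
    # 1. An executable named Get-Variable.exe in a per-user WindowsApps folder.
    #    Get-Variable is a built-in cmdlet, so a file by that name in a PATH
    #    directory has no legitimate reason to exist.
    $files = foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $candidate = Join-Path $userDir.FullName 'AppData\Local\Microsoft\WindowsApps\Get-Variable.exe'
        if (Test-Path -LiteralPath $candidate) {
            $item = Get-Item -LiteralPath $candidate
            [pscustomobject]@{
                Path    = $item.FullName
                Size    = $item.Length
                Created = $item.CreationTime
                SHA256  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            }
        }
    }

    # 2. Whether this session's PATH already resolves the name to an application.
    #    -CommandType Application consults PATH only, so a hit here means the
    #    binary is reachable from the current user's environment.
    $onPath = Get-Command -Name 'Get-Variable' -CommandType Application -ErrorAction SilentlyContinue

    # 3. Scheduled tasks that launch PowerShell hidden. The Colibri task passes no
    #    script or command of its own, so the action text is short and generic.
    $tasks = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # -match is case-insensitive by default; non-exec actions have no
            # Execute property and simply fail the test.
            if ($action.Execute -match 'powershell' -and
                $action.Arguments -match '-windowstyle\s+hidden') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    Principal = $task.Principal.UserId
                    Command   = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }

    [pscustomobject]@{
        DroppedFiles    = @($files)
        ResolvedOnPath  = @($onPath | Select-Object -ExpandProperty Source)
        SuspiciousTasks = @($tasks)
    }
}

$result = Find-GetVariableHijack
$result.DroppedFiles    | Format-Table -AutoSize
$result.ResolvedOnPath
$result.SuspiciousTasks | Format-Table -AutoSize
```

A hidden PowerShell task on its own is weak evidence, since administrators create them too, and an empty ResolvedOnPath only says the current user's PATH is clean, not every user's. The pairing to act on is a hidden-PowerShell task with a Get-Variable.exe present in any profile's WindowsApps folder; removal is then the task (Unregister-ScheduledTask) and the file, after the binary has been preserved for analysis.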
Colibri has been advertised for sale on Russian-language underground hacking forums since August of 2021, which coincides with the first Colibri-related files being uploaded to VirusTotal. Given that timing, it is likely that the actors behind Colibri were the first to use this particular persistence mechanism.