Chinese organizations are being targeted by a new evasive malware loader called SquidLoader.
This is according to cybersecurity researchers at AT&T LevelBlue Labs, who said the threat actors have been active since at least April 2024. In recent months, the hackers have sent phishing emails to Chinese organizations carrying fake Microsoft software. Word documents as attachments.
These documents were in fact binaries running SquidLoader, which in turn deployed second-stage shellcode payloads from remote servers. The payloads also include Cobalt Strike beacons.
Avoidance techniques
Cobalt Strike is a commercial penetration testing tool designed to emulate advanced persistent threat actors (APT). Cybersecurity professionals typically use it to assess the security posture of networks, by simulating real-world cyber attacks. It can mimic the tactics, techniques and procedures (TTP) of advanced threat actors, conduct red teaming and include a range of post-exploitation tools.
The tool itself is not malicious, but was hijacked by hackers long ago. Threat actor groups loved its powerful features and effectiveness for running malware campaigns.
Although the second stage charges are nothing special, the initial charger’s evasion mechanisms caught the researchers’ attention:
“These chargers are equipped with heavy evasion and decoy mechanisms that ensure they remain undetected while hampering analysis,” said security researcher Fernando Dominguez. “The shellcode that is delivered is also loaded in the same loading process, likely preventing the payload from being written to disk and risking being detected.”
For example, SquidLoader uses scrambled code segments, worthless and unused code, Control Flow Graph (CFG) obfuscation, debugger detection, and executing direct syscalls, instead of calling Windows NT APIs.
Malware loaders have become quite popular in recent years, as they allow threat actors to plant all kinds of malware on compromised devices while remaining hidden from antivirus programs and other endpoint protection services.
Through The HackerNews
