A new wave of malware targeting financial institutions in Hong Kong has been identified, featuring SquidLoader.
This stealthy loader deploys the Cobalt Strike Beacon and boasts advanced anti-analysis techniques.
In a new advisory published on Monday, security researchers at Trellix said the malware has been observed evading nearly all detection, making it particularly dangerous for its intended victims.
Highly Evasive, Multi-Stage Attack Chain
The SquidLoader campaign begins with targeted spear-phishing emails. These messages, written in Mandarin, impersonate financial institutions and contain a password-protected RAR archive disguised as an invoice.
Once opened, users find a malicious PE binary camouflaged as a Microsoft Word document. This file, while visually deceptive, mimics the legitimate “AMDRSServ.exe” to aid in social engineering.
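The lure described above works because a user judges a file by its name and icon while the operating system judges it by its content. A defender-side triage check for that mismatch, added here as an example and not code from the Trellix advisory, is to read the file header and compare the real format against what the name suggests. The document and executable extension lists, the verdict labels and the sample files below are all constructed for the example; a genuine .docx is a ZIP container and starts with the PK local-file header, whereas any Windows executable starts with MZ and has a PE signature at the offset stored in e_lfanew.

```python
import struct

# Extensions a user would read as "a document" and as "a program".
# Assumed lists for this example, not indicators from the advisory.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_ooxml(data: bytes) -> bool:
    """Modern Word files (.docx) are ZIP containers, so they begin with the PK local-file header."""
    return data[:4] == b"PK\x03\x04"


def name_suggests_document(filename: str) -> bool:
    """A document extension anywhere in the name, e.g. 'invoice.docx' or 'invoice.docx.exe'."""
    parts = filename.lower().split(".")
    return any("." + p in DOCUMENT_EXTENSIONS for p in parts[1:])


def classify(filename: str, data: bytes) -> str:
    """Compare the real format (from the header) with what the file name implies."""
    lower = filename.lower()
    if is_pe(data):
        if name_suggests_document(lower):
            return "pe_masquerading_as_document"
        if not lower.endswith(EXECUTABLE_EXTENSIONS):
            return "pe_with_non_executable_extension"
        return "pe_executable"
    if is_ooxml(data):
        return "ooxml_document"
    return "other"


def build_minimal_pe() -> bytes:
    """Constructed sample: MZ header, e_lfanew = 0x40, PE signature at 0x40. Not a runnable binary."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


# Constructed sample files: name -> content.
SAMPLES = {
    "invoice.docx": build_minimal_pe(),          # executable wearing a document name
    "invoice.docx.exe": build_minimal_pe(),      # double extension, .exe hidden if extensions are not shown
    "report.docx": b"PK\x03\x04" + b"\0" * 26,   # constructed OOXML-like header
    "update.exe": build_minimal_pe(),            # honest executable
}


def scan(samples: dict) -> dict:
    """Return a verdict per sample; anything 'masquerading' is a triage hit."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

The header check is what matters: a file named like an invoice whose first bytes are MZ is an executable regardless of icon, extension or how convincing the name "AMDRSServ.exe" looks next to a real AMD component.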
Once executed, SquidLoader embeds itself in the system and begins a multi-stage infection process in which it:
- Self-unpacks to decrypt its internal payload
- Dynamically resolves essential Windows APIs through obfuscated code
- Initializes a custom stack-based structure for storing operational data
- Executes a variety of evasion routines designed to bypass sandbox, debugger and antivirus tools
- Contacts a remote command-and-control (C2) server and downloads the Cobalt Strike Beacon
Extensive Anti-Analysis and Evasion Features
One of SquidLoader’s defining traits is its extensive anti-analysis strategy. It uses environmental checks, string obfuscation, control flow confusion and undocumented Windows syscalls to stay hidden. The malware terminates itself if any known analysis tools or antivirus processes are detected, including “windbg.exe,” “ida64.exe” and “MsMpEng.exe.”
To bypass emulators and automated sandboxes, SquidLoader launches threads with long sleep durations and employs asynchronous procedure calls to monitor for abnormal behavior. If any check fails or the system shows signs of debugging, the malware exits.
Another tactic includes displaying a fake error message in Mandarin, “The file is corrupted and cannot be opened,” which requires user interaction, further impeding automated analysis.
After these checks, SquidLoader contacts a C2 server using a URL that mimics Kubernetes service paths, likely to blend in with normal enterprise traffic. It then gathers and transmits host data, including username, IP address, OS version and administrative status.
Finally, it downloads a Cobalt Strike Beacon from a secondary IP address, granting persistent remote access to attackers.
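Mimicking Kubernetes API paths only blends in if nobody asks whether the destination is actually one of the organization's clusters. The following is an added detection example for proxy or egress logs, not code from the advisory: it flags requests whose path looks like the Kubernetes REST API but whose destination host is not in an allowlist of known cluster endpoints. The advisory does not publish the exact URLs, so the path shapes (/api/v1/..., /apis/<group>/<version>/...), the log format, the cluster allowlist and the log lines themselves are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (not from the advisory).
# Format assumed for the example: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2025-06-16T09:12:01Z 10.20.30.41 GET https://k8s-prod.corp.example/api/v1/namespaces/default/pods 200
2025-06-16T09:12:07Z 10.20.30.41 POST https://203.0.113.77/api/v1/namespaces/kube-system/services/proxy 200
2025-06-16T09:12:09Z 10.20.30.52 GET https://www.example.com/index.html 200
2025-06-16T09:13:15Z 10.20.30.41 GET https://198.51.100.9/apis/apps/v1/deployments 404
"""

# Path prefixes that resemble the Kubernetes REST API (core API and named API groups).
# Assumed shapes for the example; the advisory gives no concrete C2 paths.
K8S_PATH_RE = re.compile(r"^/(api/v\d+|apis/[\w.-]+/v\d+\w*)(/|$)")

# Destinations that legitimately serve the Kubernetes API in this constructed environment.
KNOWN_CLUSTER_HOSTS = {"k8s-prod.corp.example"}
KNOWN_CLUSTER_NETS = [ip_network("10.0.0.0/8")]


def is_known_cluster(host: str) -> bool:
    """True if the host is an allowlisted cluster name or an address inside a cluster network."""
    if host in KNOWN_CLUSTER_HOSTS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name that is not on the allowlist
    return any(addr in net for net in KNOWN_CLUSTER_NETS)


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields plus the URL's host and path."""
    timestamp, src_ip, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "timestamp": timestamp,
        "src_ip": src_ip,
        "method": method,
        "host": parts.hostname or "",
        "path": parts.path,
        "status": int(status),
    }


def flag_suspicious(log_text: str) -> list:
    """Return the records whose path looks like the Kubernetes API but whose host is no known cluster."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if K8S_PATH_RE.match(rec["path"]) and not is_known_cluster(rec["host"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in flag_suspicious(SAMPLE_LOG):
        print(f"{rec['src_ip']} -> {rec['host']}{rec['path']} ({rec['method']} {rec['status']})")
```

The allowlist is the whole point of the rule: a Kubernetes-shaped path is normal on a corporate network, but the same path sent to a bare public IP that no cluster inventory knows about is what the mimicry is meant to hide, and the source host that produced the hit is where endpoint triage should begin.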
The campaign is geographically focused, with strong indicators of targeting institutions in Hong Kong. However, similar samples suggest related attacks may be underway in Singapore and Australia.
To defend against threats such as SquidLoader, organizations should consider strengthening email filtering, endpoint monitoring and behavioral analysis capabilities.