Chinese organizations are being targeted with a new evasive malware loader called SquidLoader.
Cybersecurity researchers from AT&T LevelBlue Labs found threat actors have been active since at least April 2024, and have been sending out phishing emails to Chinese organizations, which were carrying fake Microsoft Word documents as attachments.
These documents were, in fact, binaries that run SquidLoader which, in turn, deploys second-stage shellcode payloads from remote servers. Among the payloads are Cobalt Strike beacons, too.
Evasion techniques
Cobalt Strike is a commercial penetration testing tool designed to emulate advanced persistent threat (APT) actors. Cybersecurity professionals usually use it to assess the security posture of networks, by simulating real-world cyberattacks. It can mimic the tactics, techniques, and procedures (TTP) of sophisticated threat actors, run red teaming, and includes a range of post-exploitation tools.
The tool itself is not malicious but it has, long ago, been hijacked by hackers. Threat actor groups found its powerful features and effectiveness great for running malware campaigns.
While the second-stage payloads are nothing out of the ordinary, the evasion mechanisms of the initial loader caught the researchers’ attention:
“These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis,” said security researcher Fernando Dominguez. “The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected.”
For example, SquidLoader uses encrypted code segments, worthless and unused code, Control Flow Graph (CFG) obfuscation, debugger detection, and running direct syscalls, instead of calling Windows NT APIs.
Malware loaders have gotten quite popular in these last couple of years, as they allow threat actors to deploy all kinds of malware to compromised devices, while remaining hidden from antivirus programs and other endpoint protection services.
Via TheHackerNews
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/8wom7TXsEex7ExUd8LhF2n-1200-80.jpg
Source link