A recent cybersecurity threat has emerged in the form of a sophisticated backdoor malware named Squidoor, attributed to a suspected Chinese threat actor.
This malware has been targeting various sectors globally, including governments, defense, telecommunications, education, and aviation, particularly in Southeast Asia and South America.
The threat actor, identified as part of the activity cluster CL-STA-0049, has been active since at least March 2023.
Initial Access and Lateral Movement
To gain access to networks, the attackers primarily exploit vulnerabilities in Internet Information Services (IIS) servers and deploy multiple web shells.

These web shells, such as OutlookDC.aspx and Error.aspx, serve as persistent backdoors, allowing the threat actor to maintain access and execute commands on compromised systems.
The attackers use tools like curl and Impacket to spread these web shells across different servers, often disguising them as certificates to evade detection.
Squidoor Malware Capabilities
Squidoor is multi-platform malware available for both Windows and Linux systems, designed for stealth and flexibility.

It supports multiple communication protocols with its command and control (C2) server, including HTTP, reverse TCP and UDP, ICMP tunneling, DNS tunneling, and even the Microsoft Outlook API.
According to the Palo Alto Networks report, this variety allows the attackers to adapt to different network environments and remain undetected.
Squidoor can execute arbitrary commands, inject payloads into processes, and exfiltrate sensitive information.
It achieves persistence by using scheduled tasks, such as the “Microsoft\Windows\AppID\EPolicyManager” task.
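As an added example (not code from the article or from the Palo Alto Networks report), the following Python hunt checks constructed IIS W3C log lines for requests to the two web shell names reported above, OutlookDC.aspx and Error.aspx, and constructed `schtasks /query /fo csv` output for the EPolicyManager scheduled task. The log lines, IP addresses and task list are all constructed samples.

```python
import csv
import io

# Web shell file names reported in the article (matched case-insensitively).
WEBSHELL_NAMES = ("outlookdc.aspx", "error.aspx")
# Scheduled task path reported in the article.
SQUIDOOR_TASK = r"\Microsoft\Windows\AppID\EPolicyManager"

# Constructed sample IIS W3C log lines (not real telemetry).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2025-01-10 09:12:44 10.0.0.5 POST /aspnet_client/OutlookDC.aspx - 443 203.0.113.9 curl/8.4.0 200
2025-01-10 09:13:02 10.0.0.5 GET /App/Error.aspx - 443 203.0.113.9 python-requests/2.31 200
2025-01-10 09:14:10 10.0.0.5 GET /index.aspx - 443 198.51.100.7 Mozilla/5.0 200
"""


def find_webshell_hits(log_text):
    """Return (client_ip, method, uri_stem) for each request whose path ends in a
    reported web shell name. Error.aspx is also a common legitimate file name, so
    hits on it need a look at the hosting directory and client before escalation."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blanks and W3C header/directive lines
        fields = line.split()
        if len(fields) < 8:
            continue
        method, uri_stem, client_ip = fields[3], fields[4], fields[7]
        if uri_stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append((client_ip, method, uri_stem))
    return hits


# Constructed sample output of `schtasks /query /fo csv` (not real output).
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Next Run Time","Status"
"\\Microsoft\\Windows\\AppID\\PolicyConverter","N/A","Ready"
"\\Microsoft\\Windows\\AppID\\EPolicyManager","1/11/2025 3:00:00 AM","Ready"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
"""


def find_squidoor_task(schtasks_csv):
    """Return task names equal to the reported persistence task path."""
    rows = csv.DictReader(io.StringIO(schtasks_csv))
    return [r["TaskName"] for r in rows if r["TaskName"].lower() == SQUIDOOR_TASK.lower()]
```

Feed it real exported IIS logs and schtasks output to triage; a hit on OutlookDC.aspx from a scripting user agent is the strongest of the two log signals.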
The malware uses a unique method to communicate via the Outlook API.
It logs in using a hard-coded refresh token and queries the drafts folder for specific emails containing commands.
These commands are encoded and decoded using a combination of Base64, AES, and a custom XOR algorithm, allowing the attackers to send and receive data disguised as legitimate Outlook traffic.
To counter these threats, cybersecurity professionals are advised to use advanced security tools such as Cortex XDR and Cloud-Delivered Security Services.
These solutions can help detect and mitigate the sophisticated tactics employed by Squidoor.
Organizations should remain vigilant and monitor for suspicious activity, especially in high-risk sectors.
The use of Squidoor highlights the evolving nature of cyber threats and the need for robust defense strategies to protect against such advanced malware.