Squidoor: Multi-Vector Malware Exploiting Outlook API, DNS & ICMP Tunneling for C2

A newly identified malware, dubbed “Squidoor,” has emerged as a sophisticated threat targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America.

Attributed to a suspected Chinese threat actor under the activity cluster CL-STA-0049, Squidoor employs advanced techniques to infiltrate networks, maintain persistence, and exfiltrate sensitive data.

This modular backdoor is designed for stealth and adaptability, making it a formidable tool for cyber espionage.

Multi-Protocol Command-and-Control (C2) Techniques

Squidoor leverages multiple covert communication methods to interact with its command-and-control (C2) servers.

Key among these are the Outlook API, DNS tunneling, and ICMP tunneling.

The Windows variant of Squidoor supports ten distinct C2 communication methods, while its Linux counterpart offers nine.

These methods include HTTP-based communication, reverse TCP/UDP connections, named pipes for internal communication, and even masquerading as an Outlook mail client using the Microsoft Graph API.

The Outlook-based communication is particularly insidious.

Squidoor uses hard-coded refresh tokens to authenticate with Microsoft’s identity platform and interacts with the Outlook REST API to send and retrieve commands disguised as email drafts.

This approach blends malicious traffic with legitimate network activity, making detection challenging.

Initial Access and Lateral Movement

The attackers gain initial access by exploiting vulnerabilities in Internet Information Services (IIS) servers and deploying web shells such as OutlookDC.aspx and TimeoutAPI.aspx.

According to Palo Alto Networks Report, these web shells serve as persistent entry points for executing commands on compromised systems.

Once inside, the malware spreads laterally across networks using tools like curl and Impacket, often disguising payloads as legitimate files.

Persistence Through LOLBAS Techniques

Squidoor employs a rarely observed Living-Off-the-Land Binary-and-Script (LOLBAS) technique using Microsoft’s Console Debugger (cdb.exe).

Renamed as fontdrvhost.exe, this binary is used to load shellcode directly into memory, bypassing traditional antivirus detection.

Persistence is maintained via scheduled tasks that execute Squidoor’s payloads upon system startup.

The malware’s modular architecture enables a wide range of capabilities, including host reconnaissance, arbitrary command execution, file exfiltration, payload delivery, and lateral communication between infected endpoints.

Squidoor also supports code injection into processes like mspaint.exe or conhost.exe, further evading detection by security tools.

Additional modules allow attackers to execute PowerShell scripts without invoking the PowerShell binary or perform pass-the-hash attacks.

Squidoor represents a significant evolution in malware design, combining stealthy communication channels with modular functionality to target high-value organizations.

Its multi-platform compatibility and ability to blend into legitimate network traffic underscore the growing sophistication of state-sponsored cyber threats.

Security professionals are urged to implement robust detection measures and leverage advanced threat prevention tools to counteract such threats effectively.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free