Saturday, July 20, 2024

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as an executable disguised as a Word document attached to phishing emails

It uses evasion techniques to avoid detection and analysis. Then it downloads a malicious payload through an HTTPS request, as the loader is signed with an expired legitimate certificate or a self-signed certificate issued by the C&C server. 

WeChat code never executed.

SquidLoader is a malicious loader that executes a decoy file pretending to be a Word document, containing obfuscated code referencing popular software products like WeChat or mingw-gcc, to mislead security researchers.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Despite the decoy code, the real malicious code is delivered through the HTTPS body in the response and XOR-decrypted for execution.

The loader doesn’t have persistence itself, but the second-stage payload (Cobalt Strike) can achieve persistence on the victim machine.  

Alert generated by malicious code.

Techniques For The Defense Evasion:

SquidLoader utilizes various obfuscation techniques to hinder analysis and employs pointless instructions like “pause” or “mfence” to bypass emulators potentially.

Encrypted code sections are decrypted with a single-byte XOR and include decoy instructions. 

In-stack encrypted strings are decrypted with a multibyte XOR key when needed, where jumps are crafted to land in the middle of instructions, confusing disassemblers.

Overall, these techniques aim to hide malicious code within legitimate functions and make analysis more difficult.

Fixed function parsing by IDA

It employs multiple obfuscation techniques to hinder analysis and manipulates the stack to overwrite the return address with the shellcode address. 

Control flow is obfuscated using infinite loops and a complex switch statement that makes execution order unpredictable, while debuggers are detected by checking for specific processes, debugger objects, and kernel debuggers. 

The malware also checks for the presence of certain files and performs its own syscalls through wrappers to bypass potential hooks, making it difficult to understand the malware’s functionality and purpose. 

Code modifications after a debugger is detected

The analysis report by Level Blue details a Cobalt Strike loader that utilizes a custom communication protocol with the C&C server, where the loader fetches a single payload that leverages a configuration obfuscation technique similar to the loader itself. 

The payload communicates with the C&C server using HTTPS requests with custom headers to perform actions like initial connection, system information exfiltration, and receiving tasks, where the exfiltrated data is encrypted with a custom bitwise operation-based algorithm.  

C&C request sample.

To evade detection, the malware employs Win32 API obfuscation with dynamic resolution for position-independent execution and builds an in-memory table storing API function addresses. 

Instead of raw addresses, it stores a transformed value using a bitwise operation: the bitwise NOT of the lower DWORD ANDed with 0xCAFECAFE, OR’ed with the address itself ANDed with 0xFFFFFFFF35013501.

Before calling the functions, the malware undoes this transformation to retrieve the correct addresses for a successful API call.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles