New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as an executable disguised as a Word document attached to phishing emails. 

It uses evasion techniques to avoid detection and analysis. Then it downloads a malicious payload through an HTTPS request, as the loader is signed with an expired legitimate certificate or a self-signed certificate issued by the C&C server. 

SquidLoader is a malicious loader that executes a decoy file pretending to be a Word document, containing obfuscated code referencing popular software products like WeChat or mingw-gcc, to mislead security researchers.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Despite the decoy code, the real malicious code is delivered through the HTTPS body in the response and XOR-decrypted for execution.

The loader doesn’t have persistence itself, but the second-stage payload (Cobalt Strike) can achieve persistence on the victim machine.  

Techniques For The Defense Evasion:

SquidLoader utilizes various obfuscation techniques to hinder analysis and employs pointless instructions like “pause” or “mfence” to bypass emulators potentially.

Encrypted code sections are decrypted with a single-byte XOR and include decoy instructions. 

In-stack encrypted strings are decrypted with a multibyte XOR key when needed, where jumps are crafted to land in the middle of instructions, confusing disassemblers.

Overall, these techniques aim to hide malicious code within legitimate functions and make analysis more difficult.

It employs multiple obfuscation techniques to hinder analysis and manipulates the stack to overwrite the return address with the shellcode address. 

Control flow is obfuscated using infinite loops and a complex switch statement that makes execution order unpredictable, while debuggers are detected by checking for specific processes, debugger objects, and kernel debuggers. 

The malware also checks for the presence of certain files and performs its own syscalls through wrappers to bypass potential hooks, making it difficult to understand the malware’s functionality and purpose. 

The analysis report by Level Blue details a Cobalt Strike loader that utilizes a custom communication protocol with the C&C server, where the loader fetches a single payload that leverages a configuration obfuscation technique similar to the loader itself. 

The payload communicates with the C&C server using HTTPS requests with custom headers to perform actions like initial connection, system information exfiltration, and receiving tasks, where the exfiltrated data is encrypted with a custom bitwise operation-based algorithm.  

To evade detection, the malware employs Win32 API obfuscation with dynamic resolution for position-independent execution and builds an in-memory table storing API function addresses. 

Instead of raw addresses, it stores a transformed value using a bitwise operation: the bitwise NOT of the lower DWORD ANDed with 0xCAFECAFE, OR’ed with the address itself ANDed with 0xFFFFFFFF35013501.

Before calling the functions, the malware undoes this transformation to retrieve the correct addresses for a successful API call.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free