
    Experts Reveal New Stealthy SquidLoader Malware Targeting Chinese Entities

    Cybersecurity researchers have uncovered a new evasive malware loader, dubbed SquidLoader, that is distributed through phishing campaigns targeting Chinese institutions.

    AT&T LevelBlue Labs, which first identified the malware in late April 2024, said that it incorporates features designed to thwart both static and dynamic analysis and thereby evade detection.

    The attack chain uses phishing emails with attachments that impersonate Microsoft Word documents but are, in reality, executables that deploy the malware. The malware then retrieves second-stage shellcode payloads, including Cobalt Strike, from a remote server.
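
A defender-side triage check for the delivery method described above, as an added example that is not from the LevelBlue report or the original article: it compares what an attachment's name claims with what its magic bytes say. The extension lists, function names and sample files are assumptions constructed for illustration, and a lure that relies only on a Word icon is out of scope.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML) container
DOC_EXTS = (".doc", ".docx", ".docm", ".rtf")     # assumed list of document cues
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")      # assumed list of executable cues


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def claims_document(filename: str) -> bool:
    """True if any extension-like token in the name is a document extension."""
    parts = filename.lower().rstrip(". ").split(".")
    return any("." + p in DOC_EXTS for p in parts[1:])


def triage(filename: str, data: bytes) -> list:
    """Return the reasons an attachment looks like a disguised executable."""
    reasons = []
    name = filename.lower().rstrip(". ")
    if claims_document(filename) and sniff(data) == "pe":
        reasons.append("document name, PE content")
    if claims_document(filename) and name.endswith(EXEC_EXTS):
        reasons.append("double extension")
    return reasons


def fake_pe() -> bytes:
    """Constructed sample: the smallest header that sniff() accepts as PE."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in [("invoice.docx.exe", fake_pe()), ("invoice.doc", fake_pe()),
                       ("invoice.docx", ZIP_MAGIC + b"\0" * 8), ("setup.exe", fake_pe())]:
        print(name, triage(name, blob))
```
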

    “These loaders are replete with sophisticated evasion and deception strategies which enable them to remain undetected while also complicating analysis,” stated security researcher Fernando Dominguez. “The delivered shellcode is loaded within the same loader process, ostensibly to avert writing the payload to disk and thereby mitigate detection risk.”

    SquidLoader employs several obfuscation and evasion tactics, such as encrypted code segments, redundant code, Control Flow Graph (CFG) obfuscation, debugger detection, and direct syscalls instead of calls to Windows NT APIs.

    Loader malware has burgeoned into a sought-after asset within the criminal underworld, aiding threat actors in deploying and launching additional payloads on compromised systems while circumventing antivirus safeguards and other security protocols.

    Last year, Aon’s Stroz Friedberg incident response team unveiled a loader named Taurus Loader, which was found distributing the Taurus information stealer as well as AgentVX, a trojan capable of deploying further malware, establishing persistence via Windows Registry alterations, and exfiltrating data.

    This development aligns with a recent exhaustive analysis of a malware loader and backdoor known as PikaBot, highlighting its continued active development since its inception in February 2023.

    “The malware utilizes advanced anti-analysis methods to evade detection and resist scrutiny, including system inspections, indirect syscalls, encryption of subsequent stages and strings, and dynamic API resolution,” Sekoia revealed. “Recent updates have augmented the malware’s capabilities, rendering it even more elusive and challenging to counter.”

    Moreover, findings from BitSight indicate that the infrastructure linked to another loader malware named Latrodectus has ceased operations following a law enforcement initiative called Operation Endgame, which resulted in the dismantling of over 100 botnet servers associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

    The cybersecurity firm observed nearly 5,000 distinct victims spanning 10 different campaigns, with a substantial number of victims located in the U.S., the U.K., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.
