Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations
Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features designed to thwart static and dynamic analysis and ultimately evade detection.

Attack chains leverage phishing emails carrying attachments that masquerade as Microsoft Word documents but are in reality binaries that pave the way for execution of the malware, which is then used to fetch second-stage shellcode payloads, including Cobalt Strike, from a remote server.

"These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis," security researcher Fernando Dominguez said. "The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected."

Some of the defensive evasion techniques adopted by SquidLoader include encrypted code segments, pointless code that is never used, Control Flow Graph (CFG) obfuscation, debugger detection, and performing direct syscalls instead of calling Windows NT APIs.

Loader malware has become a popular commodity in the criminal underground for threat actors looking to deliver and launch additional payloads on compromised hosts while bypassing antivirus defenses and other security measures. Last year, Aon's Stroz Friedberg incident response team detailed a loader known as Taurus Loader that has been observed distributing the Taurus information stealer as well as AgentVX, a trojan capable of executing more malware, setting up persistence through Windows Registry changes, and gathering data.

The development comes as a new in-depth analysis of a malware loader and backdoor referred to as PikaBot has highlighted that it continues to be actively developed since its emergence in February 2023.
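The initial lure described above relies on an attachment whose name promises a Word document while its bytes are a Windows executable. The following Python script is an added example (not code from the article or from LevelBlue Labs) of the mail-gateway check a defender would run: it compares the extension an attachment claims with the container its leading bytes actually identify, and flags a PE disguised as a Word file. File names, sample bytes and verdict strings are constructed for the example; the magic-byte constants are the standard ones for PE, OLE Compound File, ZIP and RTF.

```python
"""Flag attachments whose content contradicts the Word extension they advertise.

Added example: constructed sample data only, not code from the article.
"""
import io
import zipfile

# Leading bytes of the container formats this check distinguishes.
PE_MAGIC = b"MZ"                                    # Windows executable (DOS stub)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc (OLE Compound File)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx is a ZIP container
RTF_MAGIC = b"{\\rtf"

WORD_EXTENSIONS = {".doc", ".dot", ".docx", ".docm", ".dotx", ".rtf"}
WORD_CONTAINERS = {"ole", "docx", "rtf"}


def sniff_container(data: bytes) -> str:
    """Return a coarse content type derived from the file's leading bytes."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        # A genuine .docx is a ZIP that carries word/document.xml.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "docx" if "word/document.xml" in names else "zip"
    return "unknown"


def claimed_extension(filename: str) -> str:
    """Lower-cased final extension of the attachment name, e.g. 'Report.DOCX' -> '.docx'."""
    name = filename.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims against what the bytes are and return a verdict."""
    ext = claimed_extension(filename)
    actual = sniff_container(data)
    claims_word = ext in WORD_EXTENSIONS
    if claims_word and actual == "pe":
        verdict = "BLOCK: PE executable disguised as Word document"
    elif claims_word and actual not in WORD_CONTAINERS:
        verdict = "REVIEW: Word extension but content is not a Word container"
    elif actual == "pe":
        verdict = "REVIEW: executable attachment"
    else:
        verdict = "OK"
    return {"file": filename, "claimed": ext, "actual": actual, "verdict": verdict}


def build_samples() -> dict:
    """Constructed inputs: a minimal in-memory .docx, a fake PE stub, an OLE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    real_docx = buf.getvalue()
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 62   # DOS-header-sized stub, not a real binary
    legacy_doc = OLE_MAGIC + b"\x00" * 504
    return {
        "quarterly_report.docx": real_docx,   # extension and content agree
        "invoice.docx": fake_pe,              # the lure pattern from the article
        "memo.doc": legacy_doc,               # legacy Word container, consistent
        "update.exe": fake_pe,                # honest executable, still worth review
    }


def scan(samples: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: check_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(build_samples()).items():
        print(f"{name:24} {verdict}")
```

The check deliberately inspects the container rather than trusting the extension or the MIME type supplied by the sender, since both are attacker-controlled; a .docx is additionally required to contain `word/document.xml`, so a renamed ZIP or unrelated Office package is sent for review rather than passed through.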
News source
https://thehackernews.com/2024/06/experts-uncover-new-evasive-squidloader.html