Cybersecurity researchers have identified a new evasive malware loader, SquidLoader, which is spreading through phishing campaigns aimed at Chinese organizations.
AT&T LevelBlue Labs, who first detected SquidLoader in late April 2024, noted that the malware has features designed to evade both static and dynamic analysis, making detection difficult.
The malware is distributed through phishing emails with attachments that appear to be Microsoft Word documents but are actually executable binaries. Once opened, these binaries run the loader, which retrieves second-stage shellcode payloads, including Cobalt Strike, from a remote server.
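One cheap mail-gateway check against the masquerade described above is to classify an attachment by its leading bytes rather than by its name. The following is an added example, not code from the article or from LevelBlue Labs; the file names, byte strings and verdict labels are constructed for illustration.

```python
"""Flag attachments whose claimed Word extension does not match the content's
actual format (a PE executable named like a document). Added example."""

# Leading bytes of formats a Word-looking attachment may legitimately have.
# Constructed for this example; the OOXML check only confirms a ZIP container.
WORD_MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc (Compound File)
    b"PK\x03\x04": "ooxml",                      # .docx/.docm (ZIP container)
    b"{\\rtf": "rtf",                            # RTF often carries a .doc name
}
PE_MAGIC = b"MZ"  # DOS stub that starts every Windows PE executable

DOC_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".dot", ".dotx"}

def sniff_format(data: bytes) -> str:
    """Classify a blob by its magic bytes, ignoring the file name entirely."""
    for magic, label in WORD_MAGIC.items():
        if data.startswith(magic):
            return label
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def claimed_extension(filename: str) -> str:
    """Final extension, lowercased; 'invoice.docx.exe' therefore yields '.exe'."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""

def assess_attachment(filename: str, data: bytes) -> dict:
    """'block' for an executable posing as a document, 'review' for other
    mismatches or bare executables, 'allow' when content matches the claim."""
    ext = claimed_extension(filename)
    fmt = sniff_format(data)
    looks_like_doc = ext in DOC_EXTENSIONS
    if looks_like_doc and fmt == "pe":
        verdict = "block"
    elif looks_like_doc and fmt == "unknown":
        verdict = "review"
    elif fmt == "pe":
        verdict = "review"  # honest executable attachment still deserves a look
    else:
        verdict = "allow"
    return {"file": filename, "ext": ext, "format": fmt, "verdict": verdict}

# Constructed samples: a PE disguised as .docx, a genuine OOXML file, an RTF.
SAMPLES = [
    ("quotation.docx", b"MZ\x90\x00\x03\x00" + b"\x00" * 10),
    ("report.docx", b"PK\x03\x04\x14\x00" + b"\x00" * 10),
    ("notice.doc", b"{\\rtf1\\ansi"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(assess_attachment(name, blob))
```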
“These loaders feature heavy evasion and decoy mechanisms, which help them remain undetected while also hindering analysis,” explained security researcher Fernando Dominguez. “The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected.”
SquidLoader employs several defensive evasion techniques, such as encrypted code segments, dead (never-executed) code, Control Flow Graph (CFG) obfuscation, debugger detection, and direct syscalls in place of calls to the Windows NT APIs.
Loader malware like SquidLoader is popular in the criminal underground, enabling threat actors to deliver and launch additional payloads to compromised hosts while circumventing antivirus defenses and other security measures.
Last year, Aon’s Stroz Friedberg documented a loader known as Taurus Loader, which has been seen distributing the Taurus information stealer as well as AgentVX, a trojan capable of executing additional malware, establishing persistence via Windows Registry changes, and gathering data.
This development coincides with a detailed analysis of another malware loader and backdoor, PikaBot, showing ongoing active development since its debut in February 2023.
“The malware employs advanced anti-analysis techniques to evade detection and hinder analysis, including system checks, indirect syscalls, encryption of next-stage payloads and strings, and dynamic API resolution,” noted Sekoia. “Recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate.”
These findings also follow a report from BitSight that the infrastructure for another loader malware, Latrodectus, went offline after a law enforcement operation known as Operation Endgame dismantled over 100 botnet servers, including those linked to IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.
BitSight reported nearly 5,000 distinct victims across 10 different campaigns, with most victims located in the U.S., the U.K., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.
Abdul Rehman