
New evasive SquidLoader malware targeting employees


Cybersecurity researchers have recently identified a new threat in the form of a malware loader dubbed SquidLoader, which has been targeting various organizations in China. This malicious loader is distributed via phishing emails, where unsuspecting users receive an executable file disguised as a Word document.

Once SquidLoader is executed, it employs various evasion techniques to avoid detection and analysis, then downloads a malicious payload through an HTTPS request. Notably, the loader is signed with either an expired legitimate certificate or a self-signed certificate issued by the Command and Control (C&C) server, which makes its origins harder to track.

One of the unique aspects of SquidLoader is its use of decoy files to mislead security researchers. It executes a decoy file disguised as a Word document, containing obfuscated code that references popular software products like WeChat or mingw-gcc. This deceptive tactic aims to divert attention from the actual malicious payload, which is delivered in the body of the HTTPS response and XOR-decrypted for execution.

Although the loader itself has no persistence capability, it can download a Cobalt Strike second-stage payload, which can achieve persistence on the victim's machine. This multi-stage attack strategy is designed to evade traditional security measures and maintain a foothold on the compromised system.

In order to further evade detection and hinder analysis, SquidLoader utilizes a variety of obfuscation techniques. The malware employs single-byte XOR decryption for encrypted code sections as well as multibyte XOR decryption for in-stack encrypted strings. Additionally, it includes meaningless instructions like “pause” or “mfence” to confuse emulators and uses jumps that land in the middle of instructions to thwart disassemblers.
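The single-byte and multibyte XOR schemes described above are straightforward to undo once an analyst has the encrypted bytes and a few bytes of known plaintext (a PE image starts with "MZ", an in-stack string is typically a DLL or API name). The following Python helper is an added example written for this page, not code from the SquidLoader report or the malware itself; the sample blobs, the keys 0x5A, 13 37 ab cd and 0x7F, and the hostname update.example.invalid are constructed placeholders, not values from real samples.

```python
"""Analyst helper for recovering XOR-encrypted sections and strings.

All sample data below is constructed for illustration; none of the keys or
byte sequences come from real SquidLoader samples.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; covers single- and multibyte keys."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_single_byte_key(blob: bytes, known_prefix: bytes) -> int:
    """Derive a single-byte XOR key from a known plaintext prefix (e.g. b'MZ').

    Every byte of the prefix must agree on the same key; if they do not, the
    section is not single-byte XOR encrypted (or the prefix guess is wrong).
    """
    candidates = {c ^ p for c, p in zip(blob, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("prefix does not fit a single-byte XOR key")
    return candidates.pop()


def decrypt_section(blob: bytes, known_prefix: bytes) -> bytes:
    """Recover the key from the prefix and decrypt the whole section."""
    key = recover_single_byte_key(blob, known_prefix)
    return xor_bytes(blob, bytes([key]))


def recover_multibyte_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Derive a repeating key of key_len bytes from at least key_len bytes of
    known plaintext (the in-stack string case: a known API or DLL name)."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))


# Characters expected in URLs, DLL names and API names; used for key ranking.
_LIKELY_TEXT = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789./:-_")


def rank_single_byte_keys(blob: bytes) -> list[tuple[int, bytes]]:
    """Brute-force all 256 single-byte keys when no plaintext prefix is known.

    Candidates are ranked by the fraction of decrypted bytes that look like
    URL/identifier text; the top entry is the most plausible plaintext.
    """
    scored = []
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        score = sum(1 for b in plain if b in _LIKELY_TEXT) / max(len(plain), 1)
        scored.append((score, key, plain))
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(key, plain) for _, key, plain in scored]


# ---- constructed sample data (assumptions, not real sample bytes) ----------
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n"
PAYLOAD_KEY = bytes([0x5A])
ENC_PAYLOAD = xor_bytes(FAKE_PAYLOAD, PAYLOAD_KEY)      # as carried in the HTTPS body

STACK_STRING = b"kernel32.dll\x00"
STACK_STRING_KEY = b"\x13\x37\xab\xcd"                    # assumed 4-byte key
ENC_STACK_STRING = xor_bytes(STACK_STRING, STACK_STRING_KEY)

STAGE_URL = b"https://update.example.invalid/stage2"     # placeholder hostname
ENC_URL = xor_bytes(STAGE_URL, bytes([0x7F]))

if __name__ == "__main__":
    print("section key: 0x%02x" % recover_single_byte_key(ENC_PAYLOAD, b"MZ"))
    print("section:", decrypt_section(ENC_PAYLOAD, b"MZ")[:16])
    print("stack key:", recover_multibyte_key(ENC_STACK_STRING, b"kern", 4).hex())
    print("best guess:", rank_single_byte_keys(ENC_URL)[0])
```

The known-prefix path is what an analyst uses on a dumped HTTPS response body (the "MZ" guess) or on an in-stack string whose first bytes are predictable; the brute-force path ranks candidates for the case where nothing about the plaintext is known beyond it being ASCII text.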

Control flow obfuscation is another key feature of SquidLoader, using infinite loops and complex switch statements to make the execution order unpredictable. The malware also actively detects debuggers and specific processes, making it more challenging for researchers to analyze its behavior and functionality.

A recent analysis report by Level Blue highlights the sophisticated nature of the SquidLoader campaign. The Cobalt Strike loader communicates with the C&C server using a custom protocol and leverages encryption techniques to obfuscate configuration data. The payload exfiltrates system information and receives commands from the C&C server, encrypting the data using a custom bitwise operation-based algorithm.

To further evade detection, SquidLoader employs Win32 API obfuscation with dynamic resolution for position-independent execution. The malware stores API function addresses in an in-memory table, transforming the addresses using bitwise operations before calling the functions. This technique ensures that the malware can successfully interact with the Windows API without exposing the raw addresses to detection mechanisms.

Overall, SquidLoader represents a sophisticated and evasive threat that poses a significant risk to organizations, particularly in China. Its use of deception, obfuscation, and multi-stage attack strategies makes it a formidable adversary for cybersecurity professionals. Organizations must remain vigilant and implement robust security measures to protect against such advanced threats in the future.
