Highly Evasive SquidLoader Malware Targets China

A threat actor targeting Chinese-speaking victims has been using the SquidLoader malware loader in recent attacks.

A recently discovered malware loader dubbed SquidLoader is linked to an unknown threat actor that has been targeting Chinese-speaking victims for two years, LevelBlue Labs (formerly AT&T Alien Labs) reports.

SquidLoader was first observed at the end of April, but LevelBlue Labs believes that it had been active for at least a month before. The threat actor using it, however, has been focusing on entities in China for much longer.

The recently observed attacks start with phishing emails delivering malware loaders masquerading as documents intended for Chinese organizations. When executed, the loaders fetched and executed shellcode payloads in the loader process’ memory.

“Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware ‘SquidLoader’,” LevelBlue explains.

Identified SquidLoader samples had been signed with a legitimate, albeit expired, certificate and would connect to command-and-control (C&C) servers that use a self-signed certificate.

Upon execution, the malware loader first duplicates itself to a predefined location using an innocuous name, likely as a decoy technique. In fact, the malware uses various other decoys, as well as multiple evasion techniques to ensure it can remain under the radar.

Some of the observed techniques include pointless or obscure instructions, encrypted code sections, in-stack encrypted strings, jumps to the middle of instructions, return address obfuscation, Control Flow Graph (CFG) obfuscation, debugger detection, and direct syscalls.
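Of the evasion techniques listed above, direct syscalls are the one defenders can most readily hunt for in a static scan: a user-mode binary that is not ntdll.dll has no ordinary reason to carry its own copy of the `mov r10, rcx; mov eax, <number>; syscall` stub. The scanner below is an added illustration of that heuristic, not code from the LevelBlue Labs report, and runs over a constructed byte blob rather than a SquidLoader sample; the syscall numbers in the sample are made up, since real numbers vary by Windows build.

```python
import re
import struct

# x64 ntdll-style syscall stub: mov r10, rcx (4c 8b d1); mov eax, imm32 (b8 xx xx xx xx);
# syscall (0f 05). The imm32 is captured so the service number can be reported.
SYSCALL_STUB = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})\x0f\x05", re.DOTALL)


def find_direct_syscalls(code: bytes) -> list[tuple[int, int]]:
    """Return (offset, syscall_number) for every inlined syscall stub in a code blob.

    Intended for the .text section of a module other than ntdll.dll; ntdll
    itself legitimately contains these stubs, so scanning it produces only noise.
    """
    hits = []
    for match in SYSCALL_STUB.finditer(code):
        number = struct.unpack("<I", match.group(1))[0]
        hits.append((match.start(), number))
    return hits


def build_sample() -> bytes:
    """Constructed test blob: two inlined stubs separated by NOP filler."""
    filler = b"\x90" * 16
    stub_a = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"  # constructed: number 0x18
    stub_b = b"\x4c\x8b\xd1\xb8\x3f\x00\x00\x00\x0f\x05\xc3"  # constructed: number 0x3f
    return filler + stub_a + filler + stub_b + filler


if __name__ == "__main__":
    for offset, number in find_direct_syscalls(build_sample()):
        print(f"inlined syscall stub at offset {offset:#x}, service number {number:#x}")
```

On a real binary, feed the raw bytes of the executable's code section and treat any hit as a lead to triage, not a verdict, because legitimate software occasionally inlines stubs too.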

During its investigation, LevelBlue Labs observed the malware loader delivering a single payload, namely a Cobalt Strike beacon featuring a configuration previously observed in multiple campaigns targeting Chinese-speaking users.


The observed tools, techniques, and procedures (TTPs) align with those of an advanced persistent threat (APT) actor, but LevelBlue Labs says it does not have enough data to classify this threat actor as an APT.

“Given the success SquidLoader has shown in evading detection, it is likely that threat actors targeting demographics beyond China will start to mimic the techniques used by the threat actor responsible for SquidLoader, helping them to elude detection and analysis on their unique malware samples,” LevelBlue Labs says.

Related: Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for Persistence

Related: Multiple Chinese APTs Targeted Southeast Asian Government for Two Years

Related: Long-Standing Chinese Cybercrime Campaign Spoofs Over 400 Brands

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
