

Highly Evasive SquidLoader Malware Targets China

A threat actor targeting Chinese-speaking victims has been using the SquidLoader malware loader in recent attacks. (This article first appeared on SecurityWeek.)

A recently discovered malware loader dubbed SquidLoader is linked to an unknown threat actor that has been targeting Chinese-speaking victims for two years, LevelBlue Labs (formerly AT&T Alien Labs) reports.

SquidLoader was first observed at the end of April, but LevelBlue Labs believes that it had been active for at least a month before. The threat actor using it, however, has been focusing on entities in China for much longer.

The recently observed attacks start with phishing emails delivering malware loaders that masquerade as documents intended for Chinese organizations. When executed, the loader fetches a shellcode payload and runs it in its own process memory, so no second-stage file is written to disk.

“Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware ‘SquidLoader’,” LevelBlue explains.

Identified SquidLoader samples had been signed with a legitimate, albeit expired, code-signing certificate, and they connect to command-and-control (C&C) servers that present a self-signed certificate. Note that Windows still treats an Authenticode signature as valid after the signing certificate expires if the signature carries a trusted timestamp countersignature, so an expired certificate by itself is not a reliable detection signal; the self-signed C&C certificate is the more useful network indicator.

Upon execution, the malware loader first duplicates itself to a predefined location using an innocuous name, likely as a decoy technique. In fact, the malware uses various other decoys, as well as multiple evasion techniques to ensure it can remain under the radar.

Some of the observed techniques include pointless or obscure instructions, encrypted code sections, in-stack encrypted strings, jumps to the middle of instructions, return address obfuscation, Control Flow Graph (CFG) obfuscation, debugger detection, and direct syscalls.
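The "in-stack encrypted strings" technique in the list above is one of the cheapest and most effective of these evasions, so here is an added example showing why it works. This is illustration code written for this page, not SquidLoader's code or part of LevelBlue's analysis; the API name "LoadLibraryA", the single-byte XOR key 0x5A and the toy scanner are all assumptions chosen to make the mechanism visible. The loader never stores the plaintext string anywhere in the binary: the encoded bytes are materialised as immediates on the stack, decoded into a stack buffer right before use, and wiped afterwards, so a static string scan finds nothing while the string is still perfectly usable at runtime.

```c
/* Added example (not SquidLoader's code): in-stack encrypted strings.
 * Build with: cc -O2 -o stackstr stackstr.c && ./stackstr              */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x5A   /* assumption: single-byte key; real loaders use rolling keys */

/* Emulates what `strings` or a plaintext YARA rule does: search a byte blob
 * for the needle. This is the defender's view of the bytes.               */
int scanner_finds(const uint8_t *blob, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(blob + i, needle, n) == 0) return 1;
    return 0;
}

/* Materialises the encoded form of "LoadLibraryA" (assumed target string)
 * in a stack array. Each initializer is folded at compile time, so only the
 * XORed values reach the binary, never the plaintext as a contiguous string.
 * Returns the number of encoded bytes copied into `out`.                   */
size_t encoded_name(uint8_t *out, size_t outlen) {
    uint8_t enc[] = { 'L' ^ XOR_KEY, 'o' ^ XOR_KEY, 'a' ^ XOR_KEY, 'd' ^ XOR_KEY,
                      'L' ^ XOR_KEY, 'i' ^ XOR_KEY, 'b' ^ XOR_KEY, 'r' ^ XOR_KEY,
                      'a' ^ XOR_KEY, 'r' ^ XOR_KEY, 'y' ^ XOR_KEY, 'A' ^ XOR_KEY };
    size_t n = sizeof enc < outlen ? sizeof enc : outlen;
    memcpy(out, enc, n);
    return n;
}

/* Volatile clear so the compiler cannot optimise the wipe away. */
void wipe(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Decodes the string into a caller-supplied stack buffer immediately before
 * use and NUL-terminates it. Returns plaintext length, or 0 if it does not
 * fit. The encoded scratch copy is wiped before returning.                 */
size_t decode_name(char *out, size_t outlen) {
    uint8_t enc[16];
    size_t n = encoded_name(enc, sizeof enc);
    if (n + 1 > outlen) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)(enc[i] ^ XOR_KEY);
    out[n] = '\0';
    wipe(enc, sizeof enc);
    return n;
}

/* 1 if a plaintext scan over the encoded bytes fails, as it should. */
int encoded_form_hides_plaintext(void) {
    uint8_t enc[16];
    size_t n = encoded_name(enc, sizeof enc);
    return n == 12 && scanner_finds(enc, n, "LoadLibraryA") == 0;
}

/* 1 if runtime decoding yields the usable plaintext and the scanner then
 * sees it, i.e. the string only exists in memory for the window of use.  */
int decoded_form_is_usable(void) {
    char name[16];
    size_t n = decode_name(name, sizeof name);
    int ok = n == 12 && strcmp(name, "LoadLibraryA") == 0
             && scanner_finds((const uint8_t *)name, n, "LoadLibraryA") == 1;
    wipe(name, sizeof name);   /* shrink the plaintext's lifetime */
    return ok;
}

int main(void) {
    printf("plaintext visible in encoded bytes: %s\n",
           encoded_form_hides_plaintext() ? "no" : "yes");
    printf("decoded string usable at runtime:   %s\n",
           decoded_form_is_usable() ? "yes" : "no");
    return 0;
}
```

The defensive consequence is that string-based static signatures will not fire on such a sample; detection has to move to the point where the string is decoded (memory scanning, API-call telemetry, or a rule on the XOR-decode loop itself), which is exactly why loaders combine this with the debugger checks and direct syscalls listed above.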

During its investigation, LevelBlue Labs observed the malware loader delivering a single payload, namely a Cobalt Strike beacon featuring a configuration previously observed in multiple campaigns targeting Chinese-speaking users.

The observed tactics, techniques, and procedures (TTPs) align with those of an advanced persistent threat (APT) actor, but LevelBlue Labs says it does not have enough data to classify this threat actor as an APT.

“Given the success SquidLoader has shown in evading detection, it is likely that threat actors targeting demographics beyond China will start to mimic the techniques used by the threat actor responsible for SquidLoader, helping them to elude detection and analysis on their unique malware samples,” LevelBlue Labs says.
