2024-06-20

Cybersecurity researchers have discovered a new evasive malware, dubbed SquidLoader, which spreads through phishing campaigns targeting Chinese organizations. Whereas in other cases Chinese cybercriminals have been the protagonists of hacking stories, with SquidLoader the situation is reversed.

AT&T LevelBlue Labs researchers’ analysis of SquidLoader

AT&T LevelBlue Labs, which first identified the malware in late April 2024, explained that SquidLoader incorporates features designed to evade both static and dynamic analysis, making it difficult to detect.

The attacks use phishing emails with attachments that pose as Microsoft Word documents but are in reality executable files; once run, the loader downloads further malicious code from a remote server, including the well-known Cobalt Strike.
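The lure described above, an executable masquerading as a Word document, is something a mail gateway can check for mechanically. The following is an added example (not code from the LevelBlue report): it compares an attachment's claimed extension with its real file signature and flags double extensions and right-to-left override tricks; the extension lists and sample attachments are constructed assumptions.

```python
"""Flag attachments whose claimed Word type does not match their real content."""

# Magic bytes of the container formats a genuine Word document can have.
WORD_MAGICS = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2 (.doc)",  # legacy binary Word
    b"PK\x03\x04": "zip (.docx)",                         # OOXML package
    b"{\\rtf": "rtf",
}
PE_MAGIC = b"MZ"  # DOS/PE executable header
# Extension lists are assumptions chosen for this example, not from the report.
WORD_EXTS = {".doc", ".docx", ".docm", ".dot", ".dotx", ".rtf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
RTLO = "\u202e"  # right-to-left override, used to visually hide the true extension


def classify(data: bytes) -> str:
    """Identify the real container type from the leading bytes."""
    for magic, name in WORD_MAGICS.items():
        if data.startswith(magic):
            return name
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def audit_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a masquerade (empty = clean)."""
    findings = []
    name = filename
    if RTLO in name:
        findings.append("right-to-left override character in filename")
        name = name.replace(RTLO, "")
    exts = ["." + p for p in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    kind = classify(data)
    # report.docx.exe: a document-looking name with an executable suffix
    if any(e in WORD_EXTS for e in exts[:-1]) and last in EXEC_EXTS:
        findings.append(f"double extension: document name with {last} suffix")
    # invoice.docx whose bytes are actually a PE image (the SquidLoader lure)
    if last in WORD_EXTS and kind == "pe":
        findings.append(f"claims {last} but content is a PE executable")
    if last in EXEC_EXTS:
        findings.append(f"executable attachment type {last}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a real OOXML header and a PE header with a .docx name.
    for fname, blob in [("invoice.docx", b"PK\x03\x04" + b"\x00" * 16),
                        ("invoice.docx", b"MZ\x90\x00" + b"\x00" * 16),
                        ("report.docx.exe", b"MZ\x90\x00" + b"\x00" * 16)]:
        print(fname, "->", audit_attachment(fname, blob) or ["no finding"])
```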

“These loaders are equipped with heavy evasion and deception mechanisms that help them remain undetected and complicate analysis,” said security researcher Fernando Dominguez. “The malicious code is loaded in the same process as the loader, probably to avoid writing the payload to disk and therefore risking detection.”

Evasion techniques employed by SquidLoader include encrypted code segments, junk (unused) code, Control Flow Graph (CFG) obfuscation, debugger detection, and direct execution of syscalls instead of calling the Windows NT APIs.

The rise in popularity of malware loaders

This isn’t just about SquidLoader. Malware loaders have become a popular commodity in the cybercrime world, used to deliver and launch additional payloads on compromised hosts while bypassing antivirus defenses and other security measures.

What does this mean in practice? If the antivirus does not recognize the pincopallo.exe file as malware, that file will in turn fetch and launch the taldeitali.exe file, thus bypassing the antivirus.

Last year, an incident detailed by Aon’s Stroz Friedberg described a loader known as Taurus Loader, observed delivering the Taurus information stealer and the AgentVX trojan, which is capable of running other malware, establishing persistence by modifying the Windows Registry, and collecting data.

This discovery comes as a new in-depth analysis of a malware loader and backdoor called PikaBot showed that its creators have kept development active since it first appeared in February 2023.

SquidLoader’s evasive techniques to avoid being caught by antiviruses

“The malware uses advanced anti-analysis techniques to evade detection and make analysis difficult, including system checks, indirect syscalls, next-stage and string encryption, and dynamic API resolution,” Sekoia said. “Recent updates to the malware have further improved its capabilities, making it even more difficult to detect and mitigate.”

These discoveries follow an investigation by BitSight, which found that the infrastructure linked to another malware loader called Latrodectus was taken offline after a police operation called Operation Endgame; this operation took down over 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

The cybersecurity company observed nearly 5,000 distinct victims across 10 different campaigns, with the majority of victims located in the United States, United Kingdom, Netherlands, Poland, France, Czech Republic, Japan, Australia, Germany and Canada.

How to Mitigate SquidLoader and Similar Malware

To protect against SquidLoader and similar malware, it is crucial to take preventive security measures. First, companies should implement a robust security awareness training program so that employees understand the risks of phishing and can recognize suspicious emails; it is also essential to keep all software and operating systems up to date, as many cyber threats exploit known vulnerabilities.

The use of advanced security solutions, such as next-generation antivirus software (for home users, for example, Malwarebytes is excellent), AI-based threat detection tools and network monitoring systems, can help identify and block suspicious behavior; companies should also implement strict access control policies and use multi-factor authentication to protect critical accounts.

Finally, careful privilege management, ensuring that users have only the permissions necessary to perform their functions, can limit the damage in the event of a compromise; constantly monitoring network activity and conducting regular security audits can help quickly detect and respond to any attacks, thus minimizing the impact of malware.