New evasive SquidLoader malware targeting Chinese organizations has been uncovered by experts.


A new evasive malware loader named SquidLoader, which spreads via phishing campaigns targeting Chinese organizations, has been uncovered by cybersecurity researchers.

AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features designed to thwart static and dynamic analysis and ultimately evade detection.

Attack chains use phishing emails carrying attachments that masquerade as Microsoft Word documents but are in fact binaries that pave the way for execution of the malware, which is then used to fetch second-stage shellcode payloads, including Cobalt Strike, from a remote server.

Security researcher Fernando Dominguez said, "These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis. The shellcode that is conveyed is likewise loaded in the same loader process, likely to avoid writing the payload to disk and subsequently risk being detected."

Some of the defense evasion techniques adopted by SquidLoader include the use of encrypted code segments, dead code that is never executed, Control Flow Graph (CFG) obfuscation, debugger detection, and performing direct syscalls instead of calling Windows NT APIs.
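Two of the traits described so far, document-lookalike attachments that are really binaries and direct syscalls in place of NT API calls, are things a mail gateway or sandbox can check for. The Python triage helper below is an added example written for this page; it is not code from the article, from AT&T LevelBlue Labs, or from any SquidLoader analysis. The PE and archive magic bytes are real, the x64 stub shape (`mov r10,rcx` / `mov eax,imm32` / `syscall`) is the standard form of a user-mode Nt* stub, and treating that byte pattern inside a file that is not ntdll.dll as a direct-syscall indicator is an assumed heuristic; the sample attachments and the system service number 0x18 are constructed.

```python
"""Added triage helper (not from the article or LevelBlue Labs).

Checks an e-mail attachment for two of the traits described above:
  1. a filename that claims a Word document while the bytes are a PE image
  2. inline x64 syscall stubs (mov r10,rcx ; mov eax,SSN ; ... ; syscall),
     which is how a binary performs direct syscalls instead of calling ntdll
All sample data below is constructed for the demonstration.
"""
import re
import struct

# Container magics an attachment might legitimately carry.
MAGIC = {
    b"PK\x03\x04": "zip/ooxml",                   # .docx is a ZIP container
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc
    b"MZ": "pe",                                  # Windows executable
}
DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf"}

# x64 stub shape: 4C 8B D1 = mov r10,rcx ; B8 imm32 = mov eax,SSN ;
# up to a few build-specific bytes ; 0F 05 = syscall.  Assumed heuristic:
# this pattern in a file that is not ntdll.dll indicates direct syscalls.
SYSCALL_STUB = re.compile(rb"\x4c\x8b\xd1\xb8(?P<ssn>.{4}).{0,24}?\x0f\x05", re.DOTALL)


def sniff_type(data: bytes) -> str:
    """Identify the container by leading magic bytes, ignoring the filename."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def attachment_masquerades(filename: str, data: bytes) -> bool:
    """Document-looking name (any dotted part, so 'x.docx.exe' counts) over PE bytes."""
    parts = filename.lower().split(".")[1:]
    claims_document = any("." + p in DOC_EXTENSIONS for p in parts)
    return claims_document and is_pe(data)


def find_direct_syscall_stubs(data: bytes) -> list[int]:
    """Return the SSN loaded by every inline syscall stub found in the bytes."""
    return [struct.unpack("<I", m.group("ssn"))[0] for m in SYSCALL_STUB.finditer(data)]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine both checks into one verdict a gateway or sandbox could act on."""
    masquerade = attachment_masquerades(filename, data)
    stubs = find_direct_syscall_stubs(data) if is_pe(data) else []
    return {
        "sniffed": sniff_type(data),
        "masquerade": masquerade,
        "direct_syscall_ssns": stubs,
        "suspicious": masquerade or bool(stubs),
    }


# --- constructed sample inputs ------------------------------------------------
def build_sample_pe(body: bytes) -> bytes:
    """Constructed: valid DOS/PE header pair followed by body; not a loadable image."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> offset of 'PE\0\0'
    return bytes(hdr) + b"PE\x00\x00" + body


# mov r10,rcx ; mov eax,0x18 ; test byte ptr [7FFE0308h],1 ; jne +3 ; syscall ; ret
# The SSN 0x18 is arbitrary here; real numbers vary per Windows build.
STUB_BYTES = bytes.fromhex("4c8bd1b818000000f604250803fe7f0175030f05c3")

SAMPLE_PE_ATTACHMENT = build_sample_pe(b"\x90" * 16 + STUB_BYTES + b"\xcc" * 8)
SAMPLE_DOCX_ATTACHMENT = b"PK\x03\x04" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("Q2_report.docx", SAMPLE_PE_ATTACHMENT),
                       ("Q2_report.docx", SAMPLE_DOCX_ATTACHMENT)]:
        print(name, triage_attachment(name, blob))
```

The content check deliberately ignores the extension and the MIME type the sender supplied, since both are attacker-controlled; the stub scan is a static heuristic and will not see stubs that the loader decrypts only at run time, which is exactly why the article's encrypted code segments matter to defenders.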

Loader malware has become a popular commodity in the criminal underground for threat actors looking to deliver and launch additional payloads on compromised hosts while bypassing antivirus defenses and other security measures.

Last year, Aon's Stroz Friedberg incident response team detailed a loader known as Taurus Loader that has been observed delivering the Taurus information stealer as well as AgentVX, a trojan with capabilities to execute more malware, set up persistence via Windows Registry changes, and gather data.

A new in-depth analysis of a malware loader and backdoor referred to as PikaBot has highlighted that it has been under active development by its developers since its emergence in February 2023.

Sekoia said, "The malware employs advanced anti-analysis techniques to evade detection and harden analysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API resolution. The recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate."

It also follows findings from BitSight that the infrastructure connected with another loader malware called Latrodectus has gone offline in the wake of a law enforcement effort dubbed Operation Endgame, which saw more than 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, dismantled.

The cybersecurity company said it observed almost 5,000 distinct victims spread across 10 unique campaigns, with a majority of the victims located in the U.S., the U.K., the Netherlands, Germany, Canada, Poland, France, Czechia, Australia and Japan.
