Trellix Superior Analysis Heart has uncovered a brand new wave of extremely refined SquidLoader malware actively focusing on monetary companies establishments in Hong Kong. This discovery, detailed in Trellix’s technical evaluation, shared with Hackread.com, highlights a major risk as a result of malware’s near-zero detection charges on VirusTotal on the time of study. Proof additionally factors to a broader marketing campaign, with comparable samples noticed focusing on entities in Singapore and Australia.
A Covert Assault
The assault begins with spear-phishing emails written in Mandarin, precisely crafted to impersonate monetary establishments. These emails ship a password-protected RAR archive containing a malicious executable. The e-mail physique itself is essential to the deception, because it offers the password for the attachment. The topic line typically poses as a “Registration Type for Bond Join Buyers Dealing with Overseas Alternate Enterprise via Abroad Banks.”
The e-mail claims to be from a monetary consultant, requesting the recipient to test and make sure the connected “scanned copy of the Bond Join investor overseas change enterprise registration kind.” This file is cunningly disguised, not solely mimicking a Microsoft Phrase doc icon but additionally falsely adopting the file properties of a reputable AMDRSServ.exe to bypass preliminary scrutiny.
Upon execution, SquidLoader unleashes a fancy five-stage an infection. It first unpacks its core payload, then initiates contact with a Command and Management (C2) server utilizing a URL path that mimics reputable Kubernetes companies (e.g., /api/v1/namespaces/kube-system/companies) to mix with regular community visitors.
This preliminary C2 communication transmits crucial host data, together with IP tackle, username, pc title, and Home windows model, again to its operators. Lastly, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a unique tackle (e.g., 182.92.239.24), granting attackers persistent distant entry.
Evasive Ways and World Implications
A key purpose for SquidLoader’s hazard is its intensive array of anti-analysis, anti-sandbox, and anti-debugging strategies. These embody checking for particular evaluation instruments like IDA Professional (ida.exe) or Windbg (windbg.exe) and customary sandbox usernames.
Notably, it employs a classy threading trick involving lengthy sleep durations and Asynchronous Process Calls (APCs) to detect and evade emulated environments. Ought to it detect any evaluation try, the malware self-terminates. After its checks, it shows a misleading pop-up message in Mandarin: “The file is corrupted and can’t be opened,” requiring person interplay that may thwart automated sandboxes.
“Its intricate anti-analysis, anti-sandbox, and anti-debugging strategies, coupled with its sparse detection charges, pose a major risk to focused organisations,” Trellix researchers emphasised of their report.
The noticed focusing on in a number of nations highlights the worldwide nature of this evolving risk, urging monetary establishments worldwide, notably in Hong Kong, Singapore, and Australia, to extend their safety in opposition to such extremely evasive adversaries.
