A new malware campaign featuring SquidLoader is actively targeting financial services institutions in Hong Kong. This sophisticated malware exhibits significant evasion capabilities, achieving near-zero detection rates on VirusTotal at the time of analysis. SquidLoader employs an attack chain culminating in the deployment of a Cobalt Strike Beacon for remote access and control. Its intricate anti-analysis, anti-sandbox and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organizations.
The SquidLoader campaign begins with targeted spear-phishing emails. These messages, written in Mandarin, impersonate financial institutions and contain a password-protected RAR archive disguised as an invoice. Once the archive is opened, the user finds a malicious PE binary camouflaged as a Microsoft Word document. This file, while visually deceptive, mimics the legitimate "AMDRSServ.exe" to aid in social engineering.
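The disguise described above (an executable presented as a Word document inside an invoice archive) can be caught mechanically by comparing what a filename claims with what the file's header says. The following is an added example written for this summary, not code from the researchers who analysed SquidLoader; the sample attachments are constructed stand-ins, not real campaign artifacts, and the function names (`assess_attachment`, `is_pe`) are assumptions for the illustration. In practice it would run over files extracted from the archive by a mail gateway or sandbox.

```python
"""Flag attachments that claim to be Word documents but carry a PE (MZ/PE) header.
Added example, not from the original article; all sample bytes are constructed."""
import os
import struct

WORD_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Headers a genuine Word file can start with: OLE compound file (.doc),
# ZIP container (.docx/.docm) or RTF text.
GENUINE_WORD_MAGIC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04", b"{\\rtf")


def is_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def claimed_word_document(name: str) -> bool:
    """Does any extension component (including double extensions such as
    invoice.docx.exe) present the file as a Word document?"""
    parts = name.lower().split(".")
    return any("." + p in WORD_EXTENSIONS for p in parts[1:])


def assess_attachment(name: str, data: bytes) -> dict:
    """Return a verdict with machine-readable reasons for a single attachment."""
    lower = name.lower()
    final_ext = os.path.splitext(lower)[1]
    claims_word = claimed_word_document(name)
    pe = is_pe(data)
    reasons = []
    if claims_word and pe:
        reasons.append("pe_disguised_as_word")          # the SquidLoader lure pattern
    if claims_word and final_ext in EXEC_EXTENSIONS:
        reasons.append("double_extension")              # e.g. Invoice.docx.exe
    if claims_word and not pe and not data.startswith(GENUINE_WORD_MAGIC):
        reasons.append("unexpected_magic")              # claims Word, header says otherwise
    if pe and "amdrsserv" in lower:
        reasons.append("mimics_amdrsserv")              # name borrowed from a legitimate binary
    return {"name": name, "is_pe": pe, "suspicious": bool(reasons), "reasons": reasons}


def make_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header, enough for is_pe() to recognise; not a real binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample attachments: one benign-looking .docx, two disguised executables.
SAMPLES = {
    "Invoice_2024.docx": b"PK\x03\x04" + b"\x00" * 32,
    "Invoice.docx.exe": make_pe_stub(),
    "Invoice.doc": make_pe_stub(),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict = assess_attachment(fname, blob)
        print(f"{fname:20} suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
```

The check deliberately looks past the last extension: Windows hides known extensions by default, so "Invoice.docx.exe" renders as "Invoice.docx" to the recipient, and a header comparison is the only reliable tell once the archive password has been supplied.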
Once executed, SquidLoader embeds itself in the system and begins a multi-stage infection process in which it:
Self-unpacks to decrypt its internal payload.
Dynamically resolves critical Windows APIs through obfuscated code.
Initializes a custom stack-based structure for storing operational data.
Executes a variety of evasion routines designed to bypass sandbox, debugger and antivirus tools.
Contacts a remote command-and-control (C2) server and downloads the Cobalt Strike Beacon.
One of SquidLoader's defining traits is its extensive anti-analysis strategy. It uses environmental checks, string obfuscation, control-flow confusion and undocumented Windows syscalls to stay hidden. The malware terminates itself if any known analysis tool or antivirus process is detected, including "windbg.exe", "ida64.exe" and "MsMpEng.exe".
To bypass emulators and automated sandboxes, SquidLoader launches threads with long sleep durations and employs asynchronous procedure calls.
Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. The malware employs various evasion and decoy techniques in order to stay under the radar and avoid detection.
Organizations should exercise caution against phishing attempts and verify the sender's identity before opening attachments or clicking on links. The discovery of SquidLoader highlights the importance of staying vigilant against evolving cyber threats and the need for robust cybersecurity measures to protect sensitive data and systems.