Trellix Advanced Research Center has uncovered a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix's technical analysis shared with Hackread.com, highlights a significant threat because of the malware's near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.
A Covert Attack
The attack begins with spear-phishing emails written in Mandarin, carefully crafted to impersonate financial institutions. These emails deliver a password-protected RAR archive containing a malicious executable. The email body itself is central to the deception, as it supplies the password for the attachment. The subject line typically poses as a “Registration Form for Bond Connect Investors Handling Foreign Exchange Business via Overseas Banks.”
The email claims to be from a financial representative, requesting that the recipient check and confirm the attached “scanned copy of the Bond Connect investor foreign exchange business registration form.” This file is cunningly disguised: it not only mimics a Microsoft Word document icon but also falsely adopts the file properties of the legitimate AMDRSServ.exe to bypass initial scrutiny.
Upon execution, SquidLoader unleashes a complex five-stage infection. It first unpacks its core payload, then initiates contact with a Command and Control (C2) server using a URL path that mimics legitimate Kubernetes services (e.g., /api/v1/namespaces/kube-system/services) to blend in with normal network traffic.
This initial C2 communication transmits key host information, including IP address, username, computer name, and Windows version, back to its operators. Finally, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a different address (e.g., 182.92.239.24), granting attackers persistent remote access.
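A defensive illustration of the C2 disguise described above, added here and not taken from the Trellix report: a Python check over constructed proxy-log lines that flags Kubernetes-API-shaped request paths sent anywhere other than an organisation's known API servers, or sent by a client that is not a known Kubernetes tool. The log layout, the cluster address range, the user-agent list and the 203.0.113.10 destination are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Optional

# Shape of a Kubernetes API path, which the report says the loader's C2 URL imitates
# (e.g. /api/v1/namespaces/kube-system/services). Matches the core and named API groups.
K8S_API_PATH = re.compile(r"^/api(?:s/[^/]+)?/v\d+[a-z0-9]*/namespaces/[^/]+/")

# Assumptions (constructed for this example): where real cluster API servers live
# and which user agents legitimately talk to them.
KNOWN_K8S_API_NETS = [ip_network("10.10.0.0/16")]
KNOWN_K8S_CLIENT_UAS = ("kubectl/", "client-go/")

# Constructed proxy-log layout: src dst "METHOD path" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec: dict) -> bool:
    """A Kubernetes-looking path is only expected from a known client to a known cluster."""
    if not K8S_API_PATH.match(rec["path"]):
        return False
    try:
        dst = ip_address(rec["dst"])
    except ValueError:
        return True  # hostname rather than an internal address: not one of our clusters
    to_known_cluster = any(dst in net for net in KNOWN_K8S_API_NETS)
    known_client = rec["ua"].startswith(KNOWN_K8S_CLIENT_UAS)
    return not (to_known_cluster and known_client)

def scan(lines):
    """Return (src, dst, path) for every suspicious request in the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["src"], rec["dst"], rec["path"]))
    return hits

# Constructed sample log lines (not from the report); 203.0.113.10 is a documentation address
SAMPLE_LOG = [
    '10.20.1.5 10.10.0.1 "GET /api/v1/namespaces/kube-system/services" 200 "kubectl/v1.29.0"',
    '10.20.1.7 203.0.113.10 "POST /api/v1/namespaces/kube-system/services" 200 "Mozilla/5.0"',
    '10.20.1.7 203.0.113.10 "GET /index.html" 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
```

Only the second constructed line is reported: the path looks like a cluster call, but the destination is an external address and the client is a browser user agent.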
Evasive Tactics and Global Implications
A key reason SquidLoader is so dangerous is its extensive array of anti-analysis, anti-sandbox, and anti-debugging techniques. These include checking for specific analysis tools such as IDA Pro (ida.exe) or WinDbg (windbg.exe) and for common sandbox usernames.
Notably, it employs a sophisticated threading trick involving long sleep durations and Asynchronous Procedure Calls (APCs) to detect and evade emulated environments. Should it detect any analysis attempt, the malware self-terminates. After its checks, it displays a deceptive pop-up message in Mandarin: “The file is corrupted and cannot be opened,” requiring user interaction that can thwart automated sandboxes.
“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organisations,” Trellix researchers emphasised in their report.
The observed targeting across multiple countries highlights the global nature of this evolving threat, urging financial institutions worldwide, particularly in Hong Kong, Singapore, and Australia, to strengthen their defences against such highly evasive adversaries.