Introduction
LevelBlue Labs has recently uncovered a highly evasive loader, dubbed “SquidLoader,” which is being delivered to specific targets via phishing attachments. A loader is a type of malware designed to load second-stage payloads onto a victim’s system. The absence of previously observed samples in the wild prompted the researchers to name this malware “SquidLoader,” emphasizing its adeptness at evasion and deception. Initial observations of SquidLoader date back to late April 2024, with indications that it had been active for at least a month prior.
SquidLoader’s Deceptive Techniques
SquidLoader exhibits several sophisticated techniques to avoid both static and dynamic analysis. In our sample, SquidLoader delivered a modified Cobalt Strike payload, known for its hardened resistance to static analysis. The configuration of SquidLoader suggests that the same unknown actor has been conducting sporadic campaigns over the past two years, predominantly targeting Chinese-speaking victims. This actor’s techniques and tactics may soon be replicated by other threat actors against non-Chinese speaking organizations.
Phishing Campaign Details
In late April 2024, researchers observed several executables attached to phishing emails. One such sample (SHA256 914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635) carried a Chinese filename translating to “Huawei industrial-grade router related product introduction and excellent customer cases.” The samples were cleverly disguised with descriptive filenames aimed at luring employees of Chinese companies such as China Mobile Group Shaanxi Co Ltd, Jiaqi Intelligent Technology, and Yellow River Conservancy Technical Institute (YRCTI). Despite displaying Word Document icons, these files were executable binaries.
Mechanism of SquidLoader
The observed samples are loaders that download and execute shellcode payloads via HTTPS GET requests to the /flag.jpg URI. These loaders employ heavy evasion and decoy mechanisms, making them difficult to detect and analyze. The shellcode is loaded into the loader’s own process and is never written to disk, which removes one common detection opportunity. Most samples were signed with a legitimate but expired certificate from Hangzhou Infogo Tech Co., Ltd. Additionally, the command and control (C&C) servers used a self-signed certificate, making it harder to trace the origin.
Execution and Decoy Strategies
Upon execution, SquidLoader duplicates itself to a predefined location, typically C:\BakFiles\install.exe, and restarts from this new location; this is a decoy step rather than a persistence mechanism. While SquidLoader itself lacks persistence mechanisms, the delivered Cobalt Strike payload can establish persistence by creating services and modifying registry keys. The downloaded shellcode is delivered encrypted with a 5-byte XOR key, enhancing its stealth.
Despite its misleading Word Document appearance, SquidLoader’s samples contain references to popular software products like WeChat and mingw-gcc, further deceiving security researchers. However, this code is never executed as the execution flow is transferred to the payload before reaching these references. Additionally, the malware generates a fake error message in simplified Chinese, claiming a “File format error cannot be opened.”
Evasion Techniques
SquidLoader employs numerous evasion techniques to avoid detection and analysis:
- Pointless or Obscure Instructions: It includes obscure x86 instructions like “pause,” “mfence,” or “lfence,” and filler instructions to bypass antivirus emulators.
- Encrypted Code Sections: The malware decrypts bundled shellcode in dynamically allocated memory, using single-byte XOR encryption.
- In-Stack Encrypted Strings: Sensitive strings are stored as XOR encrypted local variables, decrypted only when needed.
- Jumping to the Middle of Instructions: Functions include jumps to addresses within other functions, confusing linear disassemblers and hiding the true code flow.
- Return Address Obfuscation: Stack manipulation techniques obscure return addresses, hindering analysis.
- Control Flow Graph (CFG) Obfuscation: CFG is flattened into infinite loops with vast switch statements, making it hard to follow the execution order without dynamic analysis.
- Debugger Detection: SquidLoader detects and reacts to the presence of debuggers by executing illegal instructions or manipulating key functions to avoid network traffic.
- File Checking: The malware exits if it detects certain files, though the purpose of this check remains unclear.
- Direct Syscalls: SquidLoader avoids Windows NT APIs by using its own syscall wrappers, bypassing potential hooks and hiding from execution logs.
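Two analyst-side helpers for the 5-byte XOR delivery described under “Execution and Decoy Strategies” and for the direct-syscall wrappers in the last bullet. This is added example code, not LevelBlue’s tooling: the key, shellcode bytes and loader bytes are constructed here, and the stub pattern (mov r10, rcx; mov eax, imm32; syscall) is the common x64 shape, assumed rather than taken from the page, since the page does not show SquidLoader’s wrapper layout.

```python
import re
from itertools import cycle


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR (the page describes a 5-byte key for the
    downloaded shellcode). XOR is symmetric, so this also encrypts."""
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def recover_key(blob: bytes, crib: bytes, key_len: int = 5) -> bytes:
    """Recover a repeating XOR key from a known plaintext at offset 0.
    Assumes the crib is correct and at least key_len bytes long."""
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    return bytes(blob[i] ^ crib[i] for i in range(key_len))


# Assumed x64 direct-syscall stub shape: 4C 8B D1 (mov r10, rcx),
# B8 imm32 (mov eax, syscall number), 0F 05 (syscall).
SYSCALL_STUB = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})\x0f\x05", re.DOTALL)


def find_syscall_stubs(buf: bytes) -> list[tuple[int, int]]:
    """Return (offset, syscall_number) for every inline stub found in buf."""
    return [(m.start(), int.from_bytes(m.group(1), "little"))
            for m in SYSCALL_STUB.finditer(buf)]


# Constructed sample data (not real SquidLoader bytes).
SAMPLE_KEY = b"\x13\x37\xc0\xde\x42"
SAMPLE_SHELLCODE = b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 7
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_SHELLCODE, SAMPLE_KEY)

SAMPLE_LOADER = (
    b"\xf3\x90" + b"\x0f\xae\xf0"                       # pause ; mfence (filler)
    + b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\x0f\x05\xc3"   # stub, syscall 0x18, ret
    + b"\x0f\xae\xe8"                                   # lfence (filler)
    + b"\x4c\x8b\xd1\xb8\x3a\x00\x00\x00\x0f\x05\xc3"   # stub, syscall 0x3a, ret
)


if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCRYPTED, SAMPLE_SHELLCODE[:5])
    print("recovered key:", key.hex())
    print("decrypted ok:", xor_decrypt(SAMPLE_ENCRYPTED, key) == SAMPLE_SHELLCODE)
    for off, num in find_syscall_stubs(SAMPLE_LOADER):
        print(f"syscall stub at 0x{off:x}: number 0x{num:x}")
```

Syscall numbers differ between Windows builds, so map the recovered numbers against the ntdll of the victim’s build rather than a generic table.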
Payload and Command & Control
The Cobalt Strike payload observed was modified similarly to SquidLoader and lacked anti-debug or anti-VM mechanisms. It mimicked Kubernetes traffic, using specific HTTP headers to communicate with the C&C server. The payload continuously pings the C&C if the response is not as expected, exfiltrating system information and receiving tasks based on predefined headers.
Conclusion
SquidLoader stands out for its extensive evasion techniques and minimal detections. The consistent use of the same Cobalt Strike configuration over two years suggests a focused and persistent threat actor, though not yet classifiable as an APT. Given its success in evading detection, other threat actors may soon adopt SquidLoader’s techniques, posing a broader threat. LevelBlue Labs will continue monitoring this actor and the evolving tactics to keep clients protected from emerging malware threats.