Cybersecurity researchers have uncovered a brand new evasive malware loader named SquidLoader that spreads by way of phishing campaigns concentrating on Chinese language organizations.
AT&T LevelBlue Labs, which first noticed the malware in late April 2024, mentioned it incorporates options which can be designed to thwart static and dynamic evaluation and in the end evade detection.
Assault chains leverage phishing emails that include attachments that masquerade as Microsoft Phrase paperwork, however, in actuality, are binaries that pave the best way for the execution of the malware, which is then used to fetch second-stage shellcode payloads from a distant server, together with Cobalt Strike.
“These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis,” safety researcher Fernando Dominguez mentioned. “The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected.”
A few of the defensive evasion methods adopted by SquidLoader embody using encrypted code segments, pointless code that is still unused, Management Stream Graph (CFG) obfuscation, debugger detection, and performing direct syscalls as an alternative of calling Home windows NT APIs.
Loader malware has grow to be a preferred commodity within the prison underground for menace actors trying to ship and launch extra payloads to compromised hosts, whereas bypassing antivirus defenses and different safety measures.
Final 12 months, Aon’s Stroz Friedberg incident detailed a loader often called Taurus Loader that has been noticed distributing the Taurus data stealer in addition to AgentVX, a trojan with capabilities to execute extra malware and arrange persistence utilizing Home windows Registry adjustments, and collect information.
The event comes as a brand new in-depth evaluation of a malware loader and backdoor known as PikaBot has highlighted that it continues to be actively developed by its builders since its emergence in February 2023.
“The malware employs advanced anti-analysis techniques to evade detection and harden analysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API resolution,” Sekoia mentioned. “The recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate.”
It additionally follows findings from BitSight that the infrastructure associated to a different loader malware known as Latrodectus has gone offline within the wake of a legislation enforcement effort dubbed Operation Endgame that noticed over 100 botnet servers, together with these related to IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, dismantled.
The cybersecurity firm mentioned it noticed almost 5,000 distinct victims unfold throughout 10 completely different campaigns, with a majority of the victims situated within the U.S., the U.Ok., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.
